MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dca536f80d61bfb182eebc0d9e17e3723194b2a472cb60c8cc2c0a119d4a2c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	7dca536f80d61bfb182eebc0d9e17e3723194b2a472cb60c8cc2c0a119d4a2c5
SHA3-384 hash:	527e1bae879d40760ebc182156aef2138740fc5e5f13403be3c41f8fdb6d2bd6fe03693180b9ddc9e629ef81757fbe4b
SHA1 hash:	1eacb4d51287ff8f33acf6cf820dcb8f938fd441
MD5 hash:	999ce814bdbde48e252ef3979d91508e
humanhash:	eleven-juliet-mike-maryland
File name:	Ciabins.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'970 bytes
First seen:	2026-06-07 14:55:27 UTC
Last seen:	2026-06-08 12:51:12 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vtwtkt1atItcht+apfUxt7Atkttjg11JtMttU3CGttdUvpLttmhEqJttn76Zc:vmqvaWGhEalUxRA66qjU3CGjdUvpLjmb
TLSH	T1FD413ECB61924975BEA0ED6B31AE884D33C4E5E780DFEF6468DC34E4809FE987410697
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://94.183.232.247/CRY.mips	f188a78202626243c40841543b2f280cf1f183371bfca353eb99f3423a23c18d	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.mipsel	n/a	n/a	elf opendir ua-wget
http://94.183.232.247/CRY.sh4	38679f84b82e188affb462c17e50e5b352ca53f469b7424473bfdd0da8afcb6a	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.x86	644933ccf018523580c4b45682ae4f58a46ac8b9bebbdf138b908f0eae37bb59	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.i686	n/a	n/a	elf opendir ua-wget
http://94.183.232.247/CRY.powerpc	n/a	n/a	elf opendir ua-wget
http://94.183.232.247/CRY.i586	n/a	n/a	elf opendir ua-wget
http://94.183.232.247/CRY.m68k	634ef1d7252b8636cf06f1ae4a800a560a68b0372a40f993764b9cdf62840aa0	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.sparc	n/a	n/a	elf opendir ua-wget
http://94.183.232.247/CRY.arc	13237d9b0ea5aa0addc244351ce66b7491e2855bd286093571151b3f8d09d789	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.arm4	n/a	n/a	elf opendir ua-wget
http://94.183.232.247/CRY.arm5	1bf3503333a2fbb50bd4081c2eb468d60682385563190e2fdb4df8adb3e22f21	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.arm6	24598637bc80b2454b3a3f6675c495a94772ce8b3280d01aec91de01f783b9bc	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.arm7	872bc0cf636a7d71b04ee7c298f76eac90cf99f86bc62a51f56d1c3c64ed1b0b	Mirai	elf mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/6a2586664bb6e36d180d26d9/reports/159c43fd-b78f-48c1-885d-c688f8fd6e29/overview

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/4749f43f-ac81-4717-8293-eb25e745b945

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/7dca536f80d61bfb182eebc0d9e17e3723194b2a472cb60c8cc2c0a119d4a2c5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7dca536f80d61bfb182eebc0d9e17e3723194b2a472cb60c8cc2c0a119d4a2c5/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/7dca536f80d61bfb182eebc0d9e17e3723194b2a472cb60c8cc2c0a119d4a2c5

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-06-07 14:56:26 UTC

File Type:

Text (Shell)

AV detection:

24 of 36 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pxffg34a2yn7wgbo5pantyl6g4rrsszki4wlmdemylakcgouulcq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery linux

Link:

https://tria.ge/reports/260607-saqw5sfz5m/

Behaviour

System Network Configuration Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/7dca536f80d61bfb182eebc0d9e17e3723194b2a472cb60c8cc2c0a119d4a2c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh