MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83b0f1bac36856cfd230d5f3638860e2cf8d475b9911105a9267e593c7a765b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	83b0f1bac36856cfd230d5f3638860e2cf8d475b9911105a9267e593c7a765b1
SHA3-384 hash:	7070b97d30b6e18f7f58aebcd65aa3378c6b0efa26e4f1c7ebb47b86a5f982d4706530aef376e784b502a59e227040d7
SHA1 hash:	8cf62736362463486a4e8048d261ca4a3d966934
MD5 hash:	687f586978247c2a43de6eccf23e0713
humanhash:	florida-pasta-nineteen-earth
File name:	massload.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'305 bytes
First seen:	2025-10-19 04:06:54 UTC
Last seen:	2025-10-22 10:05:35 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ToWBGhBh9Mk8QopCZKCyk/GU5k/Lzoz4k/JN3k/c0k/xk/Y:ToGGhL8QopCZKCyk/GU5k/Xk/fk/Dk/x
TLSH	T10721B58F41D0166168C0FE84B1E3482DA8A8B6CA2CD01EDDDB6D25E1735CB94B41EF77
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://23.177.185.39/mips	2cae01a9c5ccb06c91d94ba45a9aaec9f804f60f9bf86cdf97daf5ceacae8f4f	Mirai	32-bit elf gafgyt mirai Mozi
http://23.177.185.39/mpsl	9b9764585122f6e0d842fb301963fed0cb6cba5a12740fec2c660d1f636bafd5	Mirai	elf gafgyt mirai ua-wget
http://23.177.185.39/arm4	9537740259e5cdb297a1986493143741babec7e71bc6e339e06c3f87c469e93e	Mirai	elf gafgyt mirai ua-wget
http://23.177.185.39/arm5	b5f97c4c0ff408de365da6735bf940d1a6a7f7465be68509db8e313f3dcf174f	Mirai	elf gafgyt mirai ua-wget
http://23.177.185.39/arm7	ffe536b3d11dd297b8155ecf55695ef88518cc6e35976efed155b6328444bfb5	Mirai	elf mirai ua-wget
http://23.177.185.39/x86	37429b16ecb491e691262e8531d59c19386077c257ea0c703401cf48fdbf9da1	Mirai	elf gafgyt mirai ua-wget

Intelligence

File Origin

# of uploads :

4

# of downloads :

49

Origin country :

DE

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-36.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive mirai

Link:

https://www.filescan.io/uploads/68f46413c85c5c56972dd1e8/reports/8133b6f8-a7a7-4cf8-9247-58a4f5384f9b/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-18T21:28:00Z UTC

Last seen:

2025-10-20T22:35:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/83b0f1bac36856cfd230d5f3638860e2cf8d475b9911105a9267e593c7a765b1/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/0d281c4a-e906-4331-b7f4-aaab189c02dc

Behavior Graph:

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/83b0f1bac36856cfd230d5f3638860e2cf8d475b9911105a9267e593c7a765b1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/83b0f1bac36856cfd230d5f3638860e2cf8d475b9911105a9267e593c7a765b1/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/83b0f1bac36856cfd230d5f3638860e2cf8d475b9911105a9267e593c7a765b1

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-10-19 03:40:11 UTC

File Type:

Text (Shell)

AV detection:

11 of 36 (30.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qoypdowdnblm7urq2xzwhcda4lhy2r23teirawusm7szhr5hmwyq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

credential_access defense_evasion discovery linux

Link:

https://tria.ge/reports/251019-ep385azlaw/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads process memory

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Renames itself

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.26

Link:

https://yomi.yoroi.company/submissions/83b0f1bac36856cfd230d5f3638860e2cf8d475b9911105a9267e593c7a765b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 83b0f1bac36856cfd230d5f3638860e2cf8d475b9911105a9267e593c7a765b1

(this sample)

elf c6662e973133deb25482b179bb38327c01c8f4b6519f3311352e072e5e91189a

URLhaus

https://urlhaus.abuse.ch/url/3681265/

Delivery method

Distributed via web download

Dropping

MD5 78c0b5819a7c288b5e80645a6156b50e

Dropping

SHA256 c6662e973133deb25482b179bb38327c01c8f4b6519f3311352e072e5e91189a

URLhaus

https://urlhaus.abuse.ch/url/3681262/

URLhaus

https://urlhaus.abuse.ch/url/3681361/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample