MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83b628a580c1fb473a0a55efb1dad03f6a81f1a5c1e0ae99f550a764fd9d9efe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	83b628a580c1fb473a0a55efb1dad03f6a81f1a5c1e0ae99f550a764fd9d9efe
SHA3-384 hash:	2ed0c4677d3abf64c0df45fce75e672dc5ad9060c5360d85d16a4757d38de7aa4f43ba7b8167a5d9e25076b4beb6a2a6
SHA1 hash:	dbad998fd60417d391617caee2e1704f7287cdb1
MD5 hash:	d0b199da5555da703148de7cc7d93962
humanhash:	finch-autumn-oven-iowa
File name:	run.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'907 bytes
First seen:	2025-11-21 08:41:27 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:6P2JMOIbiBG5uZxEaEnE2EhEkuQbw5KJUflChM34:6P2JMOIbiBG5uZxxcvyqQbwRChM34
TLSH	T1625124BB01094B359609864FF7F875B4722BB5D796EBCE04E944281E5FC5D5C3292E40
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://213.209.143.33/bins/xnxnxnxnxnxnxnxnaarch64xnxn	907ef6f74b4e5d5956e55b1f4660768aa918d87df53fa00cf4b59263b5d4189a	Mirai	elf mirai
http://213.209.143.33/bins/xnxnxnxnxnxnxnxni386xnxn	n/a	n/a	elf mirai
http://213.209.143.33/bins/xnxnxnxnxnxnxnxnloongarch64xnxn	a8fd940dc918666f47dc4fa9e351ac9ad6a969a17cdf58871cc724f92ac54637	Mirai	elf mirai
http://213.209.143.33/bins/xnxnxnxnxnxnxnxnm68kxnxn	8f6ce0ae66f7f696d896f6b19234582bbd7969d34218f428e29b4ec186c46132	Mirai	elf mirai
http://213.209.143.33/bins/xnxnxnxnxnxnxnxnmicroblazexnxn	6e7e0ac426f07cfdc6a16e9ebbb1435e3978bb19f4b5085adc01b2daaec5e264	Mirai	elf mirai
http://213.209.143.33/bins/xnxnxnxnxnxnxnxnmipsxnxn	2ac83497640ee4e731ca43d4514a8c1620bc7d0b6d80fb6719b5a789b017efe4	Mirai	elf mirai
http://213.209.143.33/bins/xnxnxnxnxnxnxnxnor1kxnxn	91760e6e4bad4055c443905910909e18562feff8cf286f4f3359964cb8f702a0	Mirai	elf mirai
http://213.209.143.33/bins/xnxnxnxnxnxnxnxnpowerpcxnxn	9f38218a5f5f1f12cf6b46cf32a5ebca3dcf7d2f216713e4bb6e67d49b37db49	Mirai	elf mirai
http://213.209.143.33/bins/xnxnxnxnxnxnxnxnriscv32xnxn	92de153ffaa61982a25d254735a86e4f42d9674011dfa41ba33e44369524d996	Mirai	elf mirai
http://213.209.143.33/bins/xnxnxnxnxnxnxnxnriscv64xnxn	97967f261cf233e64c897eacece81f6c96ffba7f59eea619376de5d92603b34e	Mirai	elf mirai
http://213.209.143.33/bins/xnxnxnxnxnxnxnxnsh2xnxn	0686b04b788e2fc7df3ced2d123052976b3ff0ee640a61e41554392dca507d0b	Mirai	elf mirai
http://213.209.143.33/bins/xnxnxnxnxnxnxnxnsh4xnxn	2ede46d54cc0573ef26ebd2a3e1ce6fb89c9768c9e453cd10b42ab6951b6fb34	Mirai	elf mirai
http://213.209.143.33/bins/xnxnxnxnxnxnxnxnx86_64xnxn	00f6a25ffc788301e3e08d527f02834c12c7c945bb64c0c8267efb05146f0804	Mirai	elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive mirai

Link:

https://www.filescan.io/uploads/69202600eecb08e4aa432077/reports/e7ff6a8f-2733-4f1a-a1a9-aade0087a3bd/overview

Verdict:

Malicious

File Type:

text

First seen:

2025-11-15T22:55:00Z UTC

Last seen:

2025-11-23T01:47:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/83b628a580c1fb473a0a55efb1dad03f6a81f1a5c1e0ae99f550a764fd9d9efe/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/ba038107-be73-4cdc-af68-0ca36441a41f

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/83b628a580c1fb473a0a55efb1dad03f6a81f1a5c1e0ae99f550a764fd9d9efe

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/83b628a580c1fb473a0a55efb1dad03f6a81f1a5c1e0ae99f550a764fd9d9efe/

Threat name:

Script-Shell.Trojan.Heuristic

Status:

Malicious

First seen:

2025-11-16 03:47:54 UTC

File Type:

Text (Shell)

AV detection:

7 of 36 (19.44%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qo3crjmayh5uooqkkxx3dwwqh5vid4nfyhqk5gpvkctwj7m5t37a._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251121-kmafxssjew/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/83b628a580c1fb473a0a55efb1dad03f6a81f1a5c1e0ae99f550a764fd9d9efe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.