MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85c89e3e84e41da0c333f2e6bae7779445ec812edc3c351b1b9330485f694cae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	85c89e3e84e41da0c333f2e6bae7779445ec812edc3c351b1b9330485f694cae
SHA3-384 hash:	a5afb7e0c302ae0fe7e3311ce99fcb4085775260f32bfba2f205ae027925d1050f8177a86fb9076feec3874655cf993c
SHA1 hash:	8127e2a77d7126291838746cecc35b946e1b5aac
MD5 hash:	a2fd89da203852d4ae475aed6cb3d3de
humanhash:	december-harry-six-ceiling
File name:	23.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'639 bytes
First seen:	2026-01-15 17:09:38 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:vZonlnKKt4vRtKFT4+CXlFc4lKVblKyySl4PZkTGB8FbmA:vZa/t4vRtKFT4+w9AtekTvj
TLSH	T150515AC483711AB02E62ED7671B88264B0E5A5DFACF6FB0748FD3DE6508CD045F84646
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://5.59.248.100/djmario.x86	ae88cc6dc61a559d7fa1d7271cc91572fbba361affaa0d93fe6a4c606c097860	Mirai	elf mirai opendir ua-wget
http://5.59.248.100/djmario.mips	1e54387d2545094dae5a55b49056d73f076028cffa530f2b060104af7709cba8	Mirai	elf mirai opendir ua-wget
http://5.59.248.100/djmario.arc	n/a	n/a	elf ua-wget
http://5.59.248.100/djmario.i468	n/a	n/a	elf ua-wget
http://5.59.248.100/djmario.i686	n/a	n/a	elf ua-wget
http://5.59.248.100/djmario.x86_64	216bc844451868628bedb68b6968b4627968bde0593e00de0853831f10dc635f	Mirai	elf mirai opendir ua-wget
http://5.59.248.100/djmario.mpsl	664cd78d438af62048a0a127f98bfcca55b264df109035fba90f1f325fcb9cd9	Mirai	elf mirai opendir ua-wget
http://5.59.248.100/djmario.arm	702dc79f56fcf920a798195707d7750726241fe54e10188de6dfb20202941568	Mirai	elf mirai opendir ua-wget
http://5.59.248.100/djmario.arm5	0c205753701807954b21b125866030ac034b331dfc9618952385dce90ab1e00e	Mirai	elf mirai opendir ua-wget
http://5.59.248.100/djmario.arm6	698472487992cb604b774270b9c71b46e59653da63e04d3d97a3d849f63b47d9	Mirai	elf mirai opendir ua-wget
http://5.59.248.100/djmario.arm7	3491f22a5814b3c83ac3e7e68af24c9b4ad2746e38aa196d3f153cf8557bff20	Mirai	elf mirai opendir ua-wget
http://5.59.248.100/djmario.ppc	b764a4697649ed6d93c94132bbb3e1b432d5242f3f395599c203e6fa772937df	Mirai	elf mirai opendir ua-wget
http://5.59.248.100/djmario.spc	n/a	n/a	elf ua-wget
http://5.59.248.100/djmario.m68k	cdcda4765bc21b10793948ac026ab1f8c9cb724ab3068f89199c515092b5eb99	Mirai	elf mirai opendir ua-wget
http://5.59.248.100/djmario.sh4	8cfae29ea39fde8dd28f8616cf32eb2a2b6ba0e1ef43ee93b2e2c3bcef5b133e	Mirai	elf mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

bash lolbin medusa mirai

Link:

https://www.filescan.io/uploads/69691f903dd9d2095055e59c/reports/7d3c225d-727c-40c1-9ec7-1f3fb6cc8499/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-15T14:17:00Z UTC

Last seen:

2026-01-16T12:48:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/85c89e3e84e41da0c333f2e6bae7779445ec812edc3c351b1b9330485f694cae/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/b3283fc0-a366-487d-8954-dfa75b3af4ff

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/85c89e3e84e41da0c333f2e6bae7779445ec812edc3c351b1b9330485f694cae

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/85c89e3e84e41da0c333f2e6bae7779445ec812edc3c351b1b9330485f694cae/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/85c89e3e84e41da0c333f2e6bae7779445ec812edc3c351b1b9330485f694cae

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-01-15 16:42:16 UTC

File Type:

Text (Shell)

AV detection:

17 of 24 (70.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qxej4pue4qo2bqzt6ltlvz3xsrc6zajo3q6dkgy3smyeqx3jjsxa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260115-vp2cjagz5e/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Traces itself

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/85c89e3e84e4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/85c89e3e84e41da0c333f2e6bae7779445ec812edc3c351b1b9330485f694cae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh