MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 890f9f63dfa80674ded1caae9f88f9b6f0eb98c8ba8bebdf028898294c8f252a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	890f9f63dfa80674ded1caae9f88f9b6f0eb98c8ba8bebdf028898294c8f252a
SHA3-384 hash:	5075c584dcf4b71e0f4a54f310f651b700a7f57c82c2e1babf143661a0792d151669316f7f6d8038529cfa9ab2454091
SHA1 hash:	15d62857a3528e040da321e8ab101be3002a7151
MD5 hash:	5f7f28413300eda9fd8eb8f0faca606d
humanhash:	magazine-diet-foxtrot-winter
File name:	bins.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'948 bytes
First seen:	2026-05-17 06:58:43 UTC
Last seen:	2026-05-18 02:10:50 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:0OJW5IvW6J5BJezPNIPNIdKP/KPw2vr2vaelHyGe:RWV6dAtKP/KPw2vr2vJHyGe
TLSH	T14B41B3CB22A00EF3C50D9E45F35414E4D08F96E2F1A38AFDB56B55A20C5934CF6A6EA0
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://94.156.152.234/x86	c90da7fb6b8f73f88bea60206a6f393dc2e1c2e8d7a6cfb3795e7fd4b1a5f93d	Mirai	mirai
http://94.156.152.234/i386	c90da7fb6b8f73f88bea60206a6f393dc2e1c2e8d7a6cfb3795e7fd4b1a5f93d	Mirai	mirai
http://94.156.152.234/amd64	ccba808ae1b5232091407327877187f67f73919a8be09ae2ec69e835a880719b	Mirai	mirai
http://94.156.152.234/arm	147a66c079759c20b68d02b52ea2994839b1142f4a0bc778ee1f3d0fede1daaa	Mirai	mirai
http://94.156.152.234/armv7l	147a66c079759c20b68d02b52ea2994839b1142f4a0bc778ee1f3d0fede1daaa	Mirai	elf mirai ua-wget
http://94.156.152.234/arm5	d400b1959ae27ec7e29011b963e5321edfc8cc2db1dd27d94bf8b5ac500fdf19	Mirai	mirai
http://94.156.152.234/arm6	377d504d0b80a6f26cb1be37747ec04436c91b45bf68cfa8acd3ea8f4947a6e5	Mirai	mirai
http://94.156.152.234/arm64	bf68ad745957906f29f2acbb7aa8269e77532c13b61fc16b4922b1d338ad3ab6	Mirai	mirai
http://94.156.152.234/android_arm64	62cc6404803271bb0d3afbe9ae329ffeafb26eee1ca29a5b4f6566e9262ce622	Mirai	mirai
http://94.156.152.234/mips	12ae67f448204f8f6643e9e26bdc0fd05c9adb279522f554c51345ec8c478466	Mirai	mirai
http://94.156.152.234/mipsle	9c98d034298ac227bed5083ab7e677acd458f13bf6e9a1f687cf030d7b4b4b94	Mirai	mirai
http://94.156.152.234/bot.exe	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/6a096747efbd399b39b3c5f9/reports/a8a931a0-0593-45cf-8c7e-4796131b566d/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-05-12T13:26:00Z UTC

Last seen:

2026-05-17T05:11:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/890f9f63dfa80674ded1caae9f88f9b6f0eb98c8ba8bebdf028898294c8f252a/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/303d9f59-89b0-4a95-a57b-3e2abf146f7a

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/890f9f63dfa80674ded1caae9f88f9b6f0eb98c8ba8bebdf028898294c8f252a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/890f9f63dfa80674ded1caae9f88f9b6f0eb98c8ba8bebdf028898294c8f252a/

Threat name:

Script-Shell.Trojan.Vigorf

Status:

Malicious

First seen:

2026-05-12 16:38:58 UTC

File Type:

Text (Shell)

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rehz6y67vadhjxwrzkxj7chzw3yoxggixkf6xxycrcmcstepeuva._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux persistence privilege_escalation

Link:

https://tria.ge/reports/260517-hseaysdv8x/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

Modifies Bash startup script

Creates/modifies environment variables

Write file to user bin folder

File and Directory Permissions Modification

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.42

Link:

https://yomi.yoroi.company/submissions/890f9f63dfa80674ded1caae9f88f9b6f0eb98c8ba8bebdf028898294c8f252a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh