MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8af878a537f2591a9b16b45b0b4e420b69a4038522f01967636caefaf6c5cd1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	8af878a537f2591a9b16b45b0b4e420b69a4038522f01967636caefaf6c5cd1c
SHA3-384 hash:	5bd717f7777d3f8c45344797d95cd2a16ab625c01155b0894e8f8e129a3dca26823bc99dce978a71f6ec074d7ca19ae0
SHA1 hash:	c7c83b2048a5d75f0a7ddf4cfd34655579d3a99b
MD5 hash:	10ae2685f82eecdcdb6802e02549a6cb
humanhash:	cold-jupiter-uniform-river
File name:	wget.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'022 bytes
First seen:	2025-12-20 20:15:16 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:pObgjIXnxNI5n01rKDlUpid+tfspiBCqituk2cxKyvYlTMuA:pegonA0xylkiMtfMiIqiQk2uK68ouA
TLSH	T101113ACD2310921AC90CDF483F9D2B2C9759B798E5B48F249CD5097E9E9C609B06BF4B
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://143.20.185.78/bins/frost.arm	8a6ddd16ceeec5a114f3e8319a225ce5f75cba9225d79855231de0b113472d1f	Mirai	arm elf geofenced mirai ua-wget USA
http://143.20.185.78/bins/frost.arm5	98e2d7934b42ebce6ecbdbf56fb8bb1c0335bab4dc8b644404b8d8b41a496543	Mirai	arm elf geofenced mirai ua-wget USA
http://143.20.185.78/bins/frost.arm6	30d1e33d231e28919cf36bf997a44965ad39c7f8dad59484906fd1e8e2826ed4	Mirai	arm elf geofenced mirai ua-wget USA
http://143.20.185.78/bins/frost.arm7	c9a4f7b1626cfc17d700850cf30703632e96354ae80b1c49532acb3b464d19ec	Mirai	arm elf geofenced mirai ua-wget USA
http://143.20.185.78/bins/frost.m68k	d265fd196d8c4113f2a52dd397cfd60d75c125983f944e4869adf929e78ce039	Mirai	elf geofenced m68k mirai ua-wget USA
http://143.20.185.78/bins/frost.mips	37c634fbfbfce823c3e25f381578336d285b49208ad9bb155493ab2b3923d23a	Mirai	elf geofenced mips mirai ua-wget USA
http://143.20.185.78/bins/frost.mpsl	881c736b0ef28f73fd09a7ed06dc6b4935f0a9e95bcd8ad05ed9bd022e3a4a7f	Mirai	elf mirai ua-wget
http://143.20.185.78/bins/frost.ppc	cf642a2210f02af51797257777169041c7d55d1558d030e36ce69d2321ff8601	Mirai	elf geofenced mirai PowerPC ua-wget USA
http://143.20.185.78/bins/frost.sh4	ab4454e6726ed09e3045755d53d4168e30b74fb5c3f2fb82d472789b65059075	Mirai	elf geofenced mirai SuperH ua-wget USA
http://143.20.185.78/bins/frost.spc	199380dcab2a4acf4d919972002884eff2d01a7e4f1b9228514bf187efef6ff6	Mirai	elf geofenced mirai sparc ua-wget USA
http://143.20.185.78/bins/frost.x86	eec7f66f18d53e7a73987d079bbea53d3cb060b83388fd0d850cff7a5aac1f8e	Mirai	elf geofenced mirai ua-wget USA x86
http://143.20.185.78/bins/frost.x86_64	2bdb5c71ddc686e9387663a1d114aa12f8c9f5466a47b3da0e9050c6694cd6c4	Mirai	elf geofenced mirai ua-wget USA x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Shell.Downloader.Gen-1.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

mirai

Link:

https://www.filescan.io/uploads/694703dde126b9ff438a285b/reports/231de5eb-4ec9-4cb4-b4a5-7bbc87d7f7db/overview

Verdict:

Unknown

File Type:

text

Link:

https://opentip.kaspersky.com/8af878a537f2591a9b16b45b0b4e420b69a4038522f01967636caefaf6c5cd1c/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/2bd62316-12dd-46cc-b650-c7e1a28c2ab1

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/8af878a537f2591a9b16b45b0b4e420b69a4038522f01967636caefaf6c5cd1c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8af878a537f2591a9b16b45b0b4e420b69a4038522f01967636caefaf6c5cd1c/

Threat name:

Script-Shell.Downloader.Heuristic

Status:

Malicious

First seen:

2025-12-20 20:15:30 UTC

File Type:

Text (Shell)

AV detection:

13 of 24 (54.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rl4hrjjx6jmrvgywwrnqwtscbnu2ia4felybsz3dnsxpv5wfzuoa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251223-nwtspswmct/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/8af878a537f2591a9b16b45b0b4e420b69a4038522f01967636caefaf6c5cd1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh