MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b8aadf5236c1280e0fe9699cfe8e32833a67dcdf9bc908eeced1981ef3c0dab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	8b8aadf5236c1280e0fe9699cfe8e32833a67dcdf9bc908eeced1981ef3c0dab
SHA3-384 hash:	5c0e6493d2c3d0227c49ae55d24e94a88ea64b237a85e2304e914c2d8ef81437aeb28e89bb202b164b901e4cbcc792e1
SHA1 hash:	3aae8733ce0e4ec1fae2ca6bd1371adbf891caf0
MD5 hash:	01587a8474cd2d2369837ee520b2b875
humanhash:	mars-yellow-low-vermont
File name:	sora.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	690 bytes
First seen:	2026-01-13 16:07:41 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	12:EkJzb3VkJzwokJzP5OGBkJzDNI1ikJzGmBkJzBTgy1nkJz7ZBkJzKbABkJzfbkJs:7JviJaJXOJvNI7J/OJlTxKJxOJ6AOJE2
TLSH	T1230178CF731A7302CB735EEC3D7384A4A255C3C06A54AA06F5AC093682CF7457125AAA
Magika	batch
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://41.216.188.162/bins/sora.mips	fd47ac5697fd193a1ba1a5c3fc6f1004a033ae0e9e71cc0538405376285c8873	Mirai	elf mirai ua-wget
http://41.216.188.162/bins/sora.arm	3a22c5730cfc5279e2214d547fc6b56e9f23810631892e7d98189e731af22dc5	Mirai	elf mirai ua-wget
http://41.216.188.162/bins/sora.arm5	d1eeae10cb0d111334401e509e60587ef0d47384211838e6613c0444c9139961	Mirai	elf mirai ua-wget
http://41.216.188.162/bins/sora.arm6	6697bc6b3dd7e0cad077af8503e4f95f63d16d11f6f8daa2ffd67c3685b4549b	Mirai	elf mirai ua-wget
http://41.216.188.162/bins/sora.m68k	ac7cf4dde0137453a2e97d321691555a36b3f738ff65a68053c12aeeae03fa91	Mirai	elf mirai ua-wget
http://41.216.188.162/bins/sora.mpsl	afd2a7cafac399a43b202588f912b1b139302cdf4ee6df73afbce91edbd4c6da	Mirai	elf mirai ua-wget
http://41.216.188.162/bins/sora.ppc	2b80d927771a7311165a27dbf92bc66f7360e892b2374d8dbb19ef8e43e591a0	Mirai	elf mirai ua-wget
http://41.216.188.162/bins/sora.spc	2d1a238467edfb03fae8122510835697d423319cc5ccb022b1b0ed4175724499	Mirai	elf mirai ua-wget
http://41.216.188.162/bins/sora.sh4	247ae5158b6a34148c244755e9aa2bb6fd7727719af000e8d7543b73dc87759d	Mirai	elf mirai ua-wget
http://41.216.188.162/bins/sora.x86	ad0c39dff07834a302dd1f44bb682e26ceebcc77f31f124e955e7fc1f6d12bda	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

mirai

Link:

https://www.filescan.io/uploads/69666dfcdb2622e9b109bcc3/reports/5348166a-f44d-4306-9750-031909c8ce55/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-13T13:20:00Z UTC

Last seen:

2026-01-13T23:44:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.c HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/8b8aadf5236c1280e0fe9699cfe8e32833a67dcdf9bc908eeced1981ef3c0dab/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/8164ab26-3c22-4c08-98cc-17b05e2ba09c

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/8b8aadf5236c1280e0fe9699cfe8e32833a67dcdf9bc908eeced1981ef3c0dab

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8b8aadf5236c1280e0fe9699cfe8e32833a67dcdf9bc908eeced1981ef3c0dab/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/8b8aadf5236c1280e0fe9699cfe8e32833a67dcdf9bc908eeced1981ef3c0dab

Threat name:

Script-Shell.Downloader.Heuristic

Status:

Malicious

First seen:

2026-01-13 16:00:46 UTC

File Type:

Text (Shell)

AV detection:

8 of 36 (22.22%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rofk35jdnqjibyh6s2m472hdfaz2m7on7g6jbdxm5umyd3z4bwvq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260113-tldxdscs2b/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/8b8aadf5236c1280e0fe9699cfe8e32833a67dcdf9bc908eeced1981ef3c0dab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh