MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c88bab565e4897fa8d74594e05db8c1f856d70a5d42e5619d10415c6c6c071e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	8c88bab565e4897fa8d74594e05db8c1f856d70a5d42e5619d10415c6c6c071e
SHA3-384 hash:	3cfe13f928ce782e9585d6ed5056e87ffcf0794be06caf7205def023c84b3a1833d7a6eac5cab9432b8cc8708cb6e826
SHA1 hash:	795c0259371e9c46be4c7fd93a6f9e12925ac780
MD5 hash:	75632ec8dda0a4590f2cbb5ae6d725a2
humanhash:	london-jig-uranus-michigan
File name:	Sakura.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'124 bytes
First seen:	2025-12-25 07:54:29 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vod8jHttQdMGYdRb7QT6aCOIlL1f5NOI9xET:vod8jHttQdMGYdRb7QT6aCOIlBf5NOIQ
TLSH	T194413CC7226147F26CA0DCB3326AD4C0B5E89195E4D66F4B69DC3CE448BFEEC64446C2
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.221.199.206/m-i.p-s.Sakura	bab1c65eb103979e523c51279d9b166ce7023667cabc7cee6f3356f6d4a496a5	Mirai	elf mirai ua-wget
http://185.221.199.206/m-p.s-l.Sakura	9f00a765db5ce358ea849926921ffd9e6f34c8e84e8e6bc9b236fa614f9a5b98	Gafgyt	elf gafgyt ua-wget
http://185.221.199.206/s-h.4-.Sakura	59118fb1d51e93b916f89dddde76b3f6f8e2760e49ba2b8f0f2a5e8308f1d892	Mirai	elf mirai ua-wget
http://185.221.199.206/x-8.6-.Sakura	ebe6a23a1e288e1bd0aced70302a618d0a06afd1a62fb9ad62314aa6791cb7e0	Mirai	elf mirai ua-wget
http://185.221.199.206/a-r.m-6.Sakura	900943f8067c381a00bf655c3e537389fe1f0b32d64d67c64023b7bfe9b74a5b	Gafgyt	elf gafgyt ua-wget
http://185.221.199.206/x-3.2-.Sakura	b7e3744783f2ab4901e2e0e62d8259115e54f2b6af934e8dd2df20c9c5db5432	Gafgyt	elf gafgyt ua-wget
http://185.221.199.206/a-r.m-7.Sakura	27dabb9ad95bb8c9b25d7cfffa6fca500774a8e07a4a0d7d261a597875ff0391	Mirai	elf mirai ua-wget
http://185.221.199.206/p-p.c-.Sakura	40cfc43aa48d5a4afdf57b549e0b586faf8fd39e9e153e6c8e1bc78d819866c5	Gafgyt	elf gafgyt ua-wget
http://185.221.199.206/i-5.8-6.Sakura	a2039c787503669586f07db8d5e61ba9984bc9bbf67ee391ca6bc3490e857819	Mirai	elf mirai ua-wget
http://185.221.199.206/m-6.8-k.Sakura	a8f159d165188e04d08649711833987d54ce17e0f541d0fa90633f58e23ca065	Gafgyt	elf gafgyt ua-wget
http://185.221.199.206/a-r.m-4.Sakura	40cfc43aa48d5a4afdf57b549e0b586faf8fd39e9e153e6c8e1bc78d819866c5	Gafgyt	elf gafgyt ua-wget
http://185.221.199.206/a-r.m-5.Sakura	dfc0c0820b4d7b5fba03d41d5a99e969fd4886dce51ec752b454669c3c4166e4	Gafgyt	elf gafgyt ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/694cede9e126b9ff4390d460/reports/fc4593d2-4a82-4def-a254-7d149b81c869/overview

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/8c88bab565e4897fa8d74594e05db8c1f856d70a5d42e5619d10415c6c6c071e/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/243813fc-6c32-4795-91c8-ea341f35cbf9

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/8c88bab565e4897fa8d74594e05db8c1f856d70a5d42e5619d10415c6c6c071e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8c88bab565e4897fa8d74594e05db8c1f856d70a5d42e5619d10415c6c6c071e/

Verdict:

Malicious

Threat:

Family.GAFGYT

Link:

https://tip.neiki.dev/file/8c88bab565e4897fa8d74594e05db8c1f856d70a5d42e5619d10415c6c6c071e

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2025-12-25 07:43:04 UTC

AV detection:

24 of 36 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rselvnlf4sex7kgxiwkoaxnyyh4fnvyklvbokym5cbavy3dma4pa._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251225-jscb2a1lck/

Behaviour

Writes file to tmp directory

Reads system network configuration

Creates a large amount of network flows

Reads system routing table

File and Directory Permissions Modification

Executes dropped EXE

Detected Gafgyt variant

Gafgyt family

Gafgyt/Bashlite

Malware Config

C2 Extraction:

185.221.199.206:12345

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/8c88bab565e4897fa8d74594e05db8c1f856d70a5d42e5619d10415c6c6c071e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.