MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8deb25a6fffc878eb8442e9132cba35ceb104a4baf54e42098c633e79ad80a16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	8deb25a6fffc878eb8442e9132cba35ceb104a4baf54e42098c633e79ad80a16
SHA3-384 hash:	3067e93bfacef317691d804d24fd74ca2b1bec83f7b0135381114d99cc90de7bc0c5ae374c0f6a224dba37d90341c661
SHA1 hash:	a6070a3f421d7c27eb0d0e23a5d644d6b9cb36b5
MD5 hash:	6a5d5cb000147f2f858e06e3addfa26c
humanhash:	violet-finch-sierra-steak
File name:	zyxel
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'863 bytes
First seen:	2026-02-08 16:48:35 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vNUoQUoqUo0UouUoBezEUoLUoqUolUokUoqUoPFUfUojUomUL:vNtQtqt0tut4EtLtqtltktqtPFUftjtf
TLSH	T1D151E2C4B296AA70FFB24D5A35F5440474D0E095E6C7EF85D0FC36BD054EF0994A8BA2
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://158.94.210.195/bins/sora.x86	725e13862af947197344fcb7ab345488a74762b936e841237df7f433fcbc31d8	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.mips	dec39ef87e6860891a50f3184cb34a0d6b9f80400091f181c68cefb2cdb3e4a4	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.x86_64	163a4b5be84e43243e6ccf8c9244e24e04c3429308a563ab20423f2970c65c33	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.i468	n/a	n/a	elf ua-wget
http://158.94.210.195/bins/sora.i686	ee98b5fd6ee15fe38e33baf14028d87592a86b3efa666d411bc283214b34dac2	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.mpsl	96a33a462b4026fa48a0bf747fa37915c04d4bce7f9052effe1767559bf6fa24	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.arm4	n/a	n/a	elf ua-wget
http://158.94.210.195/bins/sora.arm5	7dcbe81f748cc63db9d293c2dedebb86a9fd2299d9bd50043437c5a75107a64b	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.arm6	3a9659465e555c2e7d6ded5e96b14301a7a1fadc539ea6a32383db5250cd5778	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.arm7	32de63a0ea3a16d33fa478b59d9ac4ca503eabff97a35c5a4d9fa6e841479c28	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.ppc	824247c83d959b72bf2287af03ea5a96c496ff7eb077596e4d363e3e04994ced	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.ppc440fp	n/a	n/a	elf ua-wget
http://158.94.210.195/bins/sora.m68k	5408fbe38b20d2a90df7f4da3f41224a7769ea9ed5ca00442c344afb64cc8306	Mirai	elf mirai ua-wget
http://158.94.210.195/bins/sora.sh4	7754516998ed27fc3572da4127e51c381f0ceba586e0b32da846c14fd604cb00	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Result

Gathering data

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/45dcc002-1520-4e70-b614-319d24b185d9

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/8deb25a6fffc878eb8442e9132cba35ceb104a4baf54e42098c633e79ad80a16

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8deb25a6fffc878eb8442e9132cba35ceb104a4baf54e42098c633e79ad80a16/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/8deb25a6fffc878eb8442e9132cba35ceb104a4baf54e42098c633e79ad80a16

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-02-08 16:45:07 UTC

File Type:

Text (Shell)

AV detection:

22 of 36 (61.11%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rxvsljx77sdy5ocef2itfs5dltvrasslv5koiieyyyz6pgwybila._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:sora antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260208-vbshgabv3b/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

UPX packed file

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Unexpected DNS network traffic destination

Contacts a large (42827) amount of remote hosts

Creates a large amount of network flows

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8deb25a6fffc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh