MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f2f79124ff3353081958be3b250441b8bdac0d73e790c0efc225287a462690e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	8f2f79124ff3353081958be3b250441b8bdac0d73e790c0efc225287a462690e
SHA3-384 hash:	1aae68c5077de5810f49f6dcee349042841e72d1a2c8eacda6e6a2f6cc580e31c80df0657a586f3d1d4dfbbca15ebf94
SHA1 hash:	f037b2d03aefa3da282b8cf41437f5e6f74588e8
MD5 hash:	13f222112b6cda32fdbbf92735a20dfe
humanhash:	king-september-alaska-oxygen
File name:	goon.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'128 bytes
First seen:	2025-10-16 05:40:43 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:t/ddrNIvoK8AZpWk1q/6NNI7tfKAet8NWd:tjkpj1qy4tfphNWd
TLSH	T1CF21F69F5971274B8CC8FDC6717219486019E3C638D20BDBFD9C14B942A9D98F051B87
Magika	batch
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://23.177.185.39/garm	n/a	n/a	elf ua-wget
http://23.177.185.39/garm5	58b3a79908d27434eeca74e2c54476fb38b2b93b540abc04f7315bde694a914a	Mirai	arm elf geofenced mirai ua-wget USA
http://23.177.185.39/garm6	0c1313445a60d4b30b3f7f51f71a338ed42422d5f28e200a40ef259a40eeee4a	Gafgyt	arm elf gafgyt geofenced ua-wget USA
http://23.177.185.39/garm7	70116c88989dac84c982c6bcd364ee6f6a5b9dd22e8a295d209ce8cc72ab2124	Mirai	arm elf geofenced mirai ua-wget USA
http://23.177.185.39/gmips	7ad355b06d01dd98b4eb6edb6415cd4642d328a2925ec3cd70ebf6b871ffc04e	Mirai	elf geofenced mips mirai ua-wget USA
http://23.177.185.39/gmpsl	ba80287beeb7e1e12ee4af4cd70084a313da19733bc37bb52d8e79ecbc0b48ba	Mirai	elf geofenced mips mirai ua-wget USA
http://23.177.185.39/x86_64	7e02164c352397c011317df0cff9c6b3ec66eb749f5c68dcca67c3c6f50f86a6	Mirai	elf mirai ua-wget
http://23.177.185.39/arm	f6038ff963fc43473bd69ee8b571b6bcdc88d7bb3231ec5727e835232edee6a7	Mirai	elf mirai ua-wget
http://23.177.185.39/arm5	b5f97c4c0ff408de365da6735bf940d1a6a7f7465be68509db8e313f3dcf174f	Mirai	elf gafgyt mirai ua-wget
http://23.177.185.39/arm6	625c60b9a8b0347d5a3988d73bf19d9c5bc9bf126fa8720dd28c648edb4a0975	Mirai	elf gafgyt mirai ua-wget
http://23.177.185.39/arm7	ffe536b3d11dd297b8155ecf55695ef88518cc6e35976efed155b6328444bfb5	Mirai	elf mirai ua-wget
http://23.177.185.39/mips	2cae01a9c5ccb06c91d94ba45a9aaec9f804f60f9bf86cdf97daf5ceacae8f4f	Mirai	32-bit elf gafgyt mirai Mozi
http://23.177.185.39/mpsl	9b9764585122f6e0d842fb301963fed0cb6cba5a12740fec2c660d1f636bafd5	Mirai	elf gafgyt mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-35.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

mirai

Link:

https://www.filescan.io/uploads/68f088ce057c46a471ceaba6/reports/1324ecf5-6a18-43be-a322-b8f6faaa5b29/overview

Verdict:

Malicious

File Type:

text

First seen:

2025-10-16T03:45:00Z UTC

Last seen:

2025-10-16T04:02:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/8f2f79124ff3353081958be3b250441b8bdac0d73e790c0efc225287a462690e/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/78df74b6-f8f8-4f2a-9ec4-c095bbbdddd4

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/8f2f79124ff3353081958be3b250441b8bdac0d73e790c0efc225287a462690e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8f2f79124ff3353081958be3b250441b8bdac0d73e790c0efc225287a462690e/

Threat name:

Linux.Worm.Mirai

Status:

Malicious

First seen:

2025-10-16 06:05:44 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r4xxsesp6m2tbamvrpr3eucedof5vqgxhz4qydx4ejjipjdcneha._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251016-gmqw5aht3e/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/8f2f79124ff3353081958be3b250441b8bdac0d73e790c0efc225287a462690e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.