MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 948d6dbdf5723d97aa8523006220517cea031e9b3133bf28878566bbd71b65da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	948d6dbdf5723d97aa8523006220517cea031e9b3133bf28878566bbd71b65da
SHA3-384 hash:	bb964a05d5c2c9fac1c2da967f23f8506fb511e4a04b1d5610bf4fc3be9f14565083aac15bbe002462e39a1f681f951f
SHA1 hash:	ec73aa8d9603438a2f36912d103d69760713480f
MD5 hash:	8a059f24b35dc6dd0018532ccfde1ff7
humanhash:	two-india-wolfram-paris
File name:	wget.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'661 bytes
First seen:	2025-09-25 10:17:04 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	48:M0XJByX/KXKJ2XbyX2q+MX1XAXfXf10XmByXYKX3J2X0yXTq+MXK7X9XcXfn:pMELg2q+Wdy/QT72LTq+WKT1mf
TLSH	T1BD31B6DED2D2BD62846CDD1AB933069C2006C28E6CAB8FDFFC7614B458E3A5071D4E85
Magika	txt
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://158.94.209.216/arc	ee9180bd2b165795dfaaf5d6de60148d34353c66373cc322e49eaf532de435f9	Mirai	elf mirai
http://158.94.209.216/arm	14883298489d57b2242533f561769e8f21737126e8560c4b9955dc701478c23e	Mirai	32-bit elf mirai Mozi
http://158.94.209.216/arm5	82ee72be70e8dce122910449268514083943892258ea9b9d21068e03286d03f8	Mirai	elf mirai
http://158.94.209.216/arm6	57a6ba282a2ffad3469d83844906606272225fdaeb15c2e2043a11978240de4b	Mirai	elf mirai
http://158.94.209.216/arm7	5a469ba94c55f39fdf0656a0a1b98c988d699569397587d8e1141a0d928b9eea	Mirai	elf mirai
http://158.94.209.216/mips	77637c28bd5ccda2ad3c90c2d34e879fa7e10f1abe04520e5bda11cd7ed69c8e	Gafgyt	32-bit elf gafgyt Mozi
http://158.94.209.216/mpsl	afe59ccdfac00527b2983101bc1e5d91361609b4753962e0cb2cc890b8a35d2f	Gafgyt	elf gafgyt
http://158.94.209.216/ppc	a8de55bad2e1d7f6821139880b74b7345a242dd8f6296f626cdceb07d5f5742e	Mirai	elf mirai
http://158.94.209.216/sh4	71cf2bcec3f927abc59bb4a57e950a1685ce005380b6a2e3dad891788828dc07	Gafgyt	elf gafgyt mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

File Type:

text

First seen:

2025-09-25T07:37:00Z UTC

Last seen:

2025-09-25T07:37:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/948d6dbdf5723d97aa8523006220517cea031e9b3133bf28878566bbd71b65da/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/248bbec5-b63c-471b-9bdd-77025e340a04

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/948d6dbdf5723d97aa8523006220517cea031e9b3133bf28878566bbd71b65da

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/948d6dbdf5723d97aa8523006220517cea031e9b3133bf28878566bbd71b65da/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/948d6dbdf5723d97aa8523006220517cea031e9b3133bf28878566bbd71b65da

Threat name:

Script-Shell.Downloader.Heuristic

Status:

Malicious

First seen:

2025-09-25 10:18:27 UTC

File Type:

Text (Shell)

AV detection:

13 of 24 (54.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ssgw3ppvoi6zpkufemageicrptvaghu3gez36kehqvtlxvy3mxna._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250925-mbpsksxk16/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/948d6dbdf5723d97aa8523006220517cea031e9b3133bf28878566bbd71b65da

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 948d6dbdf5723d97aa8523006220517cea031e9b3133bf28878566bbd71b65da

(this sample)

elf 868a24a3acca181f4ea347dce53ffac86e7e584889bb16835073f08daac471cb

URLhaus

https://urlhaus.abuse.ch/url/3623697/

Delivery method

Distributed via web download

Dropping

MD5 789532e0df7b70cba426f63eb3489286

Dropping

SHA256 868a24a3acca181f4ea347dce53ffac86e7e584889bb16835073f08daac471cb

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample