MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 959643eb6c43c89b20c98bbd0979c6cc5c4dae41ff7977990a8875fff744ffc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	959643eb6c43c89b20c98bbd0979c6cc5c4dae41ff7977990a8875fff744ffc9
SHA3-384 hash:	df809c66a62cb9a54866d9d403fd1a3bf8f63e94cb6c5d483b4748edd8f780c84c0aabdcc9001d0453efa3a03b048fb6
SHA1 hash:	705d0ec103659567a9d3d7fcc551784c84b4e863
MD5 hash:	3c3a95121d2363ff273ae1ca4d666783
humanhash:	sweet-orange-music-mississippi
File name:	curl.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	698 bytes
First seen:	2025-12-02 04:54:51 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:KhI5W3CtI1/TbNEYrBwBtEYQ1npLOhcEYK26IdliAE/IQqlHWEaoJi5EN3bQA:KOQyS1bbOAB1N1npLOXtmliAiqlfaoJl
TLSH	T16301F08981801F735B84ED1F7693842F0226E2C9161727C0FF9D5A78ABC47CFB018972
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://23.132.164.18/arm	a3d5e3c3e422d72ef0e095e164f2706e250839eaf52e24dd7624f6e3e250f8da	Mirai	32-bit elf mirai Mozi
http://23.132.164.18/arm5	788e47fcc1f7e85da5b575ddeb98980fafc9cab532c378855556d679da2a59be	Mirai	elf mirai ua-wget
http://23.132.164.18/arm7	547d1e75421bbbfe0492e2191417ad070d3e1e40db837e9aa4737c7946cd67b7	Mirai	elf mirai ua-wget
http://23.132.164.18/mips	67df849f3252e566ca8f73336ab31eb7b5ddb277c91f90a9dac885c9d9de3837	Mirai	32-bit elf mirai Mozi
http://23.132.164.18/mpsl	449e30caaa96c2833e4f381071095addc874ad4bab41e21225acf6356145c0ed	Mirai	elf mirai ua-wget
http://23.132.164.18/arc	40340e3a77486c1369e0c0983e376950720970a61d9645ecccdc68e6a10337f5	Mirai	elf mirai ua-wget
http://23.132.164.18/aarch64	7cf1b7da477075d7c365bd1fb986b170fac4e9c5b32252ad7e53940e24495f86	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive expand lolbin

Link:

https://www.filescan.io/uploads/692e7139c1a2f55fb9c50dd7/reports/9141cec0-a852-41a6-bbd8-21459b8ad862/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-02T03:13:00Z UTC

Last seen:

2025-12-03T21:24:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/959643eb6c43c89b20c98bbd0979c6cc5c4dae41ff7977990a8875fff744ffc9/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/24bd2385-82ba-410f-8562-a5389dc0b18f

Score:

87%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/959643eb6c43c89b20c98bbd0979c6cc5c4dae41ff7977990a8875fff744ffc9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/959643eb6c43c89b20c98bbd0979c6cc5c4dae41ff7977990a8875fff744ffc9/

Threat name:

Document-HTML.Downloader.Heuristic

Status:

Malicious

First seen:

2025-12-02 04:46:14 UTC

AV detection:

7 of 36 (19.44%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=swleh23mipejwigjro6qs6ogzroe3lsb754xpgikrb27752e77eq._file

Result

Malware family:

n/a

Score:

9/10

Tags:

antivm credential_access defense_evasion discovery linux

Link:

https://tria.ge/reports/251202-fj9pdsxjhv/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads process memory

Deletes log files

Enumerates running processes

File and Directory Permissions Modification

Deletes system logs

Executes dropped EXE

Renames itself

Unexpected DNS network traffic destination

Contacts a large (23662) amount of remote hosts

Creates a large amount of network flows

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/959643eb6c43c89b20c98bbd0979c6cc5c4dae41ff7977990a8875fff744ffc9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 959643eb6c43c89b20c98bbd0979c6cc5c4dae41ff7977990a8875fff744ffc9

(this sample)

Mirai

elf cbb7583e642fe0d7778ed8548f3940a4028d769f1e83e24128d24b00aaea829a

URLhaus

https://urlhaus.abuse.ch/url/3722777/

Delivery method

Distributed via web download

Dropping

MD5 e5dd3ad4c501f828a7096cd4607f098b

Dropping

SHA256 cbb7583e642fe0d7778ed8548f3940a4028d769f1e83e24128d24b00aaea829a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample