MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a4747fb4ca166cf3ba048b21b377a4a0748d0b0d388a3f183f9b9d14a69c00a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	9a4747fb4ca166cf3ba048b21b377a4a0748d0b0d388a3f183f9b9d14a69c00a
SHA3-384 hash:	d8acbb880d7f6407cc23d590e4d3e2743081f666c715757f53068c3339aea775d9f1086b671038c1c9c97df82c35489e
SHA1 hash:	cc9d499978e6c4c4b2db02dadaada2b3fdb0a2c9
MD5 hash:	69965a37592c156eaa799278828fd246
humanhash:	charlie-louisiana-chicken-xray
File name:	painbins.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'621 bytes
First seen:	2025-07-14 18:09:40 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:DXbjsMXbY0Xblx2c4+XbRo9YXb4txsLXbZ0XGXb0hhMXbqqEGXbQr9hUDXb79xX4:HDjL42i9A3LkhU3Q3UHZV+kTzzjybCoR
TLSH	T14671B5CB11E71CB3BDE29A2BB67A684870E26A9F50C99F149CCCBCE6105DD09F091753
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://213.232.114.169/mips	1f7072ebad1c250291f017280a187391b0d68c3794922704358f9d1be61ad5c8	Mirai	elf mirai ua-wget
http://213.232.114.169/mipsel	006a4aa7cff6188a9909a4f920edda3f250e12889a23da4fa962f45c8b2eeb89	Mirai	elf mirai ua-wget
http://213.232.114.169/sh4	0515af001cfbc5f9643a35c2f4a87e7ffc5b966a49bf54e078ee5cb00792b285	Mirai	elf mirai ua-wget
http://213.232.114.169/x86_64	557c3e6e7d59d96137630377e8a018a6725adec14b4fc861e636df8b1a15825c	Mirai	elf mirai ua-wget
http://213.232.114.169/armv6l	062f4c8cd05261b1e10a9b79c5a70eee7c5cde71f99ee9760a8490f7f347fc6d	Mirai	elf mirai ua-wget
http://213.232.114.169/i686	0ea7f9c899753840c12cc3132cc246663457e7f5adbfb3f42292443adf199110	Mirai	elf mirai ua-wget
http://213.232.114.169/powerpc	0f84febd68bf405ce11e919846f7eac5d53e0a3901d0720bbd8998fb4b35e355	Mirai	mirai ua-wget
http://213.232.114.169/i586	8ab5de147cccce1eccea9bd3503b08710b02605951c0c75554b53e492976038a	Mirai	elf mirai ua-wget
http://213.232.114.169/m68k	8743ee05aa26d3946bbcbf4c00fc19f1a39a051a5c69ae82ece778d1b3563731	Mirai	elf mirai ua-wget
http://213.232.114.169/sparc	fedeed737e3ba9346f84a53808827e9f36851d8d9ee49c5dfcbb44bebfbcffb6	Mirai	elf mirai ua-wget
http://213.232.114.169/armv4l	f9c0cd0ddb36a527080de2f95bf6f707f6a9fe210573aec3f89d0168a7b651f9	Gafgyt	elf gafgyt ua-wget
http://213.232.114.169/armv5l	04e4727b0fe9af4c94417df2482a6463f2d80dcc6c116cf055c5f29d692d401a	Gafgyt	elf gafgyt ua-wget
http://213.232.114.169/armv7l	719e096fd74a1431123d6475f1427d93863dfa379757a08ab80568e79a48a311	Mirai	elf mirai ua-wget
http://213.232.114.169/i486	14ee8dac8148d57fccb5f6d05dfb445642281c123d8cdf0c07b9dc8474fdd3d1	Mirai	elf mirai ua-wget
http://213.232.114.169/powerpc-440fp	bef88844fa5733cfb644609f7862cab21c1aaf75102faf7fd6bc65713e37d46d	Mirai	mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/f2c070b4-10cd-41b5-82e7-b447033279bc

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9a4747fb4ca166cf3ba048b21b377a4a0748d0b0d388a3f183f9b9d14a69c00a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9a4747fb4ca166cf3ba048b21b377a4a0748d0b0d388a3f183f9b9d14a69c00a/

Threat name:

Linux.Trojan.Multiverze

Status:

Malicious

First seen:

2025-07-14 11:50:34 UTC

File Type:

Text (Shell)

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tjdup62muftm6o5ajczbwn32jidurufq2oekh4md7g45cstjyafa._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt antivm botnet defense_evasion discovery execution linux privilege_escalation

Link:

https://tria.ge/reports/250714-wsa57ahp9z/

Behaviour

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Enumerates active TCP sockets

Enumerates running processes

Reads system routing table

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Detected Gafgyt variant

Gafgyt family

Gafgyt/Bashlite

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/9a4747fb4ca166cf3ba048b21b377a4a0748d0b0d388a3f183f9b9d14a69c00a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 9a4747fb4ca166cf3ba048b21b377a4a0748d0b0d388a3f183f9b9d14a69c00a

(this sample)

Mirai

elf 1f7072ebad1c250291f017280a187391b0d68c3794922704358f9d1be61ad5c8

URLhaus

https://urlhaus.abuse.ch/url/3583312/

Delivery method

Distributed via web download

Dropping

MD5 6e5e62b5f6d3dbee6a4d0598c8eb0206

Dropping

SHA256 1f7072ebad1c250291f017280a187391b0d68c3794922704358f9d1be61ad5c8

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample