MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a77bd0ca74b9f7f03088814ecd0a7c3fb31d4ae6ebd6b40f2686a45b50eda87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	9a77bd0ca74b9f7f03088814ecd0a7c3fb31d4ae6ebd6b40f2686a45b50eda87
SHA3-384 hash:	6301924f7743fc49268513ae848b11d232ef15bc53e300915ffbcd21d0611c359b0bfa0c8208fea963c237c3db3c62d8
SHA1 hash:	ec593293c574a90c2812af91b53e004cd1bf7aba
MD5 hash:	0a0bb23a3d81b5fdd515173ee4269427
humanhash:	friend-south-fix-georgia
File name:	nvr.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	4'396 bytes
First seen:	2026-03-16 17:23:57 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:ZbAEtrZFYFWFFFiUMzEUXVVjUY0qIFYFWFFFoZvlp6xEy2guKb0+bcZF6FYFWFF6:ZbAE1twE9CQEK1i
TLSH	T1B491E7CC3121982788C68E0CB45AD39753D893A5D9ACC01C55A4FE3B3191FEAB9FAF41
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	juroots
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://88.214.20.14/bins/tuxnokill.x86	a9c595b2c94cbcd3c93fdc72705b502080848f45f41a4142ad77c5a5f4326b0b	Mirai	mirai
http://88.214.20.14/bins/tuxnokill.mips	3b7d02c7d5fae025badfbb801059183029189d85d00aac04311247e4f5f4030a	Mirai	mirai
http://88.214.20.14/bins/tuxnokill.mpsl	234f547c6940b136c16b743950b1b503fffb0fa852b123a107b883a2161b8e5f	Mirai	mirai
http://88.214.20.14/bins/tuxnokill.arm	409c149979a739286e87e55f730410fbc14fe39a2685135b21f7cf6f51bcf466	Mirai	mirai
http://88.214.20.14/bins/tuxnokill.arc	557a7680cac8a83c98f5059b6c11dda33df085e931a53817685ad6427645a3c9	Mirai	mirai
http://88.214.20.14/bins/tuxnokill.arm4	n/a	n/a	elf ua-wget
http://88.214.20.14/bins/tuxnokill.arm5	95d0933e9e2906f5f5df011e5afd2e04161dbac4d4618e0b2ebcee54e91bff5d	Mirai	mirai
http://88.214.20.14/bins/tuxnokill.arm6	501776d5ac80fb72e7c11ce98e4b1cfb16615d76293166a864ba05a62e7f4ff3	Mirai	mirai
http://88.214.20.14/bins/tuxnokill.arm7	c6535cc21940b7be719621fd9b791ddbc33d9be9b4ac050a23d8542c82cae9d6	Mirai	mirai
http://88.214.20.14/bins/tuxnokill.ppc	8cff96f1e570b6eae7b433cebaffc9a6d6a32f6927271ed2e5c3e3866f35ef6c	Mirai	mirai
http://88.214.20.14/bins/tuxnokill.m68k	a065f1dd35f3bf8f2dc8b25a09273b751fee7a4dba6623b41be874bf42aa5185	Mirai	mirai
http://88.214.20.14/bins/tuxnokill.sh4	ddba21e124054e17b84c367320b1e9dcbc8354c39895b6f1eca489841e8eade0	Mirai	mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Gathering data

Verdict:

Malicious

File Type:

unix shell

Link:

https://opentip.kaspersky.com/9a77bd0ca74b9f7f03088814ecd0a7c3fb31d4ae6ebd6b40f2686a45b50eda87/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/4518dad5-020d-4cb3-8447-8f6eeedaade0

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9a77bd0ca74b9f7f03088814ecd0a7c3fb31d4ae6ebd6b40f2686a45b50eda87

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9a77bd0ca74b9f7f03088814ecd0a7c3fb31d4ae6ebd6b40f2686a45b50eda87/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tj332dfhjopx6ayirakozufhyp5tdvfon26wwqhsnbvelnio3kdq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260316-vy3lyset5s/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Enumerates active TCP sockets

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Contacts a large (87613) amount of remote hosts

Creates a large amount of network flows

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh