MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c0406f3e62dd5c138f86777224b4e4fd4e423df2d99ffbea37fd08d25c4055a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	9c0406f3e62dd5c138f86777224b4e4fd4e423df2d99ffbea37fd08d25c4055a
SHA3-384 hash:	d24c0748633d80eb1846e0d06ec2e46e7372ede6e3e250a90c59b37e777fae268ec9fa0b0e6849f3744951e40fa8bed1
SHA1 hash:	fd7fad50b0ee24e229e2bf1b1d2d168071ab50d8
MD5 hash:	5f58a885fc049a8c17c903908109d523
humanhash:	potato-red-echo-enemy
File name:	telnet.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'959 bytes
First seen:	2026-06-16 05:59:36 UTC
Last seen:	2026-06-16 16:28:40 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:a7kt1WnWhn0O2QmUwl/Th/TGZvH301EijIWiKid6x3ttmIEulsn:a7kXWWhn0O2QmUwl/l/a5H301EijIWi5
TLSH	T19241DBD6600003E68F1BCD69FEAA5CDD460E41EDB15B87B5D7C0C829F85C6A43CF5A86
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://64.89.162.139/nz/nz.x86	599a8990a470a5289ad26b0416f5169a215d6ce20888be9760bd251f35bf3928	Mirai	elf mirai opendir ua-wget x86
http://64.89.162.139/nz/nz.mips	a02b6616324a104f09e67ce1d29ceaaa220cdea6d8a44017c5f8d80aa1044398	Mirai	elf mips mirai opendir ua-wget
http://64.89.162.139/nz/nz.arc	c6b77f3dd889fc109bd022d72fa7dc57e89a83f0e90abc4d6f4f792b88716bce	Mirai	arc elf mirai opendir ua-wget
http://64.89.162.139/nz/nz.i468	n/a	n/a	elf ua-wget
http://64.89.162.139/nz/nz.i686	8750b76214a4a0a8591a36daa94842df325d847f94b453303b6e5d16b58c77ca	Mirai	elf mirai opendir ua-wget x86
http://64.89.162.139/nz/nz.x86_64	4dd213a642ceda89a1d710a8ce62e05df9e7f951725abebbd4f3eccb31128834	Mirai	elf mirai opendir ua-wget x86
http://64.89.162.139/nz/nz.mpsl	699d3591c84d4dbf04065df6ed1d4175707d2637c4e15acef7d5fb064d803c1a	Mirai	elf mips mirai opendir ua-wget
http://64.89.162.139/nz/nz.arm	25e1b8c1a926ae161abad2b529dbc6a789b5cac6d99593c30ee4f07695f42bb7	Mirai	arm elf mirai opendir ua-wget
http://64.89.162.139/nz/nz.arm5	c0fb32c9b6d0b21011ab017f5b29a9737eea500abc831d3049555d05c324f92e	Mirai	arm elf mirai opendir ua-wget
http://64.89.162.139/nz/nz.arm6	5d8830876915f448791a8fda8448566b28ae4199bddc2a8e68ed086d887a8e4f	Mirai	arm elf mirai opendir ua-wget
http://64.89.162.139/nz/nz.arm7	2d4bb2c5507bbe2dc7da9a51a261f8061d7b5c5bc860c0d5160c7e08d90c8e72	Mirai	arm elf mirai opendir ua-wget
http://64.89.162.139/nz/nz.ppc	543bf7b5a88b10a54b9fbc679b71be7deca960cc2a708e39d74f8a0012879a0d	Mirai	elf mirai opendir PowerPC ua-wget
http://64.89.162.139/nz/nz.spc	a7651eb7ec42024de6c2825b851b3a97cecca22862635050a39cac335df261de	Mirai	elf mirai opendir sparc ua-wget
http://64.89.162.139/nz/nz.m68k	66ab0c455b5f3bcfce4494a42f11f0bd9717f384256a67982d8a00319e314c81	Mirai	elf m68k mirai opendir ua-wget
http://64.89.162.139/nz/nz.sh4	e7b804e2ff837ef551c49c32e6a16ec35845551e6e4917cc103b3de2e655d13a	Mirai	elf mirai opendir SuperH ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive obfuscated

Link:

https://www.filescan.io/uploads/6a30e69f1f652d68658290b1/reports/21c2390b-c4a6-4b75-9830-ab36620808cb/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-06-14T21:28:00Z UTC

Last seen:

2026-06-16T12:58:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/9c0406f3e62dd5c138f86777224b4e4fd4e423df2d99ffbea37fd08d25c4055a/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/4c5a7163-ac04-404e-9b2a-1cb6e06a32dd

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9c0406f3e62dd5c138f86777224b4e4fd4e423df2d99ffbea37fd08d25c4055a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c0406f3e62dd5c138f86777224b4e4fd4e423df2d99ffbea37fd08d25c4055a/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/9c0406f3e62dd5c138f86777224b4e4fd4e423df2d99ffbea37fd08d25c4055a

Threat name:

Linux.Worm.Mirai

Status:

Malicious

First seen:

2026-06-16 06:01:25 UTC

File Type:

Text (Shell)

AV detection:

13 of 36 (36.11%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tqcan47gfxk4cohym53ses2oj7koii67fwm77pvdp7ii2joeavna._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/260616-gqyq5sat91/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/9c0406f3e62dd5c138f86777224b4e4fd4e423df2d99ffbea37fd08d25c4055a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh