MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c2c65216f91d93de214d81bdec0dd067e079d81a8fd618c45eef8437e162a1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	9c2c65216f91d93de214d81bdec0dd067e079d81a8fd618c45eef8437e162a1d
SHA3-384 hash:	47d95bf283902424232c92ab0b0fc4a2eb853f7bc0070c6451c81bedef3c11023ef4b9fafd17992c70bc606d19de07b8
SHA1 hash:	688279dad3809e88aceecafdcebbfba7dcd870ae
MD5 hash:	c9b559b4a8e1def2037f1c5a8ea0993c
humanhash:	video-virginia-texas-freddie
File name:	mao_http.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'211 bytes
First seen:	2026-02-03 09:14:17 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:geEUuA1gZW8YKmsKo5MZmzizgSwGMIaMGSweSQ:4Sn
TLSH	T1FF612BFD41A0BF93CC85A94CBA2483A1730B91F5FD72F63C9C584A6A4481B15349BEBD
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.242.3.127/bins/mao.x86_64	1b9e17462a47afb7ba79400f147f699ca70909f51a971bab80e20177ae024ef3	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.x86	201c0b78693a3091d9a7e26aa7110c77beb13289ea5978f1edd4b1359567ea6e	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.mips	eb83574b4e79b73f2669e257643a06811b5a3d392ebc8597130bc8102b4a6b7f	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.mpsl	c39ce9aeb58024de86d0df1aaed297a308cf59745d0c8589db81902cdb402bb5	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.arm	37511f960894bb1bec92f792eb9a772a6a7926596155cbe3f60ca2b81a04e743	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.arm5	f2eb51eaf6ec0d4e1293922014c2df9fd4fa62ade85fc2e47c56269d37c030ba	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.arm6	65c1b5a4909e6f0bad16e48d4005f68d453936b72256564900537445582b0591	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.arm7	48737f8fa20358f195fb9670e6ee0444c9760f50f02bda7d78472dbfd0a08bab	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.ppc	e66306f6a71cb948e0b5f4e55e5159a2380e8d61d3923380ce25264db244aeee	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.m68k	e7b3c9c00f79eca8e50a27c0462ff5f0cd3ac4148200508aa77b3eef21fd1cbb	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.sh4	2fce8de8728f1291b308fa7f5d4f096e83e4bc90df63645d7de50e7c62463934	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.spc	e2b29014d4de16f628b0785438dd2de9a4003af819e7f9a266bd751415764b2b	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.arc	0cce20071a014da88feb55d7935d8525390f1bb31cc8259018f57ed1bb1292fd	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.i686	58c9220ae7d6e5e39d2fe77cb2a3d9df5929572ba2f8cab82e2b0e2f2ab5b13f	Mirai	elf mirai ua-wget
http://185.242.3.127/bins/mao.i486	0029fe67bf75b12aa1497f5302e59294502f57f59dd47d0c7d8e9a376794adf5	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

bash evasive lolbin mirai obfuscated

Link:

https://www.filescan.io/uploads/6981bc74930564ff3c864d21/reports/ffba418a-bc43-4276-8612-10b7f4dab880/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-02-03T06:21:00Z UTC

Last seen:

2026-02-03T08:40:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/9c2c65216f91d93de214d81bdec0dd067e079d81a8fd618c45eef8437e162a1d/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/b59e7cbe-bf50-4d7a-85f1-55342bd9ebc9

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9c2c65216f91d93de214d81bdec0dd067e079d81a8fd618c45eef8437e162a1d

Gathering data

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/9c2c65216f91d93de214d81bdec0dd067e079d81a8fd618c45eef8437e162a1d

Threat name:

Script-Shell.Trojan.Vigorf

Status:

Malicious

First seen:

2026-02-03 09:17:16 UTC

File Type:

Text (Shell)

AV detection:

10 of 24 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tqwgkilpshmt3yqu3an55qg5az7aphmbvd6wddcf534eg7qwfioq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260203-k7h9kaay4g/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Creates a large amount of network flows

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9c2c65216f91/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/9c2c65216f91d93de214d81bdec0dd067e079d81a8fd618c45eef8437e162a1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh