MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f45aa714e603901aa6c7627fab86a1def241ecb30dea3575fbbb8c8269bc4b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	9f45aa714e603901aa6c7627fab86a1def241ecb30dea3575fbbb8c8269bc4b9
SHA3-384 hash:	2999f5b6d77f2d065cf52d87e1e8952969f84407d5382ccbcdb1331bc87c9237729b4fdd260a6a78fb55acfd3267a2bf
SHA1 hash:	2290d549f7b7cbee7433ea0353170cc6cb583537
MD5 hash:	a4a3eae4b1b1b77307bf8652df69a639
humanhash:	blossom-ohio-alpha-glucose
File name:	w.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'121 bytes
First seen:	2025-12-25 19:18:50 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:oF1iHWW5hbSWWflwWW29NIl56WWQCa0LKbWW1NgOyWWjJiRWWZO7fWWWSvSWW9Nc:ygMl1NI74KCdiWQA2Nt6dO0PNf7
TLSH	T10F21D1CF21910FB148488E0CB973841855C6A9D4FC422EEC168E19764D97B78B62AFA9
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://94.156.152.90/bins/arm	e0844b0cdf611d8a7521ff37ca40ab691a2c2c3e28a4b9571ff9456d5b5a2b77	Mirai	elf ua-wget
http://94.156.152.90/bins/arm5	f6fbf730c614f55b266174036c98d1827bc602c3c830ccff25454272c694b91f	Mirai	elf ua-wget
http://94.156.152.90/bins/arm6	46588e27520d4ff181d33bc7ff021903d1ecd13f376657f5db7af180ca2e3ac6	Mirai	elf mirai ua-wget
http://94.156.152.90/bins/arm7	c05ee431ce3abe70afdbf9710b0ab3864ecdd8de9f8697c077f956a39bdf8217	Mirai	elf ua-wget
http://94.156.152.90/bins/m68k	0fc0c0aa10d7f989ee6709c50908144d95b2c62ad512419f690652c906db8ed5	Mirai	elf mirai ua-wget
http://94.156.152.90/bins/mips	0f8f041acce3852c7ee78caffddcb4e941206b3c5b905bb5e6c061285ce08852	Mirai	elf ua-wget
http://94.156.152.90/bins/mpsl	d80d236e16bfef3dd5b8aacb4aff4226616be790c3b5dc2325af73e71d61441c	Mirai	elf mirai ua-wget
http://94.156.152.90/bins/ppc	14d5f0267f0ca1c67bdd8e3075ee3598e2ae7444c7f87bab0b862b3b5ee6ced7	Mirai	elf ua-wget
http://94.156.152.90/bins/sh4	439b5691344326a2b67d18c5414f27c50d2b5be2bba021a6c74fbd718fd956ce	Mirai	elf ua-wget
http://94.156.152.90/bins/spc	2951437574f0b44b68855462c650bc1d7b10fbaf36ed86e7a45faec38b87ee6e	Mirai	elf ua-wget
http://94.156.152.90/bins/x86	03ecda01330d867752a09c2e6118fed74a061d4f5222d492ab43640e0d36e6c4	Mirai	elf mirai ua-wget
http://94.156.152.90/bins/x86_64	c0fe3a9a893f48296e27f62bb47a35480d0255c5df46d2185963ce8552004535	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.DownLoader.37.14990.7844.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-25T16:34:00Z UTC

Last seen:

2025-12-26T17:41:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p

Link:

https://opentip.kaspersky.com/9f45aa714e603901aa6c7627fab86a1def241ecb30dea3575fbbb8c8269bc4b9/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/4e8b45ee-f175-4d5e-aca4-94c484e1d1b1

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9f45aa714e603901aa6c7627fab86a1def241ecb30dea3575fbbb8c8269bc4b9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9f45aa714e603901aa6c7627fab86a1def241ecb30dea3575fbbb8c8269bc4b9/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/9f45aa714e603901aa6c7627fab86a1def241ecb30dea3575fbbb8c8269bc4b9

Threat name:

Script-Shell.Downloader.Heuristic

Status:

Malicious

First seen:

2025-12-25 19:19:34 UTC

File Type:

Text (Shell)

AV detection:

9 of 36 (25.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t5c2u4koma4qdktmoyt7vodkdxxsihwlgdpkgv27xo4mqju3ys4q._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:owari botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251225-x1skwaej7y/

Behaviour

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

Enumerates active TCP sockets

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.26

Link:

https://yomi.yoroi.company/submissions/9f45aa714e603901aa6c7627fab86a1def241ecb30dea3575fbbb8c8269bc4b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh