MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f99d87475016fce033c9ad5a8f914f8f87d94f3afb9ba98c5a83977321e1710. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	9f99d87475016fce033c9ad5a8f914f8f87d94f3afb9ba98c5a83977321e1710
SHA3-384 hash:	abc776652c33075a0ef2595b7636cf5703820f2366af7a937d9a7bf90fafcdbda3d11817b70cf7124db732e585aa18db
SHA1 hash:	f1bb05583cb0ce47c5a0cf2318bed47e9c4fa0fd
MD5 hash:	415925a827eb38bcd1d08468860801dd
humanhash:	magazine-sodium-summer-arizona
File name:	r
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'002 bytes
First seen:	2025-06-08 03:22:07 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:k9q5zLt+MB08xJxDkhSxnkxnmkhSx3xJkhSxSx0kh8jn:ko5XEA0gzDkhOomkhOhJkhOO0kh8j
TLSH	T1FF11B9CF41A4CD726C408EDD31934A19A4C6C9D957CF8FC6E48E05B9A1CD90DB251EB9
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://94.26.90.217/vv/armv4l	a82594f321a14d22c63b44b8b3f4e5dcb725aeda14db201cfe59d6b37cb8093f	Mirai	elf gafgyt mirai ua-wget
http://94.26.90.217/vv/armv5l	d64ce359bc97c9643e66057dbd0ea9ed69d5272487e873119dc7a01134f852bc	Mirai	elf gafgyt mirai ua-wget
http://94.26.90.217/vv/armv6l	176858d674f19ed1c385ebfd952caea9f6a76f4b44828d6b8f21985476a35df0	Mirai	elf gafgyt mirai ua-wget
http://94.26.90.217/vv/armv7l	ae5dbccdfcd0e48e2065b462be5879d1c103e3dc9c553ce8eb319c6385580d78	Mirai	elf gafgyt mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

127

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6845054f8bd5d68a12e6b13flinux22vpnfull_triage

Tags:

agent hype sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/68450250fd02ed5e059dbf73/reports/b5b3c065-9b43-4437-9b63-a1fbc6a9c70f/overview

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9f99d87475016fce033c9ad5a8f914f8f87d94f3afb9ba98c5a83977321e1710

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9f99d87475016fce033c9ad5a8f914f8f87d94f3afb9ba98c5a83977321e1710/

Threat name:

Linux.Downloader.Generic

Status:

Suspicious

First seen:

2025-06-08 03:27:08 UTC

File Type:

Text (Shell)

AV detection:

6 of 24 (25.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t6m5q5dvafx44az4tlk2r6iu7d4h3fhtv643vggfva4xomq6c4ia._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250608-dzr36s1ves/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/9f99d87475016fce033c9ad5a8f914f8f87d94f3afb9ba98c5a83977321e1710

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.