MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fce1578d0305981889ee6a62e114fef925d263b2ed93500b532a6ecf50f0bdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	9fce1578d0305981889ee6a62e114fef925d263b2ed93500b532a6ecf50f0bdb
SHA3-384 hash:	f8ec49b3c8084cc10e506363f7e6ecfc6d487749c8728ca677b7654a7651d41882499bbb9df73b9f22bb5fdb96f695e4
SHA1 hash:	a2997f004ae488ba9cffadabeec984517f16020a
MD5 hash:	bb81eca867f91d05929cff72d6694c48
humanhash:	alpha-sixteen-bacon-uniform
File name:	lg
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'793 bytes
First seen:	2026-02-03 16:40:16 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vzyucz3Ucz58czHwczBwczdudzEczoCczR8czKuczLMczH+cz7x7UfczAuczjWf:vzyucz3Ucz58czHwczBwczM9EczoCczu
TLSH	T172518CC832204BB5BFB15992B6F585167489E0D1AEC74EC9E2FC68FE014CF096C916A6
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://94.26.106.177/bins/sora.x86	e9e378387a21bdfc4c1f424ec79a209ceba05d1f0919d6dca05e5623e3f941fd	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.mips	5e74a50c9255cda93e51e37903260477800d9aac1301e8447a8793a83529c07a	Mirai	32-bit elf mirai Mozi
http://94.26.106.177/bins/sora.x86_64	9494683239ff99d86db9145ddd361c5014eef8506c720ef34bae542b1f140c88	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.i468	n/a	n/a	n/a
http://94.26.106.177/bins/sora.i686	28d2d9759823d69e7fc46485b53a413b38ef2f8ff504dd397b6726c21c5dcd19	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.mpsl	c62afaff80ce42bd7e8f6f3b66e45da9a3b36d00fcd630936d28fbce2c9d8f26	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.arm4	n/a	n/a	n/a
http://94.26.106.177/bins/sora.arm5	681c788f1f1c6beb7f7ef7dce47c3971dbb506c5ce58a0caedbb7999efb9bd66	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.arm6	9633a560c9e528465418f37cb0111f6cbda015a4b46f4ab2efe27eaa0b75413b	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.arm7	n/a	n/a	n/a
http://94.26.106.177/bins/sora.ppc	f67c66b6e0cf80b0546171bc249b825601f1078f0df6fb18402441eba65ad610	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.ppc440fp	n/a	n/a	n/a
http://94.26.106.177/bins/sora.m68k	482fe1c5adf10b2feb46d79a6ba89ac5865e73fda816738642d61c03e2149e07	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.sh4	be6d52de33de60fd6d03fc14a719eea4b605519b22370321e44acd102ba7447c	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Result

Gathering data

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/58a4faa9-30ef-417e-9c7d-5ae56e9c49d5

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9fce1578d0305981889ee6a62e114fef925d263b2ed93500b532a6ecf50f0bdb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9fce1578d0305981889ee6a62e114fef925d263b2ed93500b532a6ecf50f0bdb/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/9fce1578d0305981889ee6a62e114fef925d263b2ed93500b532a6ecf50f0bdb

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-02-03 16:34:21 UTC

File Type:

Text (Shell)

AV detection:

22 of 36 (61.11%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t7hbk6gqgbmydce642tc4ekp56jf2jr3f3mtkafvgktoz5ipbpnq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/260203-t6ygjah12g/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh