MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1d5da69e8ef3386501f1876e33f29125dbd3cfc861a386da01a69957b0f55d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	a1d5da69e8ef3386501f1876e33f29125dbd3cfc861a386da01a69957b0f55d8
SHA3-384 hash:	1070bf3a0b6fdd6626b488b8d166b661164ad6eb776f4791eb4255daa34c149fee7eaeebc32608a3c4ebb2d9e95e8dec
SHA1 hash:	79fdd892c80c3830d7ca241c659824c69eea916a
MD5 hash:	0b40c24c8c37a175ce2f229baaf5d703
humanhash:	lake-single-utah-salami
File name:	wget.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'003 bytes
First seen:	2026-01-13 17:32:54 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:EwPJrbllAENI7NPK9eIZfmI5kYlxPNtq/xmO0A3f8jv:BPtj2F3I/5AA
TLSH	T1D2113BDF35D354E2958D9E0ABC790C446004C2C9F994AE36F483183B9CF67187828FD6
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://154.6.197.41/bins/arm	61a4b0868ce06046999e76536bbf94a07336ec3ed3d0a8edc935d57c674fb187	Mirai	mirai opendir
http://154.6.197.41/bins/arm5	8f40d31972029c1d7f88790b7c2ec116deabafa25352aafb5b62780edaf94d6f	Mirai	mirai opendir
http://154.6.197.41/bins/arm6	491dc178d7e42e3ffd98a9977664b9a79be08dbefc9efe4531311a432d9eb70e	Mirai	mirai opendir
http://154.6.197.41/bins/arm7	b0cb456114f2fd7bdc8ee3f7a0da44ac1a673314ce90905826524f426413e13e	Mirai	mirai opendir
http://154.6.197.41/bins/m68k	e594c4dca244303ec4efcd939d95cb7108104e335c3edf85d1766bd462204180	Mirai	mirai opendir
http://154.6.197.41/bins/mips	f7d2afdec972e57c79775f06665e80ab7cdc8a1974f1d3002a89fb0f27a9bbae	Mirai	mirai opendir
http://154.6.197.41/bins/mpsl	n/a	n/a	ua-wget
http://154.6.197.41/bins/ppc	0f8d7d0e039dbb1dbdd62182a43f735b6adf887084ef3aaabf5ae29908a4822e	Mirai	mirai opendir
http://154.6.197.41/bins/sh4	bcef5d6a503c6fca15c039cc4f53e1098316a22c1f9fe29d19fc3beb5e1e4637	Mirai	mirai opendir
http://154.6.197.41/bins/spc	e868327424a6b2cacc60c09e7dca335c4bb9178b723d1fb4e57b05959b1336c3	Mirai	mirai opendir
http://154.6.197.41/bins/x86	747a9e3bbe95b804d32fa3377d9d76a30bb46d45f6396b0357e3ec3410be0ee9	Mirai	mirai opendir
http://154.6.197.41/bins/x86_64	22482b7fbf6dab523956888b0844cd25b065921885c59aba052e967195d3e4c1	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive mirai

Link:

https://www.filescan.io/uploads/696681fd32bf4f14bb109474/reports/c6a0e357-28fe-4fa7-b2b0-a2f519aee72b/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-13T14:44:00Z UTC

Last seen:

2026-01-14T12:48:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/a1d5da69e8ef3386501f1876e33f29125dbd3cfc861a386da01a69957b0f55d8/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/d95fa2dc-4235-49f6-81c2-447a54fec659

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/a1d5da69e8ef3386501f1876e33f29125dbd3cfc861a386da01a69957b0f55d8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a1d5da69e8ef3386501f1876e33f29125dbd3cfc861a386da01a69957b0f55d8/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/a1d5da69e8ef3386501f1876e33f29125dbd3cfc861a386da01a69957b0f55d8

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2026-01-13 17:35:47 UTC

File Type:

Text (Shell)

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uhk5u2pi54zymua7db3ogpzjcjo32ph4qyndq3nadjuzk6ypkxma._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:owari botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260113-v5hv5aes8a/

Behaviour

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

Enumerates active TCP sockets

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/a1d5da69e8ef3386501f1876e33f29125dbd3cfc861a386da01a69957b0f55d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh