MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a23fbf034154fb243d6f8971eb5da56a214f2ca58635a9bd1f6bd6d00e371916. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	a23fbf034154fb243d6f8971eb5da56a214f2ca58635a9bd1f6bd6d00e371916
SHA3-384 hash:	c2ee01cdc96d22acb674089a8e1ca7fb8e815c14f5dd09a0826a226c305c147cdaadda0d3a5028b9ed59ae8b73104643
SHA1 hash:	82d7ebae0d6e4d310be8c51b6e5b7ab2de6d8bd2
MD5 hash:	6461bcafd685ffe7c9e211780bb31ff4
humanhash:	venus-stairway-equal-fillet
File name:	asus.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'037 bytes
First seen:	2025-12-24 12:21:37 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:BLsSlfNjxFiVOyoOVTKJFgDRX7RoNgmG9/BKd6iSQWrT/m:djxHyoOVTKJFgDRX7RoNgmDd6ipWri
TLSH	T1BB51E4CE2175203ABC548AEDE6A3DAF3BACF4F74D88508C4C4E76455347C58EA8E8E11
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://81.88.18.108/bins/shadow.x86	6e01176ce19a409441cadb631f5f0c9b51705a99ebeac50cfae65de383b2e4d4	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.mips	7a84fe422301a21cbbb8dd3cdc0e643ee0b9c1aadffa8c57398fd62ea4b58c4b	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.mpsl	7a1849017c0684337d85b2aa8a730c4fee62486f444c675e8414b97c50cfb5a8	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.arm	eb9e1cf68eb14e4adcdfa704496393a5650750460d44a27fc6810a8fb943c18d	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.arm5	4d5a9a2f2e81daf2490c91bbc8f8a9363cea14da81749fa0131ba80512542b30	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.arm6	01a6e4d8e80b7090e1287238fce08de7bf135d537438845cbb3283f0c17f2d95	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.arm7	a9e36e6d5c7b89b86270b0ea4d1363cd83e1f8efdabd7331c76ce3e1c64a3539	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.ppc	72f8dcac376fa2861c1a6591953d2c4ad3eed9c634938b3a04388603121ac424	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.sh4	9db2cdc377de44600f2bd4ea70114ef56ca00c876e0577899288782fd8b11fbd	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.x86_64	7c4d404b0e75f2e8a13e6d396544a04667a28b0d73f2baf2ee11d715d09c52e1	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.arm64	5ee3a4aec9a92a62c5d308a2ec541372ab4bacf3fa05e833d880935cf46d0721	Mirai	arm elf geofenced mirai opendir ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox

Link:

https://www.filescan.io/uploads/694bdaf5a7163552ba0492fe/reports/b927bc0f-74b5-42a5-9705-77e8480e9067/overview

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-22T22:15:00Z UTC

Last seen:

2025-12-24T02:28:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen

Link:

https://opentip.kaspersky.com/a23fbf034154fb243d6f8971eb5da56a214f2ca58635a9bd1f6bd6d00e371916/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/49180d93-1171-4355-892c-b30c055068d8

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/a23fbf034154fb243d6f8971eb5da56a214f2ca58635a9bd1f6bd6d00e371916

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a23fbf034154fb243d6f8971eb5da56a214f2ca58635a9bd1f6bd6d00e371916/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/a23fbf034154fb243d6f8971eb5da56a214f2ca58635a9bd1f6bd6d00e371916

Threat name:

Script-Shell.Worm.Mirai

Status:

Malicious

First seen:

2025-12-23 03:21:37 UTC

File Type:

Text (Shell)

AV detection:

9 of 36 (25.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ui736a2bkt5siplprfy6wxnfniqu6lffqy22tpi7nplnadrxdela._file

Gathering data

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a23fbf034154/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.09

Link:

https://yomi.yoroi.company/submissions/a23fbf034154fb243d6f8971eb5da56a214f2ca58635a9bd1f6bd6d00e371916

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh