MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4bdfa69b63c5ed660277541946973572a1798b2b102e3a26f661709a0bbefe8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4bdfa69b63c5ed660277541946973572a1798b2b102e3a26f661709a0bbefe8
SHA3-384 hash: 241b9239537cce400ce2a1c97e113caca1184cad4cfd331904aec474534aba5e07e6da7ec2f0099cf7a5e41734454368
SHA1 hash: c36b7737ca9801db8e8d199bf91b2358af2780d9
MD5 hash: ab2e508ff22a9418dc40cc0b9b6c1e6c
humanhash: mexico-oxygen-uncle-asparagus
File name:tplink.sh
Download: download sample
Signature Mirai
Create hunting rule
File size:2'621 bytes
First seen:2025-12-24 08:20:25 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 48:/Dq6DRED0taDQmDBMDbUDTkDe2DL+iMDiutDloDBQDE6DoaJD9y:/tidjSskVMTC+zpw
TLSH T1BF51BDCD13834F725CEEDD5BB7A9C848B09CA5E6B8C1DD36D5DE74AB088DE08B005252
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags:mirai sh
URLMalware sample (SHA256 hash)SignatureTags
http://151.242.30.13/bins/x8637f7a145112264b800b0d92a85bcc3ae6569fd50189e4080a9e13b0292df746c Miraielf geofenced mirai opendir ua-wget USA x86
http://151.242.30.13/bins/mips8977246c2eec422c5afb958b7431376b315d6fe4676c7a85edeb6e04e66515db Miraielf geofenced mips mirai opendir ua-wget USA
http://151.242.30.13/bins/mpsln/an/aelf geofenced mips mirai opendir ua-wget USA
http://151.242.30.13/bins/arca24a51b3ea4777475bad5ad18c053d99707d85d0e816278e4a27058a919eb224 Miraiarc elf geofenced mirai opendir ua-wget USA
http://151.242.30.13/bins/i468n/an/aelf ua-wget
http://151.242.30.13/bins/i68651e5d00211eb3a69cd7796e2208a2010aa263ce3490cf19ced71bec279bd303b Miraielf geofenced mirai opendir ua-wget USA x86
http://151.242.30.13/bins/x86_642cfe3d9f0100eb65810c632cd830a0ab516ce17a86536dee646ad819776b700a Miraielf geofenced mirai opendir ua-wget USA x86
http://151.242.30.13/bins/arm65ec93db8296b4ae09dd7a92272be5305f2c2ecd32566d73b07ae32eaf991056 Miraiarm elf geofenced mirai opendir ua-wget USA
http://151.242.30.13/bins/arm5d4ac7e5c0f78e10f1fe63eb105a7f6c295ac5cc9b1cdc9eddeb2642acc51639e Miraiarm elf geofenced mirai opendir ua-wget USA
http://151.242.30.13/bins/arm61f984d0ca8c9f8b92d0f34afd449b540206b6634730e2975b309d494bc682e13 Miraiarm elf geofenced mirai opendir ua-wget USA
http://151.242.30.13/bins/arm70a61672a8fa4115cc530b8b7651c20d5e9030af98f99ed92b35cdb6e8fc7c9e2 Miraiarm elf geofenced mirai opendir ua-wget USA
http://151.242.30.13/bins/ppccea109a1388edb5a1829d952637a0d9b37a48d8eee6fed0c2fe7b250085c707f Miraielf geofenced mirai opendir PowerPC ua-wget USA
http://151.242.30.13/bins/spc07019ea27232f2c0f528115a443e5b61fc45a53b05ccc28f60496ddd8a08b40a Miraielf geofenced mirai opendir sparc ua-wget USA
http://151.242.30.13/bins/m68k31c7ba1ae705063552f31e6deca1602468cfa6f93ed33e59b89312bb7dd0d8aa Miraielf geofenced m68k mirai opendir ua-wget USA
http://151.242.30.13/bins/sh414d4af82d5566a2cd3a4f81aef840a0f5d4c6f62f95eee5d7ae9e838bccabdf3 Miraielf geofenced mirai opendir SuperH ua-wget USA

Intelligence

File Origin
# of uploads :
1
# of downloads :
31
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bash busybox lolbin medusa mirai virus
Link:
https://www.filescan.io/uploads/694ba27c3f8fdbf8e950ded5/reports/c1e07351-d413-4f9f-8510-f44b86a239e7/overview
Result
Gathering data
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-12-24T05:28:00Z UTC
Last seen:
2025-12-24T05:28:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a
Link:
https://opentip.kaspersky.com/a4bdfa69b63c5ed660277541946973572a1798b2b102e3a26f661709a0bbefe8/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/d219a2dd-e950-462a-8c3b-8d32796eb2b8
Behavior Graph:
Download SVG
%3
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/a4bdfa69b63c5ed660277541946973572a1798b2b102e3a26f661709a0bbefe8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4bdfa69b63c5ed660277541946973572a1798b2b102e3a26f661709a0bbefe8/
Verdict:
Malicious
Threat:
Trojan-Downloader.Shell.Agent
Link:
https://tip.neiki.dev/file/a4bdfa69b63c5ed660277541946973572a1798b2b102e3a26f661709a0bbefe8
Threat name:
Linux.Downloader.Medusa
Create hunting rule
Status:
Malicious
First seen:
2025-12-24 08:13:00 UTC
File Type:
Text (Shell)
AV detection:
17 of 36 (47.22%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=us67u2nwhrpnmybhovazi2ltk4vbpgfswebohitpmylqtif357ua._file
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a4bdfa69b63c5ed660277541946973572a1798b2b102e3a26f661709a0bbefe8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh a4bdfa69b63c5ed660277541946973572a1798b2b102e3a26f661709a0bbefe8

(this sample)

Mirai

elf 92e7027452964fe8329e6a2519d20f6788fa7b0c1f49cbb63027805f71a774df

Mirai

elf 37f7a145112264b800b0d92a85bcc3ae6569fd50189e4080a9e13b0292df746c

  
Dropping
MD5 42372bd3a444e2b34222bdc82bd6c21f
  
Dropping
SHA256 37f7a145112264b800b0d92a85bcc3ae6569fd50189e4080a9e13b0292df746c
  
URLhaus
https://urlhaus.abuse.ch/url/3742092/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3742096/
  
URLhaus
https://urlhaus.abuse.ch/url/3742098/

Comments