MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a70e2615f93d944d9ccbd15e9e0d384b4307347e51451836327ae9148b38e3b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	a70e2615f93d944d9ccbd15e9e0d384b4307347e51451836327ae9148b38e3b7
SHA3-384 hash:	4366f7e2867e826946df313d7014b98e04ae43661fd0ce81c9a93d290154e78ea67426781582162462afb907c77bdd50
SHA1 hash:	33e80bd0aaca2732996a197f12d5b5435a6e6c30
MD5 hash:	a3e3ddc5ac2d67abcbf4ff98b20e55f6
humanhash:	may-east-don-gee
File name:	lil
Download:	download sample
Signature	Mirai Create hunting rule
File size:	770 bytes
First seen:	2025-12-13 08:50:24 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:kXCZG+1ZuZI4Wu9AIm3vAIxH+AIGtNrAINnaAIyxh:e0b54N9A/beQt1fa0xh
TLSH	T18B012DD950A09C1024809C6E729764977923D2C72A9B0FA9FFAD1A3D6F9855DF034F48
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://195.177.94.107/n2	0ebeb6035d83cb19af3eb645c026c40e2e89f3bb6fee549f93c3241edbcdc6f4	Mirai	elf mirai ua-wget
http://195.177.94.107/n3	07b740bc561692f9cc10221571dfc5933c69f5786b648c2e1c53ad9bff4b4064	Mirai	elf mirai ua-wget
http://195.177.94.107/n4t	f67929158c5c814df747ab237fb6797b53a1b4e80afc14889be00246250a54d7	Mirai	elf mirai ua-wget
http://195.177.94.107/n7	09c0b01267effde638740f756034cdfb1c086baf3e53f563d3bbd5a11918d547	Mirai	elf mirai ua-wget
http://195.177.94.107/n8	f67929158c5c814df747ab237fb6797b53a1b4e80afc14889be00246250a54d7	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.Downloader-35.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-13T03:19:00Z UTC

Last seen:

2025-12-13T09:39:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/a70e2615f93d944d9ccbd15e9e0d384b4307347e51451836327ae9148b38e3b7/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/e877dc03-7f68-4866-ba7e-96d9d819edda

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/a70e2615f93d944d9ccbd15e9e0d384b4307347e51451836327ae9148b38e3b7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a70e2615f93d944d9ccbd15e9e0d384b4307347e51451836327ae9148b38e3b7/

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2025-12-13 08:53:19 UTC

File Type:

Text (Shell)

AV detection:

12 of 38 (31.58%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=u4hcmfpzhwke3hgl2fpj4djyjnbqond6kfcrqnrsplurjczy4o3q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux

Link:

https://tria.ge/reports/251213-kth2ms1rhm/

Behaviour

Reads runtime system information

Writes file to tmp directory

Changes its process name

Enumerates running processes

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.26

Link:

https://yomi.yoroi.company/submissions/a70e2615f93d944d9ccbd15e9e0d384b4307347e51451836327ae9148b38e3b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.