MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8d754d93a4316ee36de8020e49a46c6985f33f70db95a8899ccb3decc7ced3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	a8d754d93a4316ee36de8020e49a46c6985f33f70db95a8899ccb3decc7ced3d
SHA3-384 hash:	a52fd6f4aa8cba94fa0e3a08cfaa581015f7ea50bbcda6e038cbe99f58c81459f30715a62d545adf482af4e80a0fa50b
SHA1 hash:	84ebfe797ca901ba60b7f6bf084d35485ee0da91
MD5 hash:	44dd6a3d5b73b3c39e8f97e0c1c1388c
humanhash:	kitten-queen-ink-hamper
File name:	adb-soap.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'111 bytes
First seen:	2026-02-14 21:09:30 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:OB/iQNIByKRAwkAGw/hU3hSkhIAhE5Fc/Z+1lU:+vG5UxSiI2EwgU
TLSH	T17B2184CE704D657D7A490E8270E0AA44A504FAE69D9F0E18BE4C0472FDC6E3037AEA5C
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://130.12.180.151/file/data.arm4	7b86f1e1139d7f15e0163c1b1a96bceff557613454a1cead677b28f922370956	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.151/file/data.arm5	1f8080e52d6a3a5e3b51f0da10e612f67f961cb0bc0d0af01d83f91504bb1b0a	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.151/file/data.arm6	598f8eee7ec2822c9ebfcdd75debc7b014b19a70954e9d8e8767594a7d2d585e	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.151/file/data.arm7	e1e04cc4713e0d53d7596622b452ac1ed56eaebff81a59a984ae8e305138e78d	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.151/file/data.aarch64	68ecdd1eb9ab0caff1227717b21508d64db456aeebd7552f6efc515ead7876c7	Mirai	arm elf geofenced mirai ua-wget USA
http://130.12.180.151/file/data.mips	2df731ccffaac8a175a9c410f0351ba537771c6873345ccc14090c7c10bdfc32	Mirai	elf geofenced mips mirai ua-wget USA
http://130.12.180.151/file/data.mipsel	7b4fb33ebd901223b53cdcc7ccd6e2b83e26a10fa5c40626a3497ad841482dd5	Mirai	elf geofenced mips mirai ua-wget USA
http://130.12.180.151/file/data.mips-uclibc	41b45799bc85d2c743a2ace4fd9407b52eeafb0d9a9b765d9c18d2cd41f38435	Mirai	elf geofenced mips mirai ua-wget USA
http://130.12.180.151/file/data.mipsel-uclibc	f6c7fecae7241b42ed82bc0109013da46fce46cae827954f8fd07ce0a9ba6759	Mirai	elf geofenced mips mirai ua-wget USA
http://130.12.180.151/file/data.powerpc	8f17f85085f91981089860713c6ae572db5bacc4f5338b1c58d06ae1b7bff5e2	Gafgyt	elf gafgyt geofenced mirai PowerPC ua-wget USA
http://130.12.180.151/file/data.x86	cdb0690dace0c8f548441901f74051dc23f1e22d0720743b66581426072c5ae0	Mirai	elf geofenced mirai ua-wget USA x86
http://130.12.180.151/file/data.x86_64	6c6db7fabf43b3b7d926414342072db1cfeb9596c62c9448a1ad38c3ab991ca4	Mirai	elf geofenced mirai ua-wget USA x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/a8d754d93a4316ee36de8020e49a46c6985f33f70db95a8899ccb3decc7ced3d/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/212e3408-464b-49f5-888a-48f1c19a38c2

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/a8d754d93a4316ee36de8020e49a46c6985f33f70db95a8899ccb3decc7ced3d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a8d754d93a4316ee36de8020e49a46c6985f33f70db95a8899ccb3decc7ced3d/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/a8d754d93a4316ee36de8020e49a46c6985f33f70db95a8899ccb3decc7ced3d

Threat name:

Linux.Trojan.Generic

Status:

Suspicious

First seen:

2026-02-14 21:22:21 UTC

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vdlvjwj2imlo4nw6qaqojgsgy2mf6m7xbw4vvcezzsz55td45u6q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

credential_access defense_evasion discovery linux

Link:

https://tria.ge/reports/260214-zz6r8ahs7g/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

Reads process memory

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.26

Link:

https://yomi.yoroi.company/submissions/a8d754d93a4316ee36de8020e49a46c6985f33f70db95a8899ccb3decc7ced3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh