MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adb92a99d9554859fa43ffe596a7571c9fd07e2f14693d8553c72d01bba226bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	adb92a99d9554859fa43ffe596a7571c9fd07e2f14693d8553c72d01bba226bf
SHA3-384 hash:	d9fda835ef292cf658cdb9239d265466b81f8572382127cb7f8552b201a6b1bcf296e23aeb67189130ad4b13468c0808
SHA1 hash:	f176dff949a4a83d8a6efb8ab36658cf5c4dada5
MD5 hash:	00d01bfe9e41cfea6b53bbff59d8eb81
humanhash:	edward-tango-tennessee-east
File name:	vitek.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'729 bytes
First seen:	2026-02-16 09:59:14 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:ior5o5joXdoTBTO9AwEoTIT90loTIT9OTloSsos8oj9LoayoJPo7ZoNzNtopspSA:frG5cXSTBTO9AwdTIT90aTIT90aSFsVJ
TLSH	T1897131F656E14B321C629DB7B7A950277042908A94C7BF05EBE968B931EDD0C3088B5F
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	juroots
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://45.144.64.166:81/epshteyn_x86_64	354b42ba644a621b2d7c63da4fc4b62b93bcfed1962a761826e5a4d6d02db84a	Mirai	mirai
http://45.144.64.166:81/epshteyn_i486	8c252a0623638c441aa90a97e7df42a95281028630c578b24dade116955b72f0	Mirai	mirai
http://45.144.64.166:81/epshteyn_aarch64	fa74adf19d58fd9dc812cdbbf22a1951de69ab9dbe21aec87389d507ad1f3146	Mirai	mirai
http://45.144.64.166:81/epshteyn_mips	8281588e04600cbf3cece7261b73873618d8bb2fc451d81fd4bb34ad4f9e639d	Mirai	mirai
http://45.144.64.166:81/epshteyn_mpsl	d5a387b1fa9e3b03ae0a055aebb844e73c8e1ed1728ba775bb74d918a015c5ef	Mirai	mirai
http://45.144.64.166:81/epshteyn_mips32	232d1fbbbc8d0807bfc4c3d236468687adbc92635be4969508d78e029561a10e	Mirai	mirai
http://45.144.64.166:81/epshteyn_arc	9a372e6e294b69861d246f5f316047e8fa27e2e970ebb6de1004b105dd9ecfb6	Mirai	mirai
http://45.144.64.166:81/epshteyn_arm4	800a02b006e274ae455ae5f231cfcacfc69cdab5a99870c9adeed76c2fa298b5	Mirai	mirai
http://45.144.64.166:81/epshteyn_arm5	9ee3f6e4412df6a836e74081fcc01b5046d5bf3d07f7a97ca108867429730c82	Mirai	mirai
http://45.144.64.166:81/epshteyn_arm6	cb5c01163888125d43f063b02c1a19cdf0a7aecfe8b175f8fbefde50db11232c	Mirai	mirai
http://45.144.64.166:81/epshteyn_arm7	918ca73a9ad98ae6b7d9129e22d4e8eae6841d54abadc76925af111aacfe6d00	Mirai	mirai
http://45.144.64.166:81/epshteyn_ppc	07f0056010295dd01ef7292975d3738fdaaa4cf66e909a48fa3eff96aee53d1b	Mirai	mirai
http://45.144.64.166:81/epshteyn_ppc440	fe44ed151419ee10d36cbd20f0a7b6fae542b03ecae99ec215279ea39f0c049f	Mirai	mirai
http://45.144.64.166:81/epshteyn_spc	876e0e1290b19d3f26a7fcd4ee7c36239902009de02135e6cfbfca8269d95d2f	Mirai	mirai
http://45.144.64.166:81/epshteyn_m68k	3ecda2a7a6d13bafea629c41b5b8a35d8e129d873db178d17e1c69adc48a7540	Mirai	mirai
http://45.144.64.166:81/epshteyn_sh4	b7588bde89df4af3e0e90f7fa0e4ae44e6fd4b9efcd515d6f76f1cd5ae70dfb6	Mirai	mirai
http://45.144.64.166:81/epshteyn_riscv32	0eb96a804a6097bc1827094043f6388d05f0b1920ad558de7024aa0941967402	Mirai	mirai
http://45.144.64.166:81/epshteyn_riscv64	e648ddd49dcb88cc435bfa0bcdf643d39ccc27c21f901cbd472dd831f4ed317a	Mirai	mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/adb92a99d9554859fa43ffe596a7571c9fd07e2f14693d8553c72d01bba226bf/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/43f566fe-a93f-445b-8ed1-3f75d7d6365a

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/adb92a99d9554859fa43ffe596a7571c9fd07e2f14693d8553c72d01bba226bf

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/adb92a99d9554859fa43ffe596a7571c9fd07e2f14693d8553c72d01bba226bf/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/adb92a99d9554859fa43ffe596a7571c9fd07e2f14693d8553c72d01bba226bf

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-02-16 10:00:44 UTC

File Type:

Text (Shell)

AV detection:

20 of 35 (57.14%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vw4svgozkveft6sd77sznj2xdsp5a7rpcrut3bkty4wqdo5ce27q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux

Link:

https://tria.ge/reports/260216-l1kpgsbv2c/

Behaviour

Reads runtime system information

Writes file to tmp directory

Checks SCSI settings

Checks hardware identifiers (DMI)

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.37

Link:

https://yomi.yoroi.company/submissions/adb92a99d9554859fa43ffe596a7571c9fd07e2f14693d8553c72d01bba226bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh