MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b21e86bfaa99a9edf92af34f794f9fcfbe2c13e2a39497bf6558055854ab2186. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7



SHA256 hash: b21e86bfaa99a9edf92af34f794f9fcfbe2c13e2a39497bf6558055854ab2186
SHA3-384 hash: f2cc9cbfcf23a45b7c985c2c7c5f15ced64526c5381812d1074216d8bb4394eccf25fe640f25dde38246e67aeefaa3f8
SHA1 hash: a08ea80123b2cd399192811bffc4c628e8a8f1d5
MD5 hash: 0a16377c77a0a399b51f42f7da90eef5
humanhash: twelve-arkansas-london-east
File name: tplink.sh
Signature: Mirai
File size: 1'306 bytes
First seen: 2025-08-23 02:25:09 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:boWBGhBh9Mk8QoOwle7eJHH28O87QUt2Kd2MIKpatkk0:boGGhL8Qo1WsH28O87QUt2g/IIat/0
TLSH: T1F5213EEE83E1E22D9C5A8E40F2914736F80E5BE430516DE8F64B38A6685DD227075F27
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://103.176.20.59/mips | 7cd5fb5b6d94ac2acf16f8904f6f307f47710df1d51129d55e70590a52dcf823 | Mirai | elf gafgyt mips mirai ua-wget
http://103.176.20.59/mpsl | e4acbf0a1448e928ea7714cf90692001c454b37d78b13a955f475568b36bbaec | Mirai | elf mips mirai ua-wget
http://103.176.20.59/skid.arm | 8a235a9336092da5a5fd75dc7c04bf109a796cab8cbe52666f972c2c5f3ff285 | Mirai | elf mirai ua-wget
http://103.176.20.59/skid.arm5 | 16877e8cab68f6d6a557b0bee1e41a6d938997cb31a62cfe017ed21867b41801 | Mirai | elf mirai ua-wget
http://103.176.20.59/skid.arm7 | 0fd1878b69312fbf748d3be8ba65b3431083985fcfe65a3b32a74a8ef69cdf89 | Mirai | elf mirai ua-wget
http://103.176.20.59/x86 | 81a6645f942191bc2793f956acfc8fa2b80501171f8fc8bb0518ddddb050f649 | Mirai | censys elf mirai ua-wget

Intelligence

File Origin
# of uploads: 1
# of downloads: 32
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-08-22T23:35:00Z UTC
Last seen: 2025-08-22T23:35:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph (process tree recorded in the sandbox run; PIDs as reported):
/usr/bin/sudo (pid 2783)
  execve -> /tmp/sample.bin (pid 2788)
    execve -> /usr/bin/rm (pid 2801)
    execve -> /usr/bin/wget (pid 2805) [net, send-data, write-file]
    execve -> /usr/bin/chmod (pid 3050)
    clone  -> /usr/bin/dash (pid 3052)
    execve -> /usr/bin/wget (pid 3057) [net, send-data, write-file]
    execve -> /usr/bin/chmod (pid 3179)
    clone  -> /usr/bin/dash (pid 3181)
    execve -> /usr/bin/wget (pid 3186) [net, send-data, write-file]
    execve -> /usr/bin/chmod (pid 3345)
    clone  -> /usr/bin/dash (pid 3346)
    execve -> /usr/bin/wget (pid 3348) [net, send-data, write-file]
    execve -> /usr/bin/chmod (pid 3470)
    clone  -> /usr/bin/dash (pid 3472)
    execve -> /usr/bin/wget (pid 3475) [net, send-data, write-file]
    execve -> /usr/bin/chmod (pid 3571)
    clone  -> /usr/bin/dash (pid 3573)
    execve -> /usr/bin/wget (pid 3577) [net, send-data, write-file]
    execve -> /usr/bin/chmod (pid 3682)
    clone  -> /usr/bin/dash (pid 3686)
Network: each of the six wget processes connects to 103.176.20.59:80
  pid 2805 send: 132B
  pid 3057 send: 132B
  pid 3186 send: 136B
  pid 3348 send: 137B
  pid 3475 send: 137B
  pid 3577 send: 131B
Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2025-08-23 02:25:53 UTC
File Type: Text (Shell)
AV detection: 11 of 24 (45.83%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:botnet botnet credential_access defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Enumerates running processes
Reads MAC address of network interface
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Renames itself
Contacts a large (185322) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Mirai | sh | b21e86bfaa99a9edf92af34f794f9fcfbe2c13e2a39497bf6558055854ab2186 (this sample)

Delivery method: Distributed via web download
Comments