MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b61c91545ce49c9751531e8a8043f4aa113550679d5ddc7bb29b451bc4a452d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	b61c91545ce49c9751531e8a8043f4aa113550679d5ddc7bb29b451bc4a452d2
SHA3-384 hash:	e91e0ef78853bff4a05df6565fa680803e913bb8e37bfedb7843609f9025e6461f3d8c537898184b2e0520d001f1826c
SHA1 hash:	8d62c5e10ff1ba8bf514929939cf239eaa13848b
MD5 hash:	610012cb3283f6f6a65cb79cbc568f2c
humanhash:	tennis-asparagus-lactose-nebraska
File name:	Ciabins.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'954 bytes
First seen:	2026-06-09 13:50:37 UTC
Last seen:	2026-06-10 00:09:15 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vtwtkt1atItchtPLsft7Atkttjg11JtMttU3CGttdUvpLttmhEqJttn76Zc:vmqvaWGh9LsfRA66qjU3CGjdUvpLjmhh
TLSH	T120412FCB61924975BEA0ED6B31AE484D33C0A5EB90DFEF645CDC34E4809FE987404697
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://94.183.232.247/CRY.mips	3a56ce727e772c89bd75eb6c5fbb029f19b89d73bd22865b0d4dfdf32448532b	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.mipsel	n/a	n/a	elf opendir ua-wget
http://94.183.232.247/CRY.sh4	87218d3a50595e89c351f16eea6b4e3c5dbb6f1251fe2ca0369493baa46f7556	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.x86	f997453517af9a39f3fb2264c1742bc710307305787ab4cdc2e7d470d58c71ba	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.i686	n/a	n/a	elf opendir ua-wget
http://94.183.232.247/CRY.ppc	42c982251c083492949a37c78bad1af1370c79ea4c842a212d1d51d2015fa821	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.i586	n/a	n/a	elf opendir ua-wget
http://94.183.232.247/CRY.m68k	n/a	n/a	elf mirai opendir ua-wget
http://94.183.232.247/CRY.sparc	n/a	n/a	elf opendir ua-wget
http://94.183.232.247/CRY.arc	ddddae35387b65d0fc7757550aab9bd967f9601042982c06647590617c28b97a	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.arm4	n/a	n/a	elf opendir ua-wget
http://94.183.232.247/CRY.arm5	7f07a1fb09ec75adf79dc878f15485e03aadcbe8d8b0717135c769b7d41ae7ef	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.arm6	6cebdb60882f724b6b3666897054603fbacd69f3369599ad40ae43e4a1bea880	Mirai	elf mirai opendir ua-wget
http://94.183.232.247/CRY.arm7	66b11ec69ec5f5e72b5377820cd8cc3ff7d68918daad4c247ccf8dd556ba2b9b	Mirai	elf mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/6a281a3a8161ac6cb55de19c/reports/0f5004ff-a6af-4f5a-bf90-984483c915d7/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-06-09T11:01:00Z UTC

Last seen:

2026-06-09T11:15:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/b61c91545ce49c9751531e8a8043f4aa113550679d5ddc7bb29b451bc4a452d2/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/9d7ee79f-4236-47e5-a8a1-c4a5e29ac5e6

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/b61c91545ce49c9751531e8a8043f4aa113550679d5ddc7bb29b451bc4a452d2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b61c91545ce49c9751531e8a8043f4aa113550679d5ddc7bb29b451bc4a452d2/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/b61c91545ce49c9751531e8a8043f4aa113550679d5ddc7bb29b451bc4a452d2

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-06-09 13:51:49 UTC

File Type:

Text (Shell)

AV detection:

17 of 24 (70.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wyojcvc44sojouktd2fiaq7uviitkudhtvo5y65stncrxrfeklja._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery linux

Link:

https://tria.ge/reports/260609-q5papabs7z/

Behaviour

System Network Configuration Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/b61c91545ce49c9751531e8a8043f4aa113550679d5ddc7bb29b451bc4a452d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh