MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7f2f1cb3589c11d1e87f9057b001a942d67f7705c30f681c5864d64deeba53a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 4



SHA256 hash: b7f2f1cb3589c11d1e87f9057b001a942d67f7705c30f681c5864d64deeba53a
SHA3-384 hash: e3ac3c66eade6d4a42916366d87437c97fab2f618caef00da708e0cf8a120767d1b51376245ce5ba1b9563e992f8f90f
SHA1 hash: 23b74191f9796df6e66302eeed059f4b853afa69
MD5 hash: a270abf84ba4ab891070afa92164b0c6
humanhash: carbon-mockingbird-summer-saturn
File name: Sassy.Cloudflare.cat.sh
Signature Mirai
File size: 2'365 bytes
First seen: 2026-06-09 14:48:34 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep 48:q9AxKkCrVANEM5CboZtMUQbwnQWycO2DwD0gacY8:n/5957Zxplk9D0A3
TLSH T1B241AA8672F0F15AB594B9A0789047F07681E19110ED362B9FA3E833B5F67F0E2F4642
Magika batch
Reporter BlinkzSec
URL | Malware sample (SHA256 hash) | Signature | Tags
http://176.65.139.126/cloudflare/Sassy.Cloudflare.arm | cd8cec8d509f19176a13d5750a458c55dacdb3397d0b141380131ccb13cff8e5 | Mirai | 176-65-139-126 elf mirai ua-wget
http://176.65.139.126/cloudflare/Sassy.Cloudflare.arm5 | 48d574a4c9826603cb60047e4a5c2c58a63f9b260770043bcaa80556883d0020 | Mirai | 176-65-139-126 elf mirai ua-wget
http://176.65.139.126/cloudflare/Sassy.Cloudflare.arm6 | 2532851bbd6a3a3cb9b39e644a015b83fcc11939937e91ae061da6a5c1f3b36f | Mirai | 176-65-139-126 elf mirai ua-wget
http://176.65.139.126/cloudflare/Sassy.Cloudflare.arm7 | 394d90529db4150272fd16b51b05188528caeee08754d8caef26a0f8d0d56109 | Mirai | 176-65-139-126 elf mirai ua-wget
http://176.65.139.126/cloudflare/Sassy.Cloudflare.m68k | 4d9dd833ebe47101a9764f8283b7f39391012bf62252300f88628f9b3c51e77f | Mirai | 176-65-139-126 elf mirai ua-wget
http://176.65.139.126/cloudflare/Sassy.Cloudflare.mips | 3895f3b7368cb2c0657cb743506fe388bd18263c025d391b99a74052d376c04e | Mirai | 176-65-139-126 elf mirai ua-wget
http://176.65.139.126/cloudflare/Sassy.Cloudflare.mipsel | 11e34b5802e385e33a7730d60496a950376bae5bca1dc0e2d1f63d141dea826e | Mirai | 176-65-139-126 elf mirai ua-wget
http://176.65.139.126/cloudflare/Sassy.Cloudflare.ppc | db643607eb610ecabf6867963d5c3cf994002d374bed24cd036c5293d90f04ad | Mirai | 176-65-139-126 elf mirai ua-wget
http://176.65.139.126/cloudflare/Sassy.Cloudflare.sh4 | 85f81d8713fa7d55806735490f7f5dac78b29f951b74feee25f25a627a36bc5e | Mirai | 176-65-139-126 elf mirai ua-wget
http://176.65.139.126/cloudflare/Sassy.Cloudflare.spc | 86dec2a0e49a227a64ba225dba4b2483873f5958f8b857f86e91c1a5affd28c1 | Mirai | 176-65-139-126 elf mirai ua-wget
http://176.65.139.126/cloudflare/Sassy.Cloudflare.x86_64 | 7398c35856f5b73d61895f6abe311a36efcc1e80ae20da64a0f6d36843a75291 | Mirai | 176-65-139-126 elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 22
Origin country: GB
Vendor Threat Intelligence
No detections
Status:
terminated
Behavior Graph (process tree recovered from the sandbox graph data; the graph node identifiers are omitted):
  pid 2738 /usr/bin/sudo
    -> execve pid 2744 /tmp/sample.bin
  Children of pid 2744, in graph order (each wget is tagged net, send-data, write-file):
    execve pid 2746 /usr/bin/wget  | execve pid 2897 /usr/bin/chmod | clone pid 2899 /usr/bin/dash
    execve pid 2901 /usr/bin/wget  | execve pid 2921 /usr/bin/chmod | clone pid 2922 /usr/bin/dash
    execve pid 2923 /usr/bin/wget  | execve pid 2945 /usr/bin/chmod | clone pid 2946 /usr/bin/dash
    execve pid 2947 /usr/bin/wget  | execve pid 2958 /usr/bin/chmod | clone pid 2960 /usr/bin/dash
    execve pid 2961 /usr/bin/wget  | execve pid 2978 /usr/bin/chmod | clone pid 2980 /usr/bin/dash
    execve pid 2981 /usr/bin/wget  | execve pid 2998 /usr/bin/chmod | clone pid 2999 /usr/bin/dash
    execve pid 3000 /usr/bin/wget  | execve pid 3004 /usr/bin/chmod | clone pid 3005 /usr/bin/dash
    execve pid 3006 /usr/bin/wget  | execve pid 3031 /usr/bin/chmod | clone pid 3034 /usr/bin/dash
    execve pid 3035 /usr/bin/wget  | execve pid 3046 /usr/bin/chmod | clone pid 3048 /usr/bin/dash
    execve pid 3049 /usr/bin/wget  | execve pid 3076 /usr/bin/chmod | clone pid 3078 /usr/bin/dash
    execve pid 3079 /usr/bin/wget  | execve pid 3093 /usr/bin/chmod | clone pid 3097 /usr/bin/dash
  Network node 176.65.139.126:80, data sent by each wget process:
    pid 2746: 160B, pid 2901: 161B, pid 2923: 161B, pid 2947: 161B, pid 2961: 161B, pid 2981: 161B,
    pid 3000: 163B, pid 3006: 160B, pid 3035: 160B, pid 3049: 160B, pid 3079: 163B
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh b7f2f1cb3589c11d1e87f9057b001a942d67f7705c30f681c5864d64deeba53a

(this sample)

Delivery method
Distributed via web download

Comments