MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b85358b80802f914a3f3c3b1d262f76aec29327cea737f5563967feaab1d572c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b85358b80802f914a3f3c3b1d262f76aec29327cea737f5563967feaab1d572c
SHA3-384 hash: 63b5d7bfe956fd961288ea9c6b2bb72719a81b488993e4c187fde4054513267eb601e410052edf071b76ae19ef9e67f0
SHA1 hash: 3d1e3a6e812c4a3e2cb638065a259df824dcaacb
MD5 hash: 3b8cc538871a2fd438b24e9d9a7fb05f
humanhash: vermont-avocado-east-pasta
File name:1.sh
Download: download sample
Signature Mirai
Create hunting rule
File size:3'284 bytes
First seen:2025-12-26 19:57:26 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 24:ItCxEsCUvCLlCMTTCKqsCmDC7b7nJClBLCWR1LC9b9NIAksCUHCAb3Cf1LCPh3Cr:imvsbtpG3JG1L6Jf93kLGxY
TLSH T1406117DA208612B13C759F3762BD5A287183D0B618DF3F16D6ED38EC8AACD56F440B42
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://92.119.164.209/windyloveyou/windy.x86f7af4118ea65040336702508edcdd20ab146b6f47f96ba144633f89376cee63f Miraimirai opendir
http://92.119.164.209/windyloveyou/windy.mips2d65468c854ebd82729c52fe08a3fa5f64720ceb52ab4bf89398c89e64c021da Miraimirai opendir
http://92.119.164.209/windyloveyou/windy.arcn/an/amirai opendir
http://92.119.164.209/windyloveyou/windy.i468n/an/an/a
http://92.119.164.209/windyloveyou/windy.i68631d423164c480b1ae238259697bb38f59de35f03804e4c7620df0ae545c4cdcd Miraimirai opendir
http://92.119.164.209/windyloveyou/windy.x86_64340902e57c810f31453b019f8b5e3df82388ba55d006355b9d28dd61d34b9df2 Miraimirai opendir
http://92.119.164.209/windyloveyou/windy.mpslce873d725617a45e3c00ee8442153f7466fb55cc060f938575c8a684209b9aaf Miraimirai opendir
http://92.119.164.209/windyloveyou/windy.armb786ac235d86fe82ed1faa420ef61a8470c1fba32dcbe62378cc5810c37041a5 Miraimirai opendir
http://92.119.164.209/windyloveyou/windy.arm52dc4c91662ef8524222eb3d7015487103a98aa8b13aed43dcdcc48d8aca9b1f2 Miraimirai opendir
http://92.119.164.209/windyloveyou/windy.arm6ae2a5f89f954ac884d13b2e0cefe173615bec58cf9888fa21ccf0ea6219aa101 Miraimirai opendir
http://92.119.164.209/windyloveyou/windy.arm7b55b85e421b0984692514508133f910eb56d9272e033171d762e887282a67b94 Miraimirai opendir
http://92.119.164.209/windyloveyou/windy.ppc5ce78c9640535cc6133577f76d653caa01555dda6ce7dcc7d52e1820a36228ba Miraimirai opendir
http://92.119.164.209/windyloveyou/windy.spcd4d594aede211b92ee76bd0314c717d12805103532db2c4470364bfb5c1e01eb Miraimirai opendir
http://92.119.164.209/windyloveyou/windy.m68k63dbbf2254cab953f2f316e68f7db077b9dc289c1b89b30196d90f9e24cb6784 Miraimirai opendir
http://92.119.164.209/windyloveyou/windy.sh439d2ec0f6140e29d919306a5d7d93f66e4cf53184249aa5e66c1a28b3cf405c4 Miraimirai opendir

Intelligence

File Origin
# of uploads :
1
# of downloads :
29
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL
Create hunting rule

Result
Gathering data
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/69218514-45e2-467e-974d-ff8c2e0cf503
Behavior Graph:
Download SVG
%3 guuid=8e837aef-1a00-0000-8143-3175fa0a0000 pid=2810 /usr/bin/sudo guuid=58f038f2-1a00-0000-8143-3175000b0000 pid=2816 /tmp/sample.bin guuid=8e837aef-1a00-0000-8143-3175fa0a0000 pid=2810->guuid=58f038f2-1a00-0000-8143-3175000b0000 pid=2816 execve guuid=86d2bff2-1a00-0000-8143-3175030b0000 pid=2819 /usr/bin/cp guuid=58f038f2-1a00-0000-8143-3175000b0000 pid=2816->guuid=86d2bff2-1a00-0000-8143-3175030b0000 pid=2819 execve guuid=d540aaf8-1a00-0000-8143-31750c0b0000 pid=2828 /usr/bin/wget guuid=58f038f2-1a00-0000-8143-3175000b0000 pid=2816->guuid=d540aaf8-1a00-0000-8143-31750c0b0000 pid=2828 execve
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b85358b80802f914a3f3c3b1d262f76aec29327cea737f5563967feaab1d572c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b85358b80802f914a3f3c3b1d262f76aec29327cea737f5563967feaab1d572c/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/b85358b80802f914a3f3c3b1d262f76aec29327cea737f5563967feaab1d572c
Threat name:
Linux.Downloader.Medusa
Create hunting rule
Status:
Malicious
First seen:
2025-12-26 19:59:32 UTC
File Type:
Text (Shell)
AV detection:
21 of 36 (58.33%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xbjvroaial4rji7tyoy5eyxxnlwcsmt45jzx6vldsz76vky5k4wa._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery linux
Link:
https://tria.ge/reports/251226-ypsbeagj91/
Behaviour
Reads runtime system information
Writes file to tmp directory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Shellscript_Downloader
Create hunting rule
Author:albertzsigovits
Description:Generic Approach to Shellscript downloaders
Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh b85358b80802f914a3f3c3b1d262f76aec29327cea737f5563967feaab1d572c

(this sample)

Mirai

elf 2186d30e75c4768eb064d5c115dfe7e1fcf39d86252add1e1ed6d735511091a2

Mirai

elf f7af4118ea65040336702508edcdd20ab146b6f47f96ba144633f89376cee63f

  
URLhaus
https://urlhaus.abuse.ch/url/3744265/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3744271/
  
Dropping
MD5 eb51559381a5d23c5876de38b2e1e61a
  
Dropping
SHA256 f7af4118ea65040336702508edcdd20ab146b6f47f96ba144633f89376cee63f

Comments