MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8b498700a59ea410ed008610c2ebda8d7dbfdc33cb87c7f3464ff4a6ec42f3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9



SHA256 hash: b8b498700a59ea410ed008610c2ebda8d7dbfdc33cb87c7f3464ff4a6ec42f3c
SHA3-384 hash: d750f547ae9ff97cb2ab5102b1cf2bf9c6fba3a4106cc5ee4c85c5f12e54575335a2bb235caaf819e55a3d3ea85f3bd4
SHA1 hash: 93b761d9f4fefdc73b60b93a4cd17de9a1b22955
MD5 hash: e3c65725c1873198b8f28d10550c217a
humanhash: burger-magnesium-quebec-helium
File name: bins.sh
Signature: Mirai
File size: 2'057 bytes
First seen: 2025-12-24 09:15:34 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:2F4isFWsFJsFNsFwsFisF4sFUsFXsF5sFa:2Pscs3sHs+sMsmsOsts7sw
TLSH: T16041149668A335F03869582A326EE8463681A45FC7C93E1848D93EB744CCF48748CE62
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://86.54.42.154/bins/mirai.x86 | dc94f266fe7387aef08a4d9b57d63aa4a8ad966646818716f032f278f102bc32 | Mirai | elf mirai ua-wget
http://86.54.42.154/bins/mirai.mips | a1c74cd30f3733c3b36abe14c53e75e4212c3f9d4fff11f00cbf7d320c4507ef | Mirai | elf mirai ua-wget
http://86.54.42.154/bins/mirai.mpsl | bf3b3e8235a980a6f281b9998ed4c89d9f1b94cf693a0fb63de5f07f49923a3f | Mirai | elf mirai ua-wget
http://86.54.42.154/bins/mirai.arm | c2194e29e2e4ee5869ec2b95332ee8cd2b7e48f4a12f7974d8f045fbbb59456d | Mirai | elf mirai ua-wget
http://86.54.42.154/bins/mirai.arm5n | e63c0d54851287cebfa405aaa19bb30556dcddfe2d9cd57411cc9e68f56b9686 | Mirai | elf mirai ua-wget
http://86.54.42.154/bins/mirai.arm7 | 33fbc6676a39b3cd030b9db288dcbadd5222016f555fe41716b929aac0f4255b | Mirai | elf mirai ua-wget
http://86.54.42.154/bins/mirai.gnueabihf | 7926e9763ad01a4497aebb4c1765669c9ad56201d317729cc77637c681acf1cb | Mirai | elf mirai ua-wget
http://86.54.42.154/bins/mirai.ppc | 9793fcf57e3e5270d0b9259ed41382064443a841ef071cc33d36259830ff023d | Mirai | elf mirai ua-wget
http://86.54.42.154/bins/mirai.spc | 7c37791c89bc3893f98c7a84c3f58b54911c92bfed0baf8e3bd1a0ed7f11bc91 | Mirai | elf mirai ua-wget
http://86.54.42.154/bins/mirai.m68k | 64ffcdc890d51f3ab424e49dbfae3f7fd3f3ef477e6349592df135e45c3ea2ac | Mirai | elf mirai ua-wget
http://86.54.42.154/bins/mirai.sh4 | e06d523f3e6e9cc93b50ca47f0723c1f2fc36e4e70a27cb863a050ff8f0daeba | Mirai | elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 45
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive medusa mirai
Verdict: Malicious
File Type: unix shell
First seen: 2025-12-24T06:32:00Z UTC
Last seen: 2025-12-24T07:19:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph: (graph image not recoverable as text; process tree recovered from the node labels) /usr/bin/sudo (pid 3128) execve -> /tmp/sample.bin (pid 3132). The sample repeatedly executes /usr/bin/wget (net, send-data, write-file; sends to 86.54.42.154:80), /usr/bin/chmod, /usr/bin/dash (clone) and /usr/bin/rm (delete-file). One downloaded payload runs as /tmp/dvrHelper (pid 3154; delete-file, net), which resolves names via 8.8.8.8:53, clones children (pids 3156, 3157, 3161), connects to 86.54.42.154:23, and is flagged net-scan: it sends data to port 23 on other hosts (for example 166.104.188.209:23), to 4097 IP addresses in total.
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-12-24 09:16:17 UTC
File Type: Text (Shell)
AV detection: 18 of 36 (50.00%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:mirai botnet defense_evasion discovery linux persistence
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads system network configuration
Enumerates active TCP sockets
Enumerates running processes
Modifies init.d
Modifies rc script
Write file to user bin folder
Writes file to system bin folder
File and Directory Permissions Modification
Deletes itself
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (2360) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Malware Config
C2 Extraction: 86.54.42.154
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh
Rule name: UNK_install_script
Author: evilcel3ri
Description: Detects a suspicious behaviour in a bash installation script

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Mirai
sh b8b498700a59ea410ed008610c2ebda8d7dbfdc33cb87c7f3464ff4a6ec42f3c (this sample)
Delivery method: Distributed via web download

Comments