MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcb5295c2691d78a1ab580588ec0b9a80979884336bbef6d53f0df65b8cd529d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	bcb5295c2691d78a1ab580588ec0b9a80979884336bbef6d53f0df65b8cd529d
SHA3-384 hash:	30d1d1dcdf26427d9cbf1d4ba3f19644d6e5c0a09d9c6177dacf53ef221d5f8d2d68369f10f12a89152a1d37e90f353c
SHA1 hash:	1191b5c84f2d42d0402709069dbd30b7d5232a2f
MD5 hash:	589af25ac9c98a7aca9102a0773d0811
humanhash:	music-cola-purple-oklahoma
File name:	goahead.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	590 bytes
First seen:	2025-11-28 18:17:23 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	12:IXOp845iKbiMtgxxKKLVOhHWhtaQdnhHWhtaQdEzMHWhtaQdYIMHWhtaQd4HWhtA:q05pJtCcLWh0YRWh0VzGWh0rhWh0fWhe
TLSH	T129F081DF869148104A48F98EB683881ED80E86DB644E9BC4FC8D2D3929E954C7022A84
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://183.81.33.194/mips	12affec37ead42f73dd183de74725c5bd3d6621478fe4e0d1b81f1eb46d0c18f	Mirai	DEU elf geofenced mips mirai ua-wget USA
http://183.81.33.194/mpsl	21f65a0f5404263e2abcf0b9cc9a60b35e9ef8c505724c969bb9b3f8427cb44b	Mirai	DEU elf geofenced mips mirai ua-wget
http://183.81.33.194/arm4	f4d312c31b3f1170621721ea7dda0ceb50977bda8f04527cf060f85dda15c513	Mirai	elf mirai ua-wget
http://183.81.33.194/arm5	feec495f2b4a0a7c82f2333569e242ba31197ed563675b92a2319dbc3c77364f	Mirai	arm elf geofenced mirai ua-wget USA
http://183.81.33.194/arm7	b1c2458d22bbb0b7580470d9481654fae096a2bc0e8aab742ba9ac584568094d	Mirai	arm elf geofenced mirai ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive mirai

Link:

https://www.filescan.io/uploads/6929e762ab9dcca0c6fbb027/reports/abd68999-c54a-473b-8ee0-edd4f34da1fe/overview

Verdict:

Malicious

File Type:

text

First seen:

2025-11-28T16:29:00Z UTC

Last seen:

2025-11-29T00:59:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/bcb5295c2691d78a1ab580588ec0b9a80979884336bbef6d53f0df65b8cd529d/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/ddc7b05a-79b9-4650-93a8-dd549c88bb71

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/bcb5295c2691d78a1ab580588ec0b9a80979884336bbef6d53f0df65b8cd529d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bcb5295c2691d78a1ab580588ec0b9a80979884336bbef6d53f0df65b8cd529d/

Threat name:

Linux.Trojan.Vigorf

Status:

Malicious

First seen:

2025-11-28 18:10:34 UTC

File Type:

Text (Shell)

AV detection:

15 of 38 (39.47%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xs2ssxbgshlyugvvqbmi5qfzvaextccdg25663kt6dpwlognkkoq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251128-wxnxvavqb1/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/bcb5295c2691d78a1ab580588ec0b9a80979884336bbef6d53f0df65b8cd529d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.