MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd6c602f90687a7215402aa880024ace9e2df920733c39b16d02caef7488097f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	bd6c602f90687a7215402aa880024ace9e2df920733c39b16d02caef7488097f
SHA3-384 hash:	fec28b1756fdf2ad87d90e6a5f235ba55dc0149700e71a57e5478c0d33984a5cd4ada7f0819e9bb860c1e74b2c7646b3
SHA1 hash:	2861aca301bc8ca05bd0a51358d0332e6a17f2ef
MD5 hash:	98ac42751623f32f8b1b800329e2ca16
humanhash:	jupiter-speaker-pasta-saturn
File name:	8pr95K9.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'586 bytes
First seen:	2026-03-17 19:21:11 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:IXDurDKDWHbVLIf7wZDNwt5wFkt5wsePj4JxUrHG/tq4rcQ2cDUTWIduz4sGs:IXGW+LiUZDCOsIDYoypDUTHe9
TLSH	T15171E7CDE0E063746CDDDE6332BB9944B540A48614C27F689ECC34F2598FE85648EB82
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://178.16.54.73/1MstuFfwhCXulrI	e663a4312de309f96b41c5fc13cbc672e3fc901231549354d529410a46c5953b	Mirai	elf mirai ua-wget
http://178.16.54.73/aPG03YviN7x46	2f2fbb527f9a086e9cf23bd80c3ce7f74f673de58b4258b14d2ccac6134c0196	Mirai	elf mirai ua-wget
http://178.16.54.73/nN5oWS8MHN04Ygt	b6a05e2244a46eca59671bad97f27846eaaca8beb3d915dae39140969612650c	Mirai	elf mirai ua-wget
http://178.16.54.73/rHSgIuc6bWCRNhnI	3444490e3044cb9f9c8eebade13d23de7530dc848e8cbeec2ed98c8210af12d4	Mirai	elf mirai ua-wget
http://178.16.54.73/D6B8YmcOcvmdInZ7	7cebd4c3451c365ecd8ae3cec19d34dd32b27a0fa50bd03e7347f0bc4b053fd8	Mirai	elf mirai ua-wget
http://178.16.54.73/O2KseZ2Rs2kK4F	3920d8143477ec76be6bb791c96d88e7d65cd928a9a96907990eff0cb56c5aaf	Mirai	elf mirai ua-wget
http://178.16.54.73/FZXSOupfc3xz	7c576c16ba57b38bb0b51613059f6ee9afad77ec7b4c1d15f8a1203da6989d48	Mirai	elf mirai ua-wget
http://178.16.54.73/cwpj9HGq8KjAUVTU	aa01d67acbcbddda7acd553b700e9aa5172d716266e68fc245bcf28f66eb56d1	Mirai	elf mirai ua-wget
http://178.16.54.73/zGA6GUqtaiYtKV	d1ca90b03cc79e7b4627518021a2d3b304e8a0a157494b797964a4dfc3eb2e23	Mirai	elf mirai ua-wget
http://178.16.54.73/mOv9lSkDu5BYI3	0ad659a251eb5ddbbd0d7892425386d4ebc70b7bd1ada8cb2fe7a83f9206f44e	Mirai	elf mirai ua-wget
http://178.16.54.73/F3yJCc1PmcByE3DUNEqZ5n	8c2f0301b28eaab1e35d1620fd6c5179f51956641e6791b5e5f877fd7ed184fc	Mirai	elf mirai ua-wget
http://178.16.54.73/N9OXfQc1EvrvIymQ	8c87f8e1095c827cc036fe352fe22e285ac8e6d3602bf7cd12db3311b67d319f	Mirai	elf mirai ua-wget
http://178.16.54.73/7lmqyBAjov9oMU	29f20243292cc7287ac1e24a4bd2c7976ac94fbcd1669be8a39502c6c329a3d6	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 busybox evasive expand lolbin medusa mirai

Link:

https://www.filescan.io/uploads/69b9a9ad493cb7d62d02a166/reports/7e626426-730d-436f-90b7-9b8055ebccca/overview

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/bd6c602f90687a7215402aa880024ace9e2df920733c39b16d02caef7488097f/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/02ba5841-06bf-4a0b-849e-d85523d4950d

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/bd6c602f90687a7215402aa880024ace9e2df920733c39b16d02caef7488097f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bd6c602f90687a7215402aa880024ace9e2df920733c39b16d02caef7488097f/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/bd6c602f90687a7215402aa880024ace9e2df920733c39b16d02caef7488097f

Threat name:

Linux.Trojan.Vigorf

Status:

Malicious

First seen:

2026-03-17 19:22:21 UTC

File Type:

Text (Shell)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xvwgal4qnb5hefkafkuiaaskz2pc36jaom6dtmlnalfo65eibf7q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery execution linux persistence privilege_escalation

Link:

https://tria.ge/reports/260317-x2rd7sbt6y/

Behaviour

Reads runtime system information

Writes file to tmp directory

Checks CPU configuration

Creates/modifies Cron job

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Renames itself

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.34

Link:

https://yomi.yoroi.company/submissions/bd6c602f90687a7215402aa880024ace9e2df920733c39b16d02caef7488097f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.