MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd81875f09c4eb86c1b4322491af6c12bcb4a21141edfcb49431780b214d8467. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8



SHA256 hash: bd81875f09c4eb86c1b4322491af6c12bcb4a21141edfcb49431780b214d8467
SHA3-384 hash: d78fbdba3a6ed3b2e5539ec22f58b6797e6276ded133083ed9284522a546508854f418ea97a38317c6a7bd9078633333
SHA1 hash: 67c7cee42f4bfd1de60fa7c41b1706c4c54662c6
MD5 hash: 53521b0e318ecb307b94da64f48643b2
humanhash: fillet-cat-hotel-happy
File name: check1.sh
Signature: Mirai
File size: 999 bytes
First seen: 2026-01-13 16:19:43 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:VUeYj+H1wDMK9CFdYhEnHQBYw9I5xqARiy3AnQZaZl1cSRs/:VUeYj+H1wDMK9CnYhEYwquiywOjSu
TLSH: T1BC11AF827B356CB12DDD812D72AB985D6042023F561B7F98789B98B71F1C580F094FB4
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Related URLs (delivery URL, malware sample SHA256 hash, signature, tags):

URL | Malware sample (SHA256 hash) | Signature | Tags
http://77.221.152.211/check1.sh | a3c6896c569118bc40fd12db9516c8a2dd60690a4e5d1eddce11b792b254e6bc | Mirai | mirai sh ua-wget
http://77.221.152.211/Error84 | 0c4bfa96b30bf3046a70d8a0143ed419a7cd58b55091c85da619a8a22cd31e1b | Mirai | elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 46
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: bash lolbin

Verdict: Malicious
File Type: unix shell
First seen: 2026-01-13T13:28:00Z UTC
Last seen: 2026-01-14T12:48:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.cw
Status: terminated
Behavior Graph (process tree, reconstructed from the sandbox graph data; edge labels are the syscall that created the child, bracketed tags are the sandbox's per-process annotations):

/usr/bin/sudo (pid 2681)
  -> execve /tmp/sample.bin (pid 2688)
       -> clone  /usr/bin/bash  (pid 2690)
       -> execve /usr/bin/grep  (pid 2691)
       -> clone  /usr/bin/bash  (pid 2694)
            -> clone /usr/bin/bash (pid 2696)
       -> clone  /usr/bin/bash  (pid 2695)
       -> execve /usr/bin/pgrep (pid 2699)
       -> execve /usr/bin/rm    (pid 2730) [delete-file]
       -> execve /usr/bin/sleep (pid 2738)
       -> execve /usr/bin/curl  (pid 3260) [net, send-data, write-file]
       -> execve /usr/bin/wget  (pid 3282) [net, send-data, write-file]
       -> execve /usr/bin/sleep (pid 3324)
       -> execve /usr/bin/chmod (pid 3974)
       -> clone  /usr/bin/bash  (pid 3976)
       -> execve /usr/bin/rm    (pid 3978)
       -> execve /usr/bin/sleep (pid 3979)
       -> execve /usr/bin/rm    (pid 4058)
       -> execve /usr/bin/rm    (pid 4059) [delete-file]
       -> execve /usr/bin/rm    (pid 4060) [delete-file]
       -> execve /usr/bin/rm    (pid 4061) [delete-file]
       -> execve /usr/bin/rm    (pid 4062) [delete-file]
       -> execve /usr/bin/rm    (pid 4063)
       -> execve /usr/bin/clear (pid 4064)

Network endpoint: 77.221.152.211:80
  curl (pid 3260) -> 77.221.152.211:80  send: 85B
  wget (pid 3282) -> 77.221.152.211:80  send: 136B
Threat name: Linux.Trojan.Vigorf
Status: Malicious
First seen: 2026-01-13 16:10:57 UTC
File Type: Text (Shell)
AV detection: 11 of 37 (29.73%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:xmrig antivm defense_evasion discovery execution linux miner persistence privilege_escalation

Behaviour
- Reads runtime system information
- Checks CPU configuration
- Reads CPU attributes
- Creates/modifies Cron job
- Deletes log files
- Enumerates running processes
- File and Directory Permissions Modification
- Indicator Removal: Clear Command History
- Executes dropped EXE
- XMRig Miner payload
- Xmrig family
- xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File type: sh
SHA256: bd81875f09c4eb86c1b4322491af6c12bcb4a21141edfcb49431780b214d8467 (this sample)

Comments