MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd9daab6d720ed33025f3e6cd2cc61c2abe562b3067b904304623a6c7a503b9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 5

SHA256 hash: bd9daab6d720ed33025f3e6cd2cc61c2abe562b3067b904304623a6c7a503b9a
SHA3-384 hash: ecfcf09f0cd281d4a3f04425c29a00cfdc0d3c990e09f72bb102436240e35636e663a609e6c4413a4fe46024c57348b4
SHA1 hash: fa7c40db28258dfe66e5b242b9cf2420c32637a4
MD5 hash: 5449adbda30f3ccf7e578c469f6a2f4d
humanhash: beryllium-potato-delaware-robin
File name: w.sh
Signature: Mirai
File size: 1'269 bytes
First seen: 2025-08-03 04:31:50 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 24:TAENEzp+dlzoNnialz3zyZLZzpPzpDjlzPJlz9MYzL8SzeGkUMpzMXiolz9xzlz8:qF+dlkNialTuZLZVPlDjlDJlhBXflkpt
TLSH: T1EF21B5CE07EA9168989C5EA23095C1342E4DC6D43260CFA994CD79B27688E14F136F99
Magika: txt
Reporter: abuse_ch
Tags: sh
IOCs

URL | Malware sample (SHA256 hash) | Signature | Tags
http://196.251.115.36/HBTs/top1miku.arc | 22a0259442cc186e532dc5869fb4f71f759cccfb2457c815d25cc86a0e1dfe74 | Mirai | elf mirai opendir ua-wget
http://196.251.115.36/HBTs/.ksysd | a999f47eecd7e38895349eb39c6d2350815b5de5dc06629cd3008ab712b95a49 | Mirai | elf mirai ua-wget
http://196.251.115.36/HBTs/.dbusd | 4fca520cba6b303a00db04c5525f9ebcd91027396a8daea21428623d9c000cd9 | Mirai | elf mirai ua-wget
http://196.251.115.36/HBTs/top1miku.i686 | d35606a53e34a64f61406a84c406478ebeab1759e43c7b9d8821bf7b707ae2ac | Gafgyt | elf gafgyt geofenced opendir ua-wget USA
http://196.251.115.36/HBTs/.udevmon | ebf5b2fe63545dd6486a8424d3660e89fec0f5b4d9f5697cf639c71a30e5084f | Mirai | elf mirai ua-wget
http://196.251.115.36/HBTs/.upstart | 5f346db94dd74ca9f5b9bbef9a3acede4ff545868d9302ce9e9f6afadd174c3e | Mirai | elf mirai ua-wget
http://196.251.115.36/HBTs/.netd | 3fe3f07475a7f97dbd70d217568915acf9107cf6ac1225758d3068dcca3b894d | Mirai | elf mirai ua-wget
http://196.251.115.36/HBTs/.syncd | 2e03f8c53cfdc53d28de4014c6d1bf599f6db13e805ddf40ec63fc2728d99615 | Mirai | elf mirai ua-wget
http://196.251.115.36/HBTs/.irqbal | 2cc247d74f81b12e13cfee4617575ac1e0ab5dca352947af77072916b3f91532 | Mirai | elf mirai ua-wget
http://196.251.115.36/HBTs/.rsysl | 739aef07d54c89858d617dcfaa25a44ea5d28f75efab5c14f884d3b89c24181b | Mirai | elf mirai ua-wget
http://196.251.115.36/HBTs/.modprobe | a4c5d10e0484cc0b3005ba65e1499780acb68a18b476f846bc8fce1d318f07bf | Mirai | elf mirai ua-wget
http://196.251.115.36/HBTs/.systemd-jd | n/a | n/a | elf ua-wget
http://196.251.115.36/HBTs/.kthreadd | 188e8c19cfc165712b2e5d83a4a79eb6c0f68fe0a03d0811cd2972da755be0ed | Mirai | elf mirai ua-wget
http://196.251.115.36/HBTs/.klogd | a2d1334928d5ae1368924865254295e14290e36a88dc01c309ae66c04b1ab468 | Mirai | elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 27
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bash busybox lolbin mirai
Status: terminated
Behavior Graph (the rendered graph was not captured; the process and network data it contains are listed here):

Process tree:
  /usr/bin/sudo (pid 3064)
    execve /tmp/sample.bin (pid 3069)
      execve /usr/bin/busybox (pid 3071; net, send-data)
      execve /usr/bin/chmod (pid 3077)
      clone /usr/bin/dash (pid 3079)
      execve /usr/bin/busybox (pid 3080; net, send-data, write-file)
      execve /usr/bin/chmod (pid 3088)
      clone /usr/bin/dash (pid 3089)
      execve /usr/bin/busybox (pid 3093; net, send-data, write-file)
      execve /usr/bin/chmod (pid 3100)
      execve /home/sandbox/.dbusd (pid 3101; net)
        clone /home/sandbox/.dbusd (pid 3102; zombie)
        clone /home/sandbox/.dbusd (pid 3103; zombie)
          clone /home/sandbox/.dbusd (pid 3104; write-config, zombie)
            execve /usr/bin/dash (pid 3106)
              execve /usr/bin/cp (pid 3108)
            clone /home/sandbox/.dbusd (pid 3112; dns, net, send-data)
      repeated busybox / chmod / dash sequence (busybox execve, chmod execve, dash clone) for pids 3105 through 3140; busybox pids 3126 and 3132 flagged net
      execve /usr/bin/rm (pid 3141)

Network edges:
  196.251.115.36:80 <- pid 3071 (send: 94B), pid 3080 (send: 88B), pid 3093 (send: 88B), pid 3126 (con), pid 3132 (con)
  8.8.8.8:53 <- pid 3101 (con), pid 3112 (send: 38B)
  top1miku.duckdns.org:2004 <- pid 3112 (send: 15B)
Threat name: Document-HTML.Trojan.Vigorf
Status: Malicious
First seen: 2025-08-03 04:32:07 UTC
File Type: Text
AV detection: 11 of 38 (28.95%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Web download | Mirai | sh | bd9daab6d720ed33025f3e6cd2cc61c2abe562b3067b904304623a6c7a503b9a (this sample)

Delivery method: Distributed via web download

Comments