MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf5a1e8b25d6ef368f11028fc492cc5e4a7e623a5b603a505828ae1c2e62fa3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	bf5a1e8b25d6ef368f11028fc492cc5e4a7e623a5b603a505828ae1c2e62fa3d
SHA3-384 hash:	e62d697258d59ad0258653db2a3fce848972527a6c4e521db853230c8b309ba90d831a6415bf452dee306410d3af2d0a
SHA1 hash:	f9abe14126b5ed2c1e80044de3799c5a01c98840
MD5 hash:	2c6d6e8f4f3edce40d4557c8cc5b5b83
humanhash:	harry-sweet-eleven-floor
File name:	logicdr.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'599 bytes
First seen:	2026-01-14 01:30:34 UTC
Last seen:	2026-01-14 11:55:11 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:9+h+Nhv3+w+o1jvQpr5rta8i/TiTCrVTdzTdtz2PSA+AiGOAsDx8G5GcB8jlA2SA:xhv7NvOwrfpA4GOAyuaTk7uGet2
TLSH	T10E31B48F063F39154EC7CF1B73E107CA521862E1F087DBF49C092A26A8D9888749CED6
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://91.92.241.10/x86_64.kok	1570e62aef9187e14d40c0951f9c40ae6b9ab24391a4713f8434943b037fb750	Mirai	elf geofenced mirai ua-wget USA x86
http://91.92.241.10/x86_32.kok	9b51a4f52e88bc608501150838b64f827907cecb3279794bf1d29f0472823e5a	Mirai	elf geofenced mirai ua-wget USA x86
http://91.92.241.10/powerpc.kok	21f6f7aef040ad4422fb88996eced78ca55084e3ddd238bf848818d1b762074b	Mirai	elf geofenced mirai PowerPC ua-wget USA
http://91.92.241.10/mips.kok	37bc4aae0bd9393c08597d04af5e2f289a10c44fa8f0f08260e0e51fa6910dc1	Mirai	elf geofenced mips mirai ua-wget USA
http://91.92.241.10/mipsel.kok	671cfdd83d66fbdb1f3683d7fd18b1bf15a535d72a6f2fc920f5165b8d46ddb2	Mirai	elf geofenced mips mirai ua-wget USA
http://91.92.241.10/arm.kok	2ffa20a4410cb81c8baafac760f9e3001cb01508ef096eedd6a6994db9c60cba	Mirai	arm elf geofenced mirai ua-wget USA
http://91.92.241.10/arm5.kok	8e646a1ec0ae9ef84648d3de70787c8d78fe6985c487751a57408d0ac609aedd	Mirai	arm elf geofenced mirai ua-wget USA
http://91.92.241.10/arm6.kok	6c859a43675833bc89bdc946ba3f3230959db7b25607a40f01fb49c7862fe50e	Mirai	arm elf geofenced mirai ua-wget USA
http://91.92.241.10/arm7.kok	326e0ecd04fd4bd68c0a144ab3437194ee38a41a687d6b40116c0ac24b8a07b1	Mirai	arm elf geofenced mirai ua-wget USA
http://91.92.241.10/sparc.kok	n/a	n/a	elf ua-wget
http://91.92.241.10/m68k.kok	n/a	n/a	elf ua-wget
http://91.92.241.10/sh4.kok	n/a	n/a	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive mirai

Link:

https://www.filescan.io/uploads/6966f1ed3827c9e1249c6527/reports/fdf76445-5d2c-4416-b405-652274561586/overview

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-13T22:37:00Z UTC

Last seen:

2026-01-13T22:37:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/bf5a1e8b25d6ef368f11028fc492cc5e4a7e623a5b603a505828ae1c2e62fa3d/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/02a47d9f-be43-40af-afc5-be3b7dfd9a4b

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/bf5a1e8b25d6ef368f11028fc492cc5e4a7e623a5b603a505828ae1c2e62fa3d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bf5a1e8b25d6ef368f11028fc492cc5e4a7e623a5b603a505828ae1c2e62fa3d/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/bf5a1e8b25d6ef368f11028fc492cc5e4a7e623a5b603a505828ae1c2e62fa3d

Threat name:

Script-Shell.Trojan.Geninst

Status:

Malicious

First seen:

2026-01-14 01:31:26 UTC

File Type:

Text (Shell)

AV detection:

16 of 36 (44.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x5nb5czf23xtndyrakh4jewmlzfh4yr2lnqduucyfcxbyltc7i6q._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery execution linux persistence privilege_escalation

Link:

https://tria.ge/reports/260114-bxlghaat3e/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to shm directory

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Modifies Bash startup script

Creates/modifies Cron job

Creates/modifies environment variables

Deletes log files

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Unexpected DNS network traffic destination

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bf5a1e8b25d6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh