MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0469c8400de5b76b99f26aa982023f483df42781813ebbbdaf4e4013d8fdabd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	c0469c8400de5b76b99f26aa982023f483df42781813ebbbdaf4e4013d8fdabd
SHA3-384 hash:	88dd505582b8d169e53519bb162debb01fff719eab5de391c7111acc16c8039ad60274a6475ec5c1eb7fac25a9b64704
SHA1 hash:	a82b9f2b9ae10374b182fdd285b74c925daa4704
MD5 hash:	743ac21cf9245397dae9fbfcce1c6c20
humanhash:	july-sierra-eleven-california
File name:	goahead
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'863 bytes
First seen:	2026-02-03 16:40:17 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vzyuoz3Uoz58ozHwozBwozdudzEozoCozR8ozKuozLMozH+oz7x7UfozAuozjWL:vzyuoz3Uoz58ozHwozBwozM9EozoCozE
TLSH	T11D5193C532254BB8AFB15D97B6F540057485A0D2AEC74ECAE2FC64FE018CF096C926B7
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://94.26.106.177/bins/sora.x86	e9e378387a21bdfc4c1f424ec79a209ceba05d1f0919d6dca05e5623e3f941fd	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.mips	5e74a50c9255cda93e51e37903260477800d9aac1301e8447a8793a83529c07a	Mirai	32-bit elf mirai Mozi
http://94.26.106.177/bins/sora.x86_64	9494683239ff99d86db9145ddd361c5014eef8506c720ef34bae542b1f140c88	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.i468	n/a	n/a	n/a
http://94.26.106.177/bins/sora.i686	28d2d9759823d69e7fc46485b53a413b38ef2f8ff504dd397b6726c21c5dcd19	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.mpsl	c62afaff80ce42bd7e8f6f3b66e45da9a3b36d00fcd630936d28fbce2c9d8f26	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.arm4	n/a	n/a	n/a
http://94.26.106.177/bins/sora.arm5	681c788f1f1c6beb7f7ef7dce47c3971dbb506c5ce58a0caedbb7999efb9bd66	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.arm6	9633a560c9e528465418f37cb0111f6cbda015a4b46f4ab2efe27eaa0b75413b	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.arm7	n/a	n/a	n/a
http://94.26.106.177/bins/sora.ppc	f67c66b6e0cf80b0546171bc249b825601f1078f0df6fb18402441eba65ad610	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.ppc440fp	n/a	n/a	n/a
http://94.26.106.177/bins/sora.m68k	482fe1c5adf10b2feb46d79a6ba89ac5865e73fda816738642d61c03e2149e07	Mirai	elf mirai ua-wget
http://94.26.106.177/bins/sora.sh4	be6d52de33de60fd6d03fc14a719eea4b605519b22370321e44acd102ba7447c	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Result

Gathering data

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/f8870a50-6d0a-4571-bbc9-bf6dc59dddbb

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c0469c8400de5b76b99f26aa982023f483df42781813ebbbdaf4e4013d8fdabd

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c0469c8400de5b76b99f26aa982023f483df42781813ebbbdaf4e4013d8fdabd/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/c0469c8400de5b76b99f26aa982023f483df42781813ebbbdaf4e4013d8fdabd

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-02-03 16:33:26 UTC

File Type:

Text (Shell)

AV detection:

22 of 36 (61.11%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ybdjzbaa3znxnom7e2vjqibd6sb56qtydaj6xo626tsacpmp3k6q._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/260203-t6ysash12h/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.37

Link:

https://yomi.yoroi.company/submissions/c0469c8400de5b76b99f26aa982023f483df42781813ebbbdaf4e4013d8fdabd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh