MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c09f2c7202a8306d6a9b883855a20281c3376034d010046ae89151866c46e49b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: c09f2c7202a8306d6a9b883855a20281c3376034d010046ae89151866c46e49b
SHA3-384 hash: 378b46084099a29430f42c238ca2674dae5ee9dd5b0c3b1cea3545810f3919cd264ac4cef8938d03a4122edeaffc8410
SHA1 hash: 45a96930749f5b801eaeb74f7d51fbeeda6cdd7f
MD5 hash: bd204a6ae9fbf4c617b36dc8855c9a55
humanhash: winner-double-autumn-xray
File name: zxc.sh
Signature: Mirai
File size: 636 bytes
First seen: 2025-12-22 16:41:06 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:ep3xnRDXuYnRJBnRMaLBm2nRVNITRYnRGTWnN:epfDeSJ/MaLBmEVNIlSN
TLSH: T1F3F08BAE0017AF02C05CDE397A75747BB470D79A095B4B987EC580FE848D6417328D61
Magika: batch
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 44
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive mirai

Verdict: Malicious
File Type: text
First seen: 2025-12-22T13:59:00Z UTC
Last seen: 2025-12-24T01:52:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph: sandbox process tree (graph image omitted): /usr/bin/sudo launches /tmp/sample.bin, which repeatedly executes /usr/bin/wget (net, send-data, write-file), /usr/bin/chmod, /usr/bin/dash (clone) and /usr/bin/rm (delete-file); each wget process sends about 135 B to 130.12.180.64:80.
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script.Trojan.Heuristic
Status: Malicious
First seen: 2025-12-22 11:41:13 UTC
File Type: Text (Shell)
AV detection: 11 of 23 (47.83%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
Signature: Mirai
File type: sh
SHA256 hash: c09f2c7202a8306d6a9b883855a20281c3376034d010046ae89151866c46e49b (this sample)

Comments