MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c09f2c7202a8306d6a9b883855a20281c3376034d010046ae89151866c46e49b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mirai
Vendor detections: 7

SHA256 hash: c09f2c7202a8306d6a9b883855a20281c3376034d010046ae89151866c46e49b
SHA3-384 hash: 378b46084099a29430f42c238ca2674dae5ee9dd5b0c3b1cea3545810f3919cd264ac4cef8938d03a4122edeaffc8410
SHA1 hash: 45a96930749f5b801eaeb74f7d51fbeeda6cdd7f
MD5 hash: bd204a6ae9fbf4c617b36dc8855c9a55
humanhash: winner-double-autumn-xray
File name: zxc.sh
Signature: Mirai
File size: 636 bytes
First seen: 2025-12-22 16:41:06 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:ep3xnRDXuYnRJBnRMaLBm2nRVNITRYnRGTWnN:epfDeSJ/MaLBmEVNIlSN
TLSH: T1F3F08BAE0017AF02C05CDE397A75747BB470D79A095B4B987EC580FE848D6417328D61
Magika: batch
Reporter: abuse_ch
Tags: sh
IOCs

URL | Malware sample (SHA256 hash) | Signature | Tags
http://130.12.180.64/splmips | dcb690747a11527c5ad9919521ffd27a29563f24c19df3d7f9218fdea6e88622 | Mirai | elf mirai ua-wget
http://130.12.180.64/splmpsl | 0cffd5f3473dde6aecb03030cb95efa81c7e1a1bc218528dc318348af422c8cc | Mirai | elf mirai ua-wget
http://130.12.180.64/splarm | 8f6a29ee517a7bb5d9c3db16b8363420c732d8a9d7993da16006a05a6b80c836 | Mirai | elf mirai ua-wget
http://130.12.180.64/splarm5 | 99126f681aa44a7d9b99678bdc492133341e2de0ca22c50b014a1e43b8ae2d91 | Mirai | elf mirai ua-wget
http://130.12.180.64/splarm6 | fa62bcbb4cff0013ab416aaa10c8fe9b2c3beb731db15f27eafba9f81d761343 | Mirai | elf mirai ua-wget
http://130.12.180.64/splarm7 | 7cc0c7d015dfef9d1917318d0ec9b7cb9d1bb80d8b2b0bff615814bc2a0726eb | Mirai | elf mirai ua-wget

Intelligence

File Origin
# of uploads: 1
# of downloads: 39
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive mirai

Verdict: Malicious
File Type: text
First seen: 2025-12-22T13:59:00Z UTC
Last seen: 2025-12-24T01:52:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Threat name: Script.Trojan.Heuristic
Status: Malicious
First seen: 2025-12-22 11:41:13 UTC
File Type: Text (Shell)
AV detection: 11 of 23 (47.83%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
Signature: Mirai
File: sh c09f2c7202a8306d6a9b883855a20281c3376034d010046ae89151866c46e49b (this sample)

Delivery method: Distributed via web download