MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c270f8d98c57039e9e378e69335a727bdeee175e6e0af6407b0445b705c418f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	c270f8d98c57039e9e378e69335a727bdeee175e6e0af6407b0445b705c418f7
SHA3-384 hash:	ca6e2c68ef6d9befe1134bf9c5387f28adcfefea3077b383ce8aeb8fdbcfc2992625ab2470a32af616a11db77291b8b6
SHA1 hash:	e98f92ec6d7cfce59f6a238c6e838405c82be79c
MD5 hash:	cae7b77aedc7e81b0ec4eee5dba77608
humanhash:	stream-cup-papa-oklahoma
File name:	wget.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	842 bytes
First seen:	2025-12-13 09:47:30 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:KSs6wZDgMZDgMnXNyHe0fDgMGswDgMPMSYeJB/DgMCEpLDgM1ynDgMds:KSKZjtnX6rGssPcebxpv1yjO
TLSH	T1960125CE71003F65C5C9C91FB6A3896C10CD82CA46DAA7CE3CCE44769280AE4F404E58
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://84.247.129.206/arm	9d1f5585211fcaaadac45c80d471bf9f99d706d2c474c1b90c42fb9981b631f2	Mirai	32-bit elf mirai Mozi
http://84.247.129.206/arm5	f19bc67c24f411612c3b269b8942eff6ab7f3343c8dafae8ac05e34ed69b5780	Mirai	elf mirai ua-wget
http://84.247.129.206/arm7	54e02ba74f00451396135c4065c8e7c25d50463e1457aafd528652350a2166d4	Mirai	elf mirai ua-wget
http://84.247.129.206/mips	05faf3b3bce3181d44266c72838cbdee8f38f621a14ce565884a817058f81c63	Mirai	32-bit elf mirai Mozi
http://84.247.129.206/mpsl	9dd999eea5fbd01f9ec1cff3f0ed5dc0b548da53a27b95020d3bc633b6e3f5dc	Mirai	elf mirai ua-wget
http://84.247.129.206/arc	603e511427c5503a2f5a1c96080147aaf25fbbf29fa8b6e00ca92f8311a4d5c5	Mirai	elf mirai ua-wget
http://84.247.129.206/aarch64	631abf7cefc6a9426e1387f63109c4708e18217e3b2daac8576638375c20152c	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.Downloader-36.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox expand lolbin

Link:

https://www.filescan.io/uploads/693d366064bd958a5210e8ee/reports/f6008307-89ef-49f8-8b9d-a393d342eea4/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-13T07:25:00Z UTC

Last seen:

2025-12-14T12:08:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p

Link:

https://opentip.kaspersky.com/c270f8d98c57039e9e378e69335a727bdeee175e6e0af6407b0445b705c418f7/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/5817cf1f-0c4f-40e3-b9d0-9a67d9571bb7

Score:

94%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c270f8d98c57039e9e378e69335a727bdeee175e6e0af6407b0445b705c418f7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c270f8d98c57039e9e378e69335a727bdeee175e6e0af6407b0445b705c418f7/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/c270f8d98c57039e9e378e69335a727bdeee175e6e0af6407b0445b705c418f7

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2025-12-13 09:41:03 UTC

File Type:

Text (Shell)

AV detection:

15 of 36 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yjyprwmmk4bz5hrxrzutgwtspppo4f26nyfpmqd3arc3oboedd3q._file

Result

Malware family:

n/a

Score:

9/10

Tags:

antivm credential_access defense_evasion discovery linux

Link:

https://tria.ge/reports/251213-lsz47sylet/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads process memory

Enumerates running processes

File and Directory Permissions Modification

Deletes system logs

Executes dropped EXE

Renames itself

Unexpected DNS network traffic destination

Contacts a large (25523) amount of remote hosts

Creates a large amount of network flows

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.29

Link:

https://yomi.yoroi.company/submissions/c270f8d98c57039e9e378e69335a727bdeee175e6e0af6407b0445b705c418f7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh c270f8d98c57039e9e378e69335a727bdeee175e6e0af6407b0445b705c418f7

(this sample)

Mirai

elf 9a2715c54d3741d6d4dbbc1bb4455cc31fac4fb3189632ac2eddc2bef2c7e47e

URLhaus

https://urlhaus.abuse.ch/url/3732950/

Delivery method

Distributed via web download

Dropping

MD5 54da405cd49ded413dd36884aee18ede

Dropping

SHA256 9a2715c54d3741d6d4dbbc1bb4455cc31fac4fb3189632ac2eddc2bef2c7e47e

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample