MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2e736a01417f8466a99f63d77cb2f7d4a7d71b33351ae0d145a2e1ec5b4c0ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	c2e736a01417f8466a99f63d77cb2f7d4a7d71b33351ae0d145a2e1ec5b4c0ce
SHA3-384 hash:	98634185f30afcf725b266311d581ffbda2277f3e566b070e84c38b2f8fb5f3991376250548018eac221500932659780
SHA1 hash:	242106967d679dac99152693d1fa3a7e45cb80d1
MD5 hash:	86f7ef92c967d514c11014a3ddde04fb
humanhash:	autumn-summer-don-alabama
File name:	c2e736a01417f8466a99f63d77cb2f7d4a7d71b33351ae0d145a2e1ec5b4c0ce
Download:	download sample
Signature	Mirai Create hunting rule
File size:	5'019 bytes
First seen:	2026-06-23 23:18:36 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:Jjz+CDpYu7gHgWgCDn+h5TJksJTN4A3zgvnvHSY3U1UsUC1Zk/ndwL7jDZD4DWDg:UATCs36RCTR2WE
TLSH	T174A194A9602032F99E22DDA536999CCC3AD784AB6A670E6497DC3970F1FCF1438781C5
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	c2hunter
Tags:	sh wraith

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://64.89.162.139/bin/nerv.x86	2522ea59162e569aa18244b99521f597f0bd5082c767b80c6cf09d0dd3c8b9a5	Mirai	elf mirai opendir ua-wget x86
http://64.89.162.139/bin/nerv.x86_32	bd0d1fab22f6f81ce82f0fbc1831091bbac6311db2cfc8f610fb83fac2fd66d1	Mirai	elf mirai opendir ua-wget x86
http://64.89.162.139/bin/nerv.x86_64	584d6786596e0a2e8ae08a0de55676e10a9e5f12f7efac9e073c7f517cece228	Mirai	elf mirai opendir ua-wget x86
http://64.89.162.139/bin/nerv.mips	f27a165f3cdcb6f72dceaf130398fa7f78b2a5c7e5a22cb14db5e8c5b4151cb9	Mirai	elf mips mirai opendir ua-wget
http://64.89.162.139/bin/nerv.mpsl	088b936614445d0ef54c838f10b563343efedc68209c482d0155221de613ec18	Mirai	elf mips mirai opendir ua-wget
http://64.89.162.139/bin/nerv.arm4	cc281983d78727a9db9a1cfd24cbd45b2cc98025d5da262a93dca5a6b16075c0	Mirai	arm elf mirai opendir ua-wget
http://64.89.162.139/bin/nerv.arm5	8de571b44211ec6fd985428d1464daf0e4d31202c8286de9c2c496d026595caa	Mirai	arm elf mirai opendir ua-wget
http://64.89.162.139/bin/nerv.arm6	c7d5e21a01ce8ab4083c588d8050b286d375eeb88f41fe68b22ca02cf1bb8f8a	Mirai	arm elf mirai opendir ua-wget
http://64.89.162.139/bin/nerv.arm7	a4e9e03516d572e9b0f3238e7693b2fe69358f4b7cbe545adbe56f0397726df4	Mirai	arm elf mirai opendir ua-wget
http://64.89.162.139/bin/nerv.ppc	dc1d0d968707d8f28bc9e5d27f883ac5d6ac4ec49623dd02db79f6ea28062cf5	Mirai	elf mirai opendir PowerPC ua-wget
http://64.89.162.139/bin/nerv.sparc	d76c60aac76d011874dd64ffd9009413f0edf34556005195561199f54598b6a9	Mirai	elf mirai opendir sparc ua-wget
http://64.89.162.139/bin/nerv.m68k	57fa061f794297b1b23aa1bbf4a552d8e403568f6b01a24aa9b64257aecc8553	Mirai	elf m68k mirai opendir ua-wget
http://64.89.162.139/bin/nerv.sh4	31ce2168fbd4fd0f4c42fd9eb59b581384784e363bc0fc07f008076644b42623	Mirai	elf mirai opendir SuperH ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

118

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/6a3b14809799578a6c48cfae/reports/7ad3762f-d752-4410-8d1d-114d41ddf250/overview

Verdict:

Unknown

File Type:

Link:

https://opentip.kaspersky.com/c2e736a01417f8466a99f63d77cb2f7d4a7d71b33351ae0d145a2e1ec5b4c0ce/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/b1138c78-d6df-4290-a4a9-3b8057da1854

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c2e736a01417f8466a99f63d77cb2f7d4a7d71b33351ae0d145a2e1ec5b4c0ce

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c2e736a01417f8466a99f63d77cb2f7d4a7d71b33351ae0d145a2e1ec5b4c0ce/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/c2e736a01417f8466a99f63d77cb2f7d4a7d71b33351ae0d145a2e1ec5b4c0ce

Threat name:

Linux.Downloader.Generic

Status:

Suspicious

First seen:

2026-06-23 23:19:34 UTC

File Type:

Text (Shell)

AV detection:

18 of 36 (50.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ylttniauc74em2uz6y6xpszppvfh24ntgni24diulixb5rnuydha._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/260623-3a37ksgz6v/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c2e736a01417f8466a99f63d77cb2f7d4a7d71b33351ae0d145a2e1ec5b4c0ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh