MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5a59a6ac5b6fcfec0e55e814c57c22c353b991815c6f61f40df3b063a051980. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: c5a59a6ac5b6fcfec0e55e814c57c22c353b991815c6f61f40df3b063a051980
SHA3-384 hash: 7b71933a829955969e8afc9f23ebd80c6d5ce45254431c653e27cd06c3da20d1c901d742dcf54028ff78590a691bfb86
SHA1 hash: 797daf685b1f6d25133c02a896d2b3b2f65412b1
MD5 hash: 6aeb4707e180c9720e621422b8048831
humanhash: triple-avocado-quebec-alpha
File name: payload.sh
Signature: Mirai
File size: 2'308 bytes
First seen: 2026-01-26 03:52:33 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:pYcNu8iM/uZp/GOTjHCp//0A+/liVX/f6aI/gQy/Xgbg/MNAo/9Q8/pLcBg/i+Um:pYmz/uXTjo/0A+/liVX/iaI/gQy/Xg80
TLSH: T13A4149F89211C622236A9D54637797C8E182C8FB2560DB14BC8E74FE87BCD1065E1BF1
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 44
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: bash lolbin mirai
Verdict: Malicious
File Type: Script
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Result
Malware family: n/a
Score: 1/10
Tags: linux
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Mirai | sh c5a59a6ac5b6fcfec0e55e814c57c22c353b991815c6f61f40df3b063a051980 (this sample)

Delivery method: Distributed via web download
