MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c71367be57de4ae4aacda61df508f5356d6a3b454ac910e9f774fac8cf27ef64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c71367be57de4ae4aacda61df508f5356d6a3b454ac910e9f774fac8cf27ef64
SHA3-384 hash: 52c4dd4afa56c35320b5bf04a7cc0e75d9ef38db842ea14f71429d817dc2b5d3321b150d9f03f7201ccfe9ce0cd4cf04
SHA1 hash: 3a8560cb0b8010acc56b50ead6c19f8d58b51b44
MD5 hash: abfd5bec5419adcccff8331cfb7dba9b
humanhash: colorado-triple-alaska-spring
File name:aws
Download: download sample
Signature Mirai
Create hunting rule
File size:4'453 bytes
First seen:2025-12-19 11:22:26 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 48:vUhMV4kEUq1V4oUrHrWV4bUNoV4tUEpEEV4EpUJkV4JUq1V4oUOZV4MUzSV4LUDD:vbOpRPKLmzOEppb8ZtbTD6jE1jDnDv
TLSH T17B910BE6B4B4976A6DB0EDB371D6C642B14060A6E0DA8C0BF2D5F0E8044EF71F484B82
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags:mirai sh
URLMalware sample (SHA256 hash)SignatureTags
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x860134ba0d82da47549afbf4ff619fe518bf4863eff0f49c939457cbf81c2d15b8 Miraielf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips3a07b60b7bf3cbd9767a86a76a77e5fccb5adf9dee1dc7764b751c0a1f4c4d97 Miraielf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsln/an/aelf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm47bc9d623a3eb1ba73c46550a4207ea095e39d40f97ce628de43834183da6ad7 Miraielf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm506426a43bc706deb297ee11894e1c87acc0a4231a60b0dfbce4098b871b719b2 Miraielf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm62c85afccbe6f0e275c639e98db4c4eec6d910bd277a1fe596a3252163b22d860 Miraielf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7d945325d0279ea26eb1572d3454980a1953721baf9faae04fcf991d27969b6c8 Miraielf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc051887bfe592e3f5059d7316f2913e13ead1da80061930de8236c4087cadc994 Miraielf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k2ff7d666206bcb9e440f017a8538337330826fcf9dc1f0542ee062ebd148387d Miraielf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc4b0886c739672baa51a2b187f93271e1c15b56450a29a4d39d6b7709152aa645 Miraielf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i68647e7f0fdd1ee38d00cc134014546c43db09eb2993bc1318cc76aaa64e595ea9f Miraielf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4d0f0ed32a8d834ef6c4aeaa382275e0a26f90898dd304f00fbffab51d964ec0e Miraielf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc62740c7d5c2cbaed0adbbba12ed865ee2136fae9528a50f296dee8365b488bb9 Miraielf mirai ua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
38
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/694535a53f8fdbf8e94c018a/reports/315c3f52-5744-4c53-a234-aa58c2699c98/overview
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-12-19T08:30:00Z UTC
Last seen:
2025-12-20T02:40:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a
Link:
https://opentip.kaspersky.com/c71367be57de4ae4aacda61df508f5356d6a3b454ac910e9f774fac8cf27ef64/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/c71367be57de4ae4aacda61df508f5356d6a3b454ac910e9f774fac8cf27ef64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c71367be57de4ae4aacda61df508f5356d6a3b454ac910e9f774fac8cf27ef64/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/c71367be57de4ae4aacda61df508f5356d6a3b454ac910e9f774fac8cf27ef64
Threat name:
Linux.Downloader.Medusa
Create hunting rule
Status:
Malicious
First seen:
2025-12-19 11:23:17 UTC
File Type:
Text (Shell)
AV detection:
18 of 24 (75.00%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4jwppsx3zfojkwnuyo7kchvgvwwuo2fjlerb2pxot5mrtzh55sa._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:unstable antivm botnet defense_evasion discovery linux
Link:
https://tria.ge/reports/251219-nhbpzahz3h/
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Enumerates active TCP sockets
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (136745) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Malware Config
C2 Extraction:
cnc.504.su
scan.504.su
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c71367be57de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c71367be57de4ae4aacda61df508f5356d6a3b454ac910e9f774fac8cf27ef64

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Shellscript_Downloader
Create hunting rule
Author:albertzsigovits
Description:Generic Approach to Shellscript downloaders
Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh c71367be57de4ae4aacda61df508f5356d6a3b454ac910e9f774fac8cf27ef64

(this sample)

Mirai

elf 0134ba0d82da47549afbf4ff619fe518bf4863eff0f49c939457cbf81c2d15b8

  
URLhaus
https://urlhaus.abuse.ch/url/3669701/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3669705/
  
Dropping
MD5 36207ad6597e99c6826a0f960122c7b6
  
Dropping
SHA256 0134ba0d82da47549afbf4ff619fe518bf4863eff0f49c939457cbf81c2d15b8

Comments