MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7df8afb0d2aec1dd137524dbf1b065d43402f8a6d214b7d15f2e4bdcdec95c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	c7df8afb0d2aec1dd137524dbf1b065d43402f8a6d214b7d15f2e4bdcdec95c9
SHA3-384 hash:	a11835503bbfdbfc5c338eac80bcf8ddac429bd2eb9c1930112610fbc90d763be1656337e7f64a84a6197bb9128335b9
SHA1 hash:	b994439d03d26ec1948f0ca4ea4e780930a1b0df
MD5 hash:	6667feda2ff8966d8e08ba0ac2afcd49
humanhash:	salami-apart-tennis-seventeen
File name:	wget.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'140 bytes
First seen:	2026-01-05 13:45:53 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:6j+ELbMB3VEczLNIZEtqDEVKT5CEHU/EO99MET0P3E3eMCbEKP3eEz6gE19mdEkF:gCjnvQZajpgEetPXAqrx
TLSH	T1DF2124CF1064B96A504CCF4030AA16853AE9CBE1F1748E175D8078F388C8603B6B8FDB
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://130.12.180.28/Fantazy/Fantazy.arm4	5f4ead21261a4872c7bbdc341a3cab2d09a881bc1ca20a78f3cbe3800cd54f0d	Mirai	elf mirai
http://130.12.180.28/Fantazy/Fantazy.arm5	9df7c2bebdee16b4907509ea8cdfc4128a8c2c0fb21156ed8105db2cf8f4ecf2	Mirai	elf mirai
http://130.12.180.28/Fantazy/Fantazy.arm6	9c6625a0a04aee9ac1fe10d55edc2f0aa77f66593916a10cb8314ad29457edeb	Mirai	elf mirai
http://130.12.180.28/Fantazy/Fantazy.arm7	48b94eff6e2031ce3fd8f0c605917b5a55b26a2d9e1800b9612758189e794631	Mirai	elf mirai
http://130.12.180.28/Fantazy/Fantazy.m68k	4b6f0caf42dc42e3f8f4e7adc9a93435cb27d604df131e19503be23fbc955826	Mirai	elf mirai
http://130.12.180.28/Fantazy/Fantazy.mips	9997ba3aad89be8f8371620b5b841eaa71da6f32368d84363bab6dd57303929c	Mirai	elf mirai
http://130.12.180.28/Fantazy/Fantazy.mpsl	eeb8b37ab92777cbe5c49834cc044393207e0b745a0e2d0806b7da4e6292000b	Mirai	elf mirai
http://130.12.180.28/Fantazy/Fantazy.ppc	1f0a93ffbe48da5f9d8188060be1d5ce128fdc1545c2077a22bff830b19302cf	Mirai	elf mirai
http://130.12.180.28/Fantazy/Fantazy.sh4	69a6fc590d0f527d1c6e04a9cf1c84eb52ca88de7867e8e8cf31b0b67d94eb70	Mirai	elf mirai
http://130.12.180.28/Fantazy/Fantazy.spc	d1d3129a68b9da3ed82981110c4d48721d47a176134b004e4e34544d1e2b1cd9	Mirai	elf mirai
http://130.12.180.28/Fantazy/Fantazy.x86	ad613cf0f480c1c00f15379fc0df01af6d6c14309c9d0e452bd5e71ec6342c0f	Mirai	elf mirai
http://130.12.180.28/Fantazy/Fantazy.x86_64	5443d764e399f0cd44ef17ea0940db73fc635045faa26f0ce8a4d8b3453b5988	Mirai	elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

mirai

Link:

https://www.filescan.io/uploads/695bc0a42fb7bb52ca87ca47/reports/1525980c-083a-4fff-93aa-aa6aa94f3a6d/overview

Verdict:

Malicious

File Type:

text

First seen:

2026-01-05T10:53:00Z UTC

Last seen:

2026-01-06T00:55:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.cl

Link:

https://opentip.kaspersky.com/c7df8afb0d2aec1dd137524dbf1b065d43402f8a6d214b7d15f2e4bdcdec95c9/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/6450621c-c754-4384-bcb0-a910a5b17c88

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c7df8afb0d2aec1dd137524dbf1b065d43402f8a6d214b7d15f2e4bdcdec95c9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c7df8afb0d2aec1dd137524dbf1b065d43402f8a6d214b7d15f2e4bdcdec95c9/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/c7df8afb0d2aec1dd137524dbf1b065d43402f8a6d214b7d15f2e4bdcdec95c9

Threat name:

Script.Trojan.Heuristic

Status:

Malicious

First seen:

2026-01-05 13:46:12 UTC

File Type:

Text (Shell)

AV detection:

14 of 24 (58.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y7pyv6ynflwb3ujxkjg36gyglvbual4knuquw7iv6lsl3tpmsxeq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260105-q3a1aaznb1/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c7df8afb0d2aec1dd137524dbf1b065d43402f8a6d214b7d15f2e4bdcdec95c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh