MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cadf82600085db2bd650c43d6323f2383f7696805a7cd26a2744f2f01743c8b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	cadf82600085db2bd650c43d6323f2383f7696805a7cd26a2744f2f01743c8b2
SHA3-384 hash:	56648649b4f1dc23d819398608d047c184c04f93448f52ebbc0d36bfb05a924b525a5371c8d7e73bbf2718f5f3fa60f0
SHA1 hash:	59ff7f6c8e10a7ba0a7d174d28fe425a66954621
MD5 hash:	af101253c384a312845ce430aa860fc0
humanhash:	mango-william-september-freddie
File name:	wget.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'017 bytes
First seen:	2025-12-25 19:18:55 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:oMywWW5hbUWWflaWW29NIl5MWWQCa0LKVWW1NgO0WWjJibWWZO7ZWWWSvUWW9Nt4:TulbNI7mKUzi8WAMNt0HO0PDf7
TLSH	T1DA11B9CF31911FF148089E0CF9770428558785D8FE626EA857871C3A4CDB72C7938EA6
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://94.156.152.90/bins/arm	e0844b0cdf611d8a7521ff37ca40ab691a2c2c3e28a4b9571ff9456d5b5a2b77	Mirai	elf ua-wget
http://94.156.152.90/bins/arm5	f6fbf730c614f55b266174036c98d1827bc602c3c830ccff25454272c694b91f	Mirai	elf ua-wget
http://94.156.152.90/bins/arm6	46588e27520d4ff181d33bc7ff021903d1ecd13f376657f5db7af180ca2e3ac6	Mirai	elf mirai ua-wget
http://94.156.152.90/bins/arm7	c05ee431ce3abe70afdbf9710b0ab3864ecdd8de9f8697c077f956a39bdf8217	Mirai	elf ua-wget
http://94.156.152.90/bins/m68k	0fc0c0aa10d7f989ee6709c50908144d95b2c62ad512419f690652c906db8ed5	Mirai	elf mirai ua-wget
http://94.156.152.90/bins/mips	0f8f041acce3852c7ee78caffddcb4e941206b3c5b905bb5e6c061285ce08852	Mirai	elf ua-wget
http://94.156.152.90/bins/mpsl	d80d236e16bfef3dd5b8aacb4aff4226616be790c3b5dc2325af73e71d61441c	Mirai	elf mirai ua-wget
http://94.156.152.90/bins/ppc	14d5f0267f0ca1c67bdd8e3075ee3598e2ae7444c7f87bab0b862b3b5ee6ced7	Mirai	elf ua-wget
http://94.156.152.90/bins/sh4	439b5691344326a2b67d18c5414f27c50d2b5be2bba021a6c74fbd718fd956ce	Mirai	elf ua-wget
http://94.156.152.90/bins/spc	2951437574f0b44b68855462c650bc1d7b10fbaf36ed86e7a45faec38b87ee6e	Mirai	elf ua-wget
http://94.156.152.90/bins/x86	03ecda01330d867752a09c2e6118fed74a061d4f5222d492ab43640e0d36e6c4	Mirai	elf mirai ua-wget
http://94.156.152.90/bins/x86_64	c0fe3a9a893f48296e27f62bb47a35480d0255c5df46d2185963ce8552004535	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.DownLoader.37.7824.3176.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive mirai

Link:

https://www.filescan.io/uploads/694d8e4b84afa5547b5e0063/reports/cef1233e-e17e-4457-a92c-0cc606bab350/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-25T16:25:00Z UTC

Last seen:

2025-12-27T12:48:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/cadf82600085db2bd650c43d6323f2383f7696805a7cd26a2744f2f01743c8b2/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/0ec6a626-66ff-4601-830c-91beb6e1ea34

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/cadf82600085db2bd650c43d6323f2383f7696805a7cd26a2744f2f01743c8b2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cadf82600085db2bd650c43d6323f2383f7696805a7cd26a2744f2f01743c8b2/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/cadf82600085db2bd650c43d6323f2383f7696805a7cd26a2744f2f01743c8b2

Threat name:

Script-Shell.Downloader.Heuristic

Status:

Malicious

First seen:

2025-12-25 19:19:38 UTC

File Type:

Text (Shell)

AV detection:

9 of 36 (25.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zlpyeyaaqxnsxvsqyq6wgi7sha7xnfualj6ne2rhitzpaf2dzcza._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:owari botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251225-x1skwaej71/

Behaviour

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

Enumerates active TCP sockets

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.31

Link:

https://yomi.yoroi.company/submissions/cadf82600085db2bd650c43d6323f2383f7696805a7cd26a2744f2f01743c8b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh