MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caf8a8dbb980bf9f0047043baa6d60790fc6248a90cc8800cb2eca5bc1df4441. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

SHA256 hash: caf8a8dbb980bf9f0047043baa6d60790fc6248a90cc8800cb2eca5bc1df4441
SHA3-384 hash: 5ae3b554c7b53a0282cb637b026ff162da0ddb6a5046db67f0e60f111306b246985b69b98616c0271372f96023003164
SHA1 hash: fb725c734c82283c8e621e2ea6101990d32ee972
MD5 hash: 8dd8e50abe0b74faa7319bfce7421541
humanhash: hamper-oranges-princess-kansas
File name: xcurl.sh
Signature: Mirai
File size: 2'928 bytes
First seen: 2025-08-07 06:59:45 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:VPWyasMUkqpWlA9A5Btaxq3c+5LijOP6o55LbYkQyvyjw:VNBsaxCWjOP6oLnYmn
TLSH: T13251B7A941292C5FF7149E5BB3BACD1C12365FB9106BCF89DF803529DC4DA20A0E3622
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 26
Origin country: DE

Vendor Threat Intelligence
Status: terminated
Behavior Graph:
Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2025-08-07 07:02:48 UTC
File Type: Text (Shell)
AV detection: 13 of 38 (34.21%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux

Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
File and Directory Permissions Modification
Deletes itself
Executes dropped EXE
Mirai
Mirai family

Malware Config
C2 Extraction: 104d.hldns.ru
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Mirai
sh caf8a8dbb980bf9f0047043baa6d60790fc6248a90cc8800cb2eca5bc1df4441 (this sample)

Delivery method: Distributed via web download