MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb2c59a9d0a642a9924d97b16a500dd5ba62e3ba60f48fa974a5d85958183dd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 5



SHA256 hash: cb2c59a9d0a642a9924d97b16a500dd5ba62e3ba60f48fa974a5d85958183dd1
SHA3-384 hash: c7a0d5072512df9ed7dec1575439a1e7cb30af8f7c2ccd18361fb854a5d2214b719375051ddb4a1367c20938ac4719bd
SHA1 hash: aec1b44b2ce1a120ab4fc30f09ab723abd52a850
MD5 hash: cb51c0e3ba19f3c02ad4506448072962
humanhash: mike-bulldog-diet-yankee
File name: t
Signature Mirai
File size: 1'397 bytes
First seen: 2025-11-23 10:40:08 UTC
Last seen: 2025-11-24 00:34:28 UTC
File type: sh
MIME type: text/plain
ssdeep 24:M2wa5zcVuE6t+MB0ekr1Dnkrrkrgak9zVZT2krnk9Kk9rVuEpS:Mq5AuE6EA0ekrpkrrkrFk9JZykrnk9KN
TLSH T18A2136CF36E54CA11EB58DD97C93CE10288195D860C6CA8A388B0B66F48EF087450FBD
Magika txt
Reporter abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://77.221.154.221/b1n/arm | 607ba8678ec0bedb0370c99a382fcada0a60080d2258f59d330915f4b0dae33a | Mirai | arm elf geofenced mirai ua-wget USA
http://77.221.154.221/b1n/arm5 | 20e959be15a37128a15848f805f1dd984f8f784c9b0b47a8fb76461b754c0505 | Mirai | arm elf geofenced mirai ua-wget USA
http://77.221.154.221/b1n/arm6 | 7f424b4c5bd2c14bc90380f25f64092c2ceff53b78a3194adb6f0fafa71bb4a0 | Mirai | arm elf geofenced mirai ua-wget USA
http://77.221.154.221/b1n/arm7 | 5d599bd71f9fc3ed8fb117dad0af6ff00c502560ef61dd35aa5dd70b204e903f | Mirai | arm elf geofenced mirai ua-wget USA
http://77.221.154.221/b1n/mips | 3256836c9f7cac124ff021679e7b2947b1633793c85c4251bae4b67b23081ee2 | Gafgyt | elf gafgyt geofenced mips ua-wget USA
http://77.221.154.221/b1n/mpsl | 3c819078a12972e4ecfae0362c13747a0cbea67603271497eaef71d17a6592a9 | Gafgyt | elf gafgyt geofenced mips ua-wget USA
http://77.221.154.221/b1n/x86 | 9e65eca49315d1425c7d8a156202fdb0629d1557ed1102bc960991a34d565651 | Mirai | elf geofenced mirai ua-wget USA x86

Intelligence


File Origin
# of uploads: 3
# of downloads: 28
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox expand lolbin mirai
Result: Gathering data
Status: terminated
Behavior Graph (process tree; sandbox node ids omitted, each edge labelled with the syscall that created the child):
pid 3107 /usr/bin/sudo
  execve -> pid 3115 /tmp/sample.bin
    clone -> pid 3117 /usr/bin/dash
      execve -> pid 3118 /usr/bin/cat
      execve -> pid 3119 /usr/bin/grep
      execve -> pid 3120 /usr/bin/grep
      execve -> pid 3121 /usr/bin/grep
      execve -> pid 3122 /usr/bin/cut
    execve -> pid 3126 /usr/bin/rm (delete-file)
    execve -> pid 3128 /usr/bin/rm (delete-file)
    execve -> pid 3130 /usr/bin/rm (delete-file)
    execve -> pid 3132 /usr/bin/rm
    clone -> pid 3134 /usr/bin/dash
      execve -> pid 3135 /usr/bin/cp (write-file)
    clone -> pid 3138 /usr/bin/dash
      execve -> pid 3139 /usr/bin/chmod
    clone -> pid 3141 /usr/bin/dash
      execve -> pid 3142 /usr/bin/wget (net, send-data, write-file) -> 77.221.154.221:80 send: 136B
    execve -> pid 3160 /usr/bin/chmod
    clone -> pid 3161 /usr/bin/dash
    clone -> pid 3163 /usr/bin/dash
      execve -> pid 3164 /usr/bin/wget (net, send-data, write-file) -> 77.221.154.221:80 send: 137B
    execve -> pid 3172 /usr/bin/chmod
    clone -> pid 3174 /usr/bin/dash
    clone -> pid 3176 /usr/bin/dash
      execve -> pid 3177 /usr/bin/wget (net, send-data, write-file) -> 77.221.154.221:80 send: 137B
    execve -> pid 3190 /usr/bin/chmod
    clone -> pid 3192 /usr/bin/dash
    clone -> pid 3194 /usr/bin/dash
      execve -> pid 3195 /usr/bin/wget (net, send-data, write-file) -> 77.221.154.221:80 send: 137B
    execve -> pid 3196 /usr/bin/chmod
    clone -> pid 3197 /usr/bin/dash
    clone -> pid 3199 /usr/bin/dash
      execve -> pid 3200 /usr/bin/wget (net, send-data, write-file) -> 77.221.154.221:80 send: 137B
    execve -> pid 3201 /usr/bin/chmod
    clone -> pid 3202 /usr/bin/dash
    clone -> pid 3204 /usr/bin/dash
      execve -> pid 3205 /usr/bin/wget (net, send-data, write-file) -> 77.221.154.221:80 send: 137B
    execve -> pid 3207 /usr/bin/chmod
    clone -> pid 3208 /usr/bin/dash
    clone -> pid 3210 /usr/bin/dash
      execve -> pid 3211 /usr/bin/wget (net, send-data, write-file) -> 77.221.154.221:80 send: 136B
    execve -> pid 3221 /usr/bin/chmod
    execve -> pid 3222 /run/user/1000/.f (delete-file, net, write-file) -> 8.8.8.8:53 con
      clone -> pid 3245 /run/user/1000/.f (dns, net, send-data, write-file, zombie) -> 8.8.8.8:53 send: 70B; -> blueblackside.com:6379 send: 49B; -> stun.l.google.com:19302 send: 20B
    execve -> pid 3246 /usr/bin/rm (delete-file)
Threat name: Script-Shell.Downloader.Heuristic
Status: Malicious
First seen: 2025-11-23 10:32:20 UTC
File Type: Text (Shell)
AV detection: 4 of 36 (11.11%)
Threat level: 2/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | Malware sample (SHA256 hash)
Web download | Mirai | sh | cb2c59a9d0a642a9924d97b16a500dd5ba62e3ba60f48fa974a5d85958183dd1 (this sample)

Comments