MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0e064c4cc6ea3015ee06a5374b7a5d161c142b6a90afc2b67ae9a355743aa91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0e064c4cc6ea3015ee06a5374b7a5d161c142b6a90afc2b67ae9a355743aa91
SHA3-384 hash: cf97ed0ad0c7c8634f9899c3a648a24b087bf55c5cdab59d64a05197de361cef0934893823d8587b421b5ae8a7ef25a5
SHA1 hash: 12951c43612094852a02928dd4328b7a6dbb8257
MD5 hash: 1a2ecddf24e2040e1e72d1b373dcdc62
humanhash: mockingbird-december-cardinal-floor
File name:all.sh
Download: download sample
Signature Mirai
Create hunting rule
File size:901 bytes
First seen:2026-01-31 16:34:49 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 24:ssYoOJrsYtfbYsYRsYnB8sYaNI/sYKsKBsYxqsY2KpsYGJsYV3c4h:sD1rDRYDRDB8DXD5GDED2KpDiDK4h
TLSH T13111EBC771E061F28878CFCFB6648884918881EADC5A6E38B4DC992B44EF58CF454771
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://176.65.148.130/bins/bot.x86847148466f680d6180583cb1de4ce9986d809dfe1df75e182fdee72843b77c12 Miraielf mirai ua-wget
http://176.65.148.130/bins/bot.x86_641ea675e257f55fdd882823516f253a573cfb3f5737d4cc10004a293a0b094029 Miraielf mirai ua-wget
http://176.65.148.130/bins/bot.arm409610940f2b32ad725a8c323dd24f5fbe80cf5df11a6efb4f3ac077da0f0c904 Miraielf mirai ua-wget
http://176.65.148.130/bins/bot.arm551663e747e9c00087a93fa1b39bcc4b3b2dc81a278f70aeb2fb36c15740a29bf Miraielf mirai ua-wget
http://176.65.148.130/bins/bot.arm6bb673fee82ba897cdd610bee644ed823384007cdd4121ab87a1448fcef1bc161 Miraielf mirai ua-wget
http://176.65.148.130/bins/bot.arm77ca6c6ba23a348f9a32435f72f63660e5a6f3adebf9d0e752318d562f48994b8 Miraielf mirai ua-wget
http://176.65.148.130/bins/bot.mips44757787937e41bb39339da8459154014c7b5caed7b5fa1859d116adea1eff91 Miraielf mirai ua-wget
http://176.65.148.130/bins/bot.mpsln/an/aelf ua-wget
http://176.65.148.130/bins/bot.ppc05138b2ceb8f7e3a4f640dd4e7c1adf726b5f2f9d4c68e4b790cf758f225915f Miraielf mirai ua-wget
http://176.65.148.130/bins/bot.sh46f915eb2f374796bc0e2206f07e25df268b8a24387f2167b4a61539ba89f38ba Miraielf mirai ua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
41
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive mirai
Link:
https://www.filescan.io/uploads/697e2f50981ff1d38a42f7f2/reports/4a09b3e9-5ee9-4c9b-a25c-3b9ed6452333/overview
Result
Gathering data
Verdict:
Malicious
File Type:
unix shell
Detections:
HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a
Link:
https://opentip.kaspersky.com/d0e064c4cc6ea3015ee06a5374b7a5d161c142b6a90afc2b67ae9a355743aa91/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/d0e064c4cc6ea3015ee06a5374b7a5d161c142b6a90afc2b67ae9a355743aa91
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0e064c4cc6ea3015ee06a5374b7a5d161c142b6a90afc2b67ae9a355743aa91/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/d0e064c4cc6ea3015ee06a5374b7a5d161c142b6a90afc2b67ae9a355743aa91
Threat name:
Linux.Downloader.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-01-31 16:30:10 UTC
File Type:
Text (Shell)
AV detection:
16 of 36 (44.44%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2dqgjrgmn2rqcxxanjjxjn5f2fq4cqvwvefpyk3hv2ndkv2dvkiq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery linux persistence
Link:
https://tria.ge/reports/260131-t3tn6scz3b/
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Enumerates running processes
Modifies init.d
Modifies rc script
File and Directory Permissions Modification
Deletes Audit logs
Deletes journal logs
Deletes system logs
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0e064c4cc6ea3015ee06a5374b7a5d161c142b6a90afc2b67ae9a355743aa91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Shellscript_Downloader
Create hunting rule
Author:albertzsigovits
Description:Generic Approach to Shellscript downloaders
Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh d0e064c4cc6ea3015ee06a5374b7a5d161c142b6a90afc2b67ae9a355743aa91

(this sample)

Mirai

elf 847148466f680d6180583cb1de4ce9986d809dfe1df75e182fdee72843b77c12

  
URLhaus
https://urlhaus.abuse.ch/url/3766681/
  
Delivery method
Distributed via web download
  
Dropping
MD5 e85a740a2b6338ede60033768c9d9c74
  
Dropping
SHA256 847148466f680d6180583cb1de4ce9986d809dfe1df75e182fdee72843b77c12
  
URLhaus
https://urlhaus.abuse.ch/url/3766760/

Comments