MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1ebdefbfcf0967d811431319b33fc17ca5c59a130d53ee67d5f2669ecd335d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: d1ebdefbfcf0967d811431319b33fc17ca5c59a130d53ee67d5f2669ecd335d1
SHA3-384 hash: dac39f23d625298e083b2b35ce23d19c28379fb1548161a96a3aa9a660c2bd4266f666fdc72bed7875dd8da156783801
SHA1 hash: c2c47801e47d44551e99aa6b4fb4dc30587ab380
MD5 hash: 61a03cb9795128199b202d32e706c209
humanhash: wisconsin-summer-georgia-queen
File name: w.sh
Signature: Mirai
File size: 1'213 bytes
First seen: 2025-12-20 16:56:56 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:4QrKfQ18gvfQtNI2SQexKd4QwQnD6QdW/9dlQdRJR8RzSRRYQSa5aSF6SgQAGnP2:4UKfivfmNIvlKd4De6pOY3vdX4qpjn
TLSH: T18D2180FD077169014C848F48A42BC4CB811DADF9B58FDA0AE4BB1C7E8194B2730E6E39
Magika: txt
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://141.98.10.91/bins/sumrak.arm | a8e657d363b5dc97a9e887e8686306ea0acc346c0b4b1eaf97e23cf2504a028b | Mirai | mirai opendir
http://141.98.10.91/bins/sumrak.arm5 | fe42c0e128ed02574179e239ec54ac6b3979c77912af2c287c79cf7cdad837d9 | Mirai | mirai opendir
http://141.98.10.91/bins/sumrak.arm6 | c7c544bd12f4e96efe9522e2b1eec9e1aaca2963f1af9d6d825a77e23055ca4d | Mirai | mirai opendir
http://141.98.10.91/bins/sumrak.arm7 | 0eaf8243e73a2f2de8164be8c565e3fb343a382ed4e850290d043621b87d6671 | Mirai | mirai opendir
http://141.98.10.91/bins/sumrak.sh4 | 66c60404acaf2b67f97fc3cd57d8436641d88574c388ae6403729eb83ffeaaca | Mirai | mirai opendir
http://141.98.10.91/bins/sumrak.arc | n/a | n/a | elf ua-wget
http://141.98.10.91/bins/sumrak.mips | 020b5d89315667708d7d91af70bbc3bdbbf9a2abc19282644def144a7c54d538 | Mirai | mirai opendir
http://141.98.10.91/bins/sumrak.mipsel | n/a | n/a | elf ua-wget
http://141.98.10.91/bins/sumrak.sparc | n/a | n/a | elf ua-wget
http://141.98.10.91/bins/sumrak.x86_64 | 5d763d962556094f1524a6e3202365c6d7611c4988772e5f26f136cd19becdc2 | Mirai | mirai opendir
http://141.98.10.91/bins/sumrak.i686 | 8f18c738a20bf65a34ab2c701c018eefe824bb2ff912a2b3907804de87af7f6c | Mirai | mirai opendir
http://141.98.10.91/bins/sumrak.i586 | 0b265a89f89abed68d47200ed1f27f4f1d68af668103176085e362fa8979f1e9 | Mirai | mirai opendir

Intelligence


File Origin
# of uploads: 1
# of downloads: 35
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive mirai
Verdict: Malicious
File Type: text
First seen: 2025-12-20T15:30:00Z UTC
Last seen: 2025-12-21T02:00:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph (process tree and network edges recovered from the graph dump):
  pid 3113 /usr/bin/sudo --execve--> pid 3118 /tmp/sample.bin (the sample)
  pid 3118 execve's /usr/bin/busybox 11 times (pids 3119, 3148, 3167, 3184, 3201, 3220, 3233, 3248, 3251, 3254, 3281; all flagged net, send-data; 8 of them also write-file). Each sends 90-93 B to 141.98.10.91:80.
  pid 3118 execve's /usr/bin/chmod 11 times (pids 3142, 3160, 3180, 3198, 3212, 3231, 3245, 3249, 3252, 3274, 3289).
  pid 3118 clones /usr/bin/dash 9 times (pids 3144, 3162, 3182, 3199, 3214, 3232, 3246, 3250, 3253).
  pid 3118 --execve--> pid 3276 /home/sandbox/sumrak.x86_64 (mprotect-exec, net): connects to 8.8.8.8:53; clones pid 3278, pid 3279 (zombie) and pid 3280 (net, send-data, zombie).
  pid 3280: connects to 8.8.8.8:53, sends 18 B to 141.98.10.91:19000, clones pids 3282 and 3283.
  pid 3118 --execve--> pid 3291 /home/sandbox/sumrak.i686 (net): connects to 8.8.8.8:53 and to 0.0.0.0:61341.
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2025-12-20 16:58:24 UTC
File Type: Text (Shell)
AV detection: 14 of 24 (58.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh d1ebdefbfcf0967d811431319b33fc17ca5c59a130d53ee67d5f2669ecd335d1

(this sample)

Comments