MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d36f0bc22c7bd42ac4bfd449d1163dbe7b21e709e2d4f49febcb151c963a6ca2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	d36f0bc22c7bd42ac4bfd449d1163dbe7b21e709e2d4f49febcb151c963a6ca2
SHA3-384 hash:	843b88b03f7d86c2a5534ed239586e3528cc5aebf95472043b86f254cc8832e8ac313636d2a1e11e4f1567addd322e4c
SHA1 hash:	43978306f0f235eab2ffd1bb7611fd1831c26c0e
MD5 hash:	72aca74c21050854c924765413177dec
humanhash:	tennis-ohio-utah-football
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'959 bytes
First seen:	2025-12-26 19:53:47 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:iKxhmlKHnElKSCXlKWePlKa7azvZlKadaFvjlK9NV9z4gelKLjclKCSvlKj7jzqg:iWmlKElwXlAPlj2zvZljsFvjlUxz4ZlJ
TLSH	T150511B879251567138E7BA27FDF98F1CB1C1A29128923F16EBDC28E5528ED883046F46
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://178.16.137.37/hiddenbin/Space.arc	n/a	n/a	n/a
http://178.16.137.37/hiddenbin/Space.x86	2a00a074a3e1143ec9a46b575cb4715b925a7d0031fa0a1f24739eb4ec36f67c	Mirai	mirai opendir
http://178.16.137.37/hiddenbin/Space.x86_64	n/a	n/a	n/a
http://178.16.137.37/hiddenbin/Space.i686	n/a	n/a	n/a
http://178.16.137.37/hiddenbin/Space.mips	ab3a7a4f9fce0a9545fa14a706acd016ff59d1b8664965bd704e17c5a73c9ff3	Mirai	mirai opendir
http://178.16.137.37/hiddenbin/Space.mips64	n/a	n/a	n/a
http://178.16.137.37/hiddenbin/Space.mpsl	35db76d2c564d985c876c51594fb5553dd96d5835a4ce984fd0d811b28206f5b	Mirai	mirai opendir
http://178.16.137.37/hiddenbin/Space.arm	3b5d7f5f190805cc54f302a0cdcbd25b348f7cbb151252999fc244eb09f26d15	Mirai	mirai opendir
http://178.16.137.37/hiddenbin/Space.arm5	f9c786be9378b45248330d42a89ba3d7193f994b229793bc35ab9974e042e700	Mirai	mirai opendir
http://178.16.137.37/hiddenbin/Space.arm6	0a65b71c102bd9fe2e76c6ccd7a14f19a809857518be7579f99d62bf5b25e412	Mirai	mirai opendir
http://178.16.137.37/hiddenbin/Space.arm7	b61252cfaa435d6261cb339cd57c2d1912bb0e9cbe1e2e2b3532f4458f3b2c5a	Mirai	mirai opendir
http://178.16.137.37/hiddenbin/Space.ppc	8556b314fd3c94aa8c1d44412a855ac13634786081b1d04b3d4804ca6c95a8ae	Mirai	mirai opendir
http://178.16.137.37/hiddenbin/Space.sparc	n/a	n/a	n/a
http://178.16.137.37/hiddenbin/Space.m68k	0ae402dd53979452462cc3328f4420e2a300dfef8ccb4729c72b5fc9c36a3fc6	Mirai	mirai opendir
http://178.16.137.37/hiddenbin/Space.sh4	cf1bafc5d49488a28551a0f89bfeed48765e0955e7a8448e50003c25ac4de0a7	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

busybox

Link:

https://www.filescan.io/uploads/694ee7fbe126b9ff43928b8c/reports/b16bab1c-b7e0-4db2-9b83-1a89cb1aef21/overview

Result

Gathering data

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/0bac063a-b9e6-49a5-8458-6b0e709bc36d

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/d36f0bc22c7bd42ac4bfd449d1163dbe7b21e709e2d4f49febcb151c963a6ca2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d36f0bc22c7bd42ac4bfd449d1163dbe7b21e709e2d4f49febcb151c963a6ca2/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/d36f0bc22c7bd42ac4bfd449d1163dbe7b21e709e2d4f49febcb151c963a6ca2

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2nxqxqrmppkcvrf72re5cfr5xz5sdzyj4lkpjh7lzmkrzfr2nsra._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery linux

Link:

https://tria.ge/reports/251226-ympgqstqc1/

Behaviour

Reads runtime system information

Writes file to tmp directory

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d36f0bc22c7b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh