MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3ff060dabbfa251af5943a1389c7b8ffeb3e7e61e773d06d4ed3da1ca41f800. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	d3ff060dabbfa251af5943a1389c7b8ffeb3e7e61e773d06d4ed3da1ca41f800
SHA3-384 hash:	658eca808cc8c3d822835dba68b3a199952ff6e111c11d6058779a4efc524b29ea4908803b5f3f65ff8d5aae44dcc7f6
SHA1 hash:	034d3bf19131bf082348cb64793444e7697c11a8
MD5 hash:	c49d50f590098bf96e4c96b62b71c0e8
humanhash:	saturn-fillet-california-summer
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'007 bytes
First seen:	2026-04-28 06:12:28 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vqRFRtRHReLRBoRTRERRRZRH9R+R7aRjRNRAc:v8nPxAAF+7DHf4gVvF
TLSH	T17A51378651E24474ADF6DD12A2E6C4047580E05A3BC0FF8AD6F53CFAA98DF043C49B93
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://156.226.174.212/manji.x86	ebf52bab6189b716479624b0bac008ce47c2982fdefade9d6a6905e8f587a0e8	Mirai	elf ua-wget
http://156.226.174.212/manji.mips	fd7acf8ea2be7bb148096057431248d7618b299d2cabe805f38256877c46b486	Mirai	elf mirai ua-wget
http://156.226.174.212/manji.i468	n/a	n/a	elf ua-wget
http://156.226.174.212/manji.i686	01f341229086f721006cb4d03476f7991d6dfb93ac34f651d36011115b856edb	Mirai	elf ua-wget
http://156.226.174.212/manji.mpsl	3aceefe39982a5eb27e374338eb36ce001663f710b0cbd8d37da619e253c31bc	Mirai	elf ua-wget
http://156.226.174.212/manji.arm4	c1c4af6bbef4c3851231dfc513a58d13a06f031e84d03935b557199c77ac73b3	Mirai	elf mirai ua-wget
http://156.226.174.212/manji.arm5	6330ffa1c3268c3810c009b7478ab69acd5cd96028787ba910c4b8e3e4815407	Mirai	elf ua-wget
http://156.226.174.212/manji.arm6	c16cb63fd128e507f7ddb58f33cc288942d60746a136d42f8e6b0759c32d36f6	Mirai	elf ua-wget
http://156.226.174.212/manji.arm7	40b7c4227235062b1b5d8a3976a8cfd2e7a2783776446a5adfbc35344945d240	Mirai	elf mirai ua-wget
http://156.226.174.212/manji.ppc	7a554b95133b9d2be284dcf4d4e411b80e0cd92f3aeda094ca7006882d8f2747	Mirai	elf mirai ua-wget
http://156.226.174.212/manji.ppc440	4bb88283016c6f096cf8adcef1b2bd25be3e716bcfaab2ea77eac46758059363	Mirai	elf ua-wget
http://156.226.174.212/manji.m68k	496d0ea58eece2fdd1f18e5f34303623d2cf2d14f9831a8f09599cbb6008c16e	Mirai	elf ua-wget
http://156.226.174.212/manji.apk	40b7c4227235062b1b5d8a3976a8cfd2e7a2783776446a5adfbc35344945d240	Mirai	elf mirai ua-wget
http://156.226.174.212/manji.dbg	d0d854e91f52b8cf8e852ac2accc50eae4d80a034c29152eac563f667f76a3fd	Mirai	elf ua-wget
http://156.226.174.212/manji.sh4	512114c8359ccdf13f9dc20c643e7ce43baa38902943a106f54245f1b595fa28	Mirai	elf ua-wget
http://156.226.174.212/manji.spc	22753fee4f319addacd02755978a47336743a2a50e09fa651d2f5a19ca721816	Mirai	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

medusa mirai virus

Link:

https://www.filescan.io/uploads/69f04fd381aa9ec3bc2df518/reports/b5d4dc61-5c3a-431c-a728-f4fd00ef44c4/overview

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-04-27T11:29:00Z UTC

Last seen:

2026-04-28T01:21:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen

Link:

https://opentip.kaspersky.com/d3ff060dabbfa251af5943a1389c7b8ffeb3e7e61e773d06d4ed3da1ca41f800/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/c964564d-7dc0-4170-9563-8b2338656937

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/d3ff060dabbfa251af5943a1389c7b8ffeb3e7e61e773d06d4ed3da1ca41f800

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d3ff060dabbfa251af5943a1389c7b8ffeb3e7e61e773d06d4ed3da1ca41f800/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/d3ff060dabbfa251af5943a1389c7b8ffeb3e7e61e773d06d4ed3da1ca41f800

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-04-28 06:13:43 UTC

File Type:

Text (Shell)

AV detection:

22 of 36 (61.11%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2p7qmdnlx6rfdl2zioqtrhd3r77lhz7gdz3t2bwu5u62dssb7aaa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260428-gyggtsdy7w/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Traces itself

Family: Mirai

Malware Config

C2 Extraction:

89.190.156.145

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d3ff060dabbf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/d3ff060dabbfa251af5943a1389c7b8ffeb3e7e61e773d06d4ed3da1ca41f800

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh