MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d40680851a310907ed1eff3ab35f2defe2e27cc3c883ef74afad199646d0cd93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: d40680851a310907ed1eff3ab35f2defe2e27cc3c883ef74afad199646d0cd93
SHA3-384 hash: c4161e1f5bc3e38cb24622d82b306c97c0b442cfc494393ed27c53bd66320fbc10f48b1960ec2c7adc276b7209386cbe
SHA1 hash: 96b371c0d6237def7a9f9332bc354614020a12f4
MD5 hash: 8e31659b24fa42dddfc08674a904fc42
humanhash: west-blue-kansas-finch
File name: xwget.sh
Signature: Mirai
File size: 2'630 bytes
First seen: 2025-08-07 06:59:42 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:VPWyGjqspu/Rq1ClA9AYrjtE1xH7/LuZi1qP6oYDJ5tOFlGFc3Gbe6cYYl8Unv:V0jA/c195E1xb6s1qP6ocztOFlGFc2bC
TLSH: T1DD51B7DE45252C4EF2259B5B73BBCC0921768FB9109FCF8D9FC4392A9D48A2070A3E55
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 26
Origin country: DE
Vendor Threat Intelligence
Status:
terminated
Behavior Graph:
Threat name: Script-Shell.Trojan.Geninst
Status: Malicious
First seen: 2025-08-07 07:02:47 UTC
File Type: Text (Shell)
AV detection: 11 of 23 (47.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet defense_evasion discovery linux
Behaviour
System Network Configuration Discovery
Writes file to tmp directory
File and Directory Permissions Modification
Deletes itself
Executes dropped EXE
Mirai
Mirai family
Malware Config
C2 Extraction:
104d.hldns.ru
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202412_suspect_bash_script
Author:abuse.ch
Description:Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

File type: sh
SHA256 hash: d40680851a310907ed1eff3ab35f2defe2e27cc3c883ef74afad199646d0cd93 (this sample)

Delivery method: Distributed via web download
