MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d541c839c517f253efa4a31bea968d738f215dda6a067408160289e4802c7c06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash:	d541c839c517f253efa4a31bea968d738f215dda6a067408160289e4802c7c06
SHA3-384 hash:	f90f639df0a48f430eb2c1bb1a7cd6f1f9644fa7496e4083c653493156ec035196f37bb5d14c99401be5eb4854715444
SHA1 hash:	54306e7a371849d3b7f44428e98dd399a3c87303
MD5 hash:	d51c2e374fe3ac841d13c0a80b49a906
humanhash:	black-kilo-echo-pip
File name:	jaws.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'537 bytes
First seen:	2025-12-12 21:16:47 UTC
Last seen:	2025-12-21 22:44:06 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:SUvtsTrH6PL5oH30f0bi0yEv3WKIwVoF0SazwUsMg6oy:SUVsPH6NoH30f0bidEvm5wVoF0SKwUsC
TLSH	T1ED5167FE1626032A5D47AE0BE37D948C70338AE3A4B9CDE9DE447825938DD757160E08
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://213.209.143.176/arm	n/a	n/a	Mozi
http://213.209.143.176/arm5	f778e3737ad3ef79706bcf35f18d38dc068b7e1530b75d82a60315cb6e1443cb	Mirai	arm elf geofenced mirai ua-wget USA
http://213.209.143.176/arm6	e48469fdf3f1a8c1db70d059c6ed544a40cbae094f9b31e5fb885f254b27c1ee	Mirai	arm elf geofenced mirai ua-wget USA
http://213.209.143.176/arm7	51ee1e61eac7a0dfdc1fd42ca93676cbe73f288e5e3c9d81509855d6d184845a	Mirai	arm elf geofenced mirai ua-wget USA
http://213.209.143.176/i486	21e8420e2bce3849c7a769a7528c74f53a5add799606399b056f9090347ce6c4	Mirai	elf geofenced mirai ua-wget USA x86
http://213.209.143.176/i686	987c294af82c88d806e02abac01cb3f955533c4ea38c7fe664b84696d902f03a	Mirai	elf geofenced mirai ua-wget USA x86
http://213.209.143.176/m68k	87d56ee88baea0191d2bec7a2abb41cb74b3f2f2b976a2e197f56d20f24a3e61	Mirai	elf geofenced m68k mirai ua-wget USA
http://213.209.143.176/mips	n/a	n/a	Mozi
http://213.209.143.176/mpsl	234c1476e7002c92f77d72c166719a9db67c677c13d31d7aef445f9565dcf5c8	Mirai	elf geofenced mips mirai ua-wget USA
http://213.209.143.176/ppc	1e32f52dc84d341a165fae5e310f86ccc5f9970c898659149218ec31b9640ed4	Mirai	elf geofenced mirai PowerPC ua-wget USA
http://213.209.143.176/sh4	769c08447897057176f994fee999fdeee673535ffe3f1d639060a1fdff17bfb8	Mirai	elf geofenced mirai SuperH ua-wget USA
http://213.209.143.176/spc	6c6df42a6934cf566583861f7870d55f1e09d46ece58396af6a81cf1b16ff881	Mirai	elf geofenced mirai sparc ua-wget USA
http://213.209.143.176/x86	n/a	n/a	Mozi
http://213.209.143.176/x86_64	215ca8d287d9eb62a0823a4de5a6545d87453e41872f14bdd8047cab035831b1	Mirai	elf geofenced mirai ua-wget USA x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive medusa mirai

Link:

https://www.filescan.io/uploads/693c865d64bd958a5210ccd0/reports/3a7b2d2a-d940-4a6f-b959-41b5438411ab/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-12T18:22:00Z UTC

Last seen:

2025-12-12T19:07:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.cx HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/d541c839c517f253efa4a31bea968d738f215dda6a067408160289e4802c7c06/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/e65d1a3b-231f-4621-ae97-5d656d35751b

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/d541c839c517f253efa4a31bea968d738f215dda6a067408160289e4802c7c06

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d541c839c517f253efa4a31bea968d738f215dda6a067408160289e4802c7c06/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/d541c839c517f253efa4a31bea968d738f215dda6a067408160289e4802c7c06

Threat name:

Linux.Trojan.Vigorf

Status:

Malicious

First seen:

2025-12-12 21:17:19 UTC

File Type:

Text (Shell)

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2va4qoofc7zfh35eumn6vfunoohscxo2nidhicawake6jabmpqda._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:botnet antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251212-z476vawlcr/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d541c839c517/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/d541c839c517f253efa4a31bea968d738f215dda6a067408160289e4802c7c06

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.