MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5b6eeac3f9ad2d7bf934fd5111c8b6be7eecf7166f114a5cbed451f8d3bf6ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: d5b6eeac3f9ad2d7bf934fd5111c8b6be7eecf7166f114a5cbed451f8d3bf6ca
SHA3-384 hash: 807f4545facc0daaf66b58a81bc739408b5ffc869498a0804be75ad0e5afbf37c74fcbcc348690779e86d747d7efcb42
SHA1 hash: 2ea3a67b3abedff53bbfe725f1a23d08084329cd
MD5 hash: 49a2acb38448a49eba300401d7fb96b7
humanhash: maine-hawaii-monkey-winner
File name: kraxe
Signature: Mirai
File size: 465 bytes
First seen: 2025-12-21 15:14:21 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:ep8hepzk5pSqAp99IKAepFNIxOipW+sKGv:ep8hepzk5pSfp99IypFNIxJpZsKGv
TLSH: T179F08C9F18273512C958BC7023AB389D7840CE8A2A314F6EECD7803784CCA007F6CE64
Magika: shell
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://130.12.180.64/nklmips | ee7f15a7919dcdfd3dc0e5ca0aa1a5a3c19c6a4d4a797746d23f105ea1e6bbf8 | Mirai | elf mirai ua-wget
http://130.12.180.64/nklmpsl | 174a973b574cd9bc3312301611ffe099b2d83595bffa2bfe1cffc6b6564c5702 | Mirai | elf mirai ua-wget
http://130.12.180.64/nklarm | ddd2c782f1965ea0a08ab6c29ffeee48fe1ce17249285e0189fe81c3188db6df | Mirai | elf mirai ua-wget
http://130.12.180.64/nklarm5 | 0cd888c4ae90abe9f45527590043089f983e1b6cd63b180fa07f32e8733b7724 | Mirai | elf mirai ua-wget
http://130.12.180.64/nklarm6 | e36d2400e7ce8f2fad75a987b9061581b80ae5bc5722dadf5f0383987f6384fc | Mirai | elf mirai ua-wget
http://130.12.180.64/nklarm7 | a8a957c59b97f53123a9406ded737c532249bb21ecd290c48bdcb9c2a378542e | Mirai | elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 38
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: mirai
Verdict: Malicious
File Type: text
First seen: 2025-12-21T12:37:00Z UTC
Last seen: 2025-12-22T17:04:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph: (graph rendering not reproducible in text; process tree recovered from it) /usr/bin/sudo (pid 2279) executes /tmp/sample.bin (pid 2289); the sample then repeats the following sequence six times: execve /usr/bin/wget (net, send-data, write-file), execve /usr/bin/chmod, clone /usr/bin/dash. Each of the six wget processes (pids 2291, 2312, 2327, 2341, 2359, 2373) connects to 130.12.180.64:80 and sends 134-135 bytes.
Threat name: Document-HTML.Trojan.Heuristic
Status: Malicious
First seen: 2025-12-21 15:35:29 UTC
File Type: Text (Shell)
AV detection: 8 of 24 (33.33%)
Threat level: 2/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Signature: Mirai
File type: sh
SHA256 hash: d5b6eeac3f9ad2d7bf934fd5111c8b6be7eecf7166f114a5cbed451f8d3bf6ca (this sample)

Delivery method: Distributed via web download

Comments