MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9c5bd8dc94485e3d286637b6b97d54a4225cf23a7f2f59a4c6c92e47d16acf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	d9c5bd8dc94485e3d286637b6b97d54a4225cf23a7f2f59a4c6c92e47d16acf4
SHA3-384 hash:	021ca22d2db68698552755c0fe81505bcf6174f7c4f7e54ff49b4642dce76640bbd565e43666e194aafcf9f198c07991
SHA1 hash:	0b3b80ad99d2e728f64c192af3a2baa494197587
MD5 hash:	cb11f0774b707aa496ad7c64941d79ec
humanhash:	sink-dakota-pluto-ink
File name:	ssh.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'588 bytes
First seen:	2025-06-10 21:33:01 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:EnSyjKgNhK8z+sKgKfXSh078z+jgKqJY+T7FFosZ08onSvotC71:ESyj/1+sPSSH+kL++FNGRSUI1
TLSH	T1A1315EF521320757C40EBE0AF6AA55D8B073B7AB4633CE9A6DA9783CE56C4307512E08
Magika	txt
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://213.209.143.44/mips	2d8559c3a323ebfd0536bf99910632c2b4ce22e557553ad2dd88d63dda06fcc2	Mirai	elf mirai
http://213.209.143.44/mipsel	a28ef23eab368ee0cf4c519dc023f8ea21f2ab99e3cb4c2b7961ddefe8d4ba1a	Mirai	elf mirai
http://213.209.143.44/arm	fd2cf8bb6373bb98a0f19a32d4c393eff037016419a22911e9e1359c9569e30c	Mirai	elf mirai ua-wget
http://213.209.143.44/arm5	829188885aebea92bb695e713ffb1b1dd889bb7f59d4774cfd61f0b3be2eb98f	Mirai	elf mirai
http://213.209.143.44/arm7	d272c1dc14542558532ea0b5f242882a062f2f0fe15f1ad51390507972f6f462	Mirai	elf mirai
http://213.209.143.44/x86	5b28f780409f28c7947f3984accd20a33bcf043af7a4918082ffa10fbb05b1dd	Mirai	elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-34.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6848a53b8bd5d68a12e79560linux22vpnfull_triage

Tags:

backdoor agent overt

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/d9c5bd8dc94485e3d286637b6b97d54a4225cf23a7f2f59a4c6c92e47d16acf4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d9c5bd8dc94485e3d286637b6b97d54a4225cf23a7f2f59a4c6c92e47d16acf4/

Threat name:

Linux.Trojan.Geninst

Status:

Malicious

First seen:

2025-06-10 21:23:36 UTC

File Type:

Text (Shell)

AV detection:

11 of 38 (28.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3hc33dojisc6huugmn5wxf6vjjbcltzdu7zplgsmnsjoi7iwvt2a._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250610-1ercga1sds/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d9c5bd8dc94485e3d286637b6b97d54a4225cf23a7f2f59a4c6c92e47d16acf4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.