MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e052bfab59ab1e074b7f2a998190e6d6094979bef2e93b59f32ffef096a24d83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments

SHA256 hash: e052bfab59ab1e074b7f2a998190e6d6094979bef2e93b59f32ffef096a24d83
SHA3-384 hash: 8c309ef78cd00d018e56a931f5333b28143e1d6d9f8bf3a9e365ebbdf4170a1c8f523bc10979c3a72e0e409e7fc2ed5b
SHA1 hash: e7114e32a05fcd1a8a286e175757f792a3fa21bd
MD5 hash: efc201a0642ae0c1a1733eebf9f92b9d
humanhash: fourteen-oranges-zebra-cola
File name:curl.sh
Download: download sample
Signature Mirai
File size:1'515 bytes
First seen:2026-06-24 02:12:07 UTC
Last seen:2026-06-24 21:22:14 UTC
File type: sh
MIME type:text/plain
ssdeep 24:VBvHBq25vFBMxqBCoBtBzBdT4qBxjB5B4b0BTf3ByqtBUgByUx3BpubW:rvhXd7MECcztds6x9f5tyUDycx8C
TLSH T1293158C822B017FBCED4DD527932E9EE606D84D7BE5758E4640884E36F886C5FC182A5
Magika shell
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://94.249.230.150/arc60ded09de33be52020e12548982c9ddd52b74e159628fdebf422d56b14d7ee8b Mirai94-249-230-150 elf mirai
http://94.249.230.150/arm31764032ea9adb75b70c06c1e612606c8ea3a5f52773af8b04ab23ace6453e74 Mirai94-249-230-150 elf mirai
http://94.249.230.150/arm5decb182a4acd5d57baa312dde32690d2e94df4708141ec7673480f0aa891fa0f Mirai94-249-230-150 elf mirai
http://94.249.230.150/arm6b1f0308d07368bdd9d389f0b4ab9627dd22f059021c1b3b1949357afe23cac8f Mirai94-249-230-150 elf mirai
http://94.249.230.150/arm7d30944617f3f3831f9f968f94592b8f007cb821df0c92c894c1f37ca851960f9 Mirai94-249-230-150 elf mirai
http://94.249.230.150/m68k223b9372c092ab4d81d5bb257680759b2bd69d3954364dca0d92773adbe990a1 Mirai94-249-230-150 elf mirai
http://94.249.230.150/mips86187dadfd543daafcdec14ea988b546467cf6b374de2ef26cd16c9de5ab3448 Gafgyt94-249-230-150 elf gafgyt mirai
http://94.249.230.150/mpsld8fc0a8f98aa0af5edf98dd20ce54f40baa9a4020fd62c61cd203a416cd4daa3 Mirai94-249-230-150 elf mirai
http://94.249.230.150/ppccbfa7a258edd1c5fd2bae5c9fc07b2af7c1f7b846a086e5b842fb67e10c3ddf7 Mirai94-249-230-150 elf mirai
http://94.249.230.150/sh46dbbc710a4b25377fd2ff447e82d754e5e51c49ed224d807b04d275e53bcead4 Mirai94-249-230-150 elf mirai
http://94.249.230.150/spc9ea203e9d1d9da977a7d667f10e7ceb273bbe9964589c7bf7e9d5600c498bc3c Miraielf mirai ua-wget
http://94.249.230.150/x86_6402cb2c50ef08bcbfae632316ad3e43961980bbeb1ba5213f15d3dd1801762f7e Mirai94-249-230-150 elf mirai
http://94.249.230.150/i686ffb744e91515a6bdb0bf0588065455efd591250c882026b6c16f6afca11ca98f Mirai94-249-230-150 elf mirai
http://94.249.230.150/x866cb6c35d7d3faab5b65a1ed166984de9cb94031d85824f408adf7a9da868ec26 Miraielf mirai ua-wget
http://94.249.230.150/i4862e8441299af33b3ad8701c04b159d8a0ff5bfca6d6f1d8bc0f0bfa0c50130b15 Mirai94-249-230-150 elf mirai

Intelligence


File Origin
# of uploads :
2
# of downloads :
127
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
busybox evasive
Verdict:
Malicious
File Type:
text
First seen:
2026-06-23T23:20:00Z UTC
Last seen:
2026-06-25T23:49:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Shell.Agent.p
Status:
terminated
Behavior Graph:
%3 guuid=c6197961-1900-0000-bc70-699c2f140000 pid=5167 /usr/bin/sudo guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168 /tmp/sample.bin guuid=c6197961-1900-0000-bc70-699c2f140000 pid=5167->guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168 execve guuid=44bcc863-1900-0000-bc70-699c31140000 pid=5169 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=44bcc863-1900-0000-bc70-699c31140000 pid=5169 execve guuid=2142f363-1900-0000-bc70-699c32140000 pid=5170 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=2142f363-1900-0000-bc70-699c32140000 pid=5170 execve guuid=6fa31c64-1900-0000-bc70-699c33140000 pid=5171 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=6fa31c64-1900-0000-bc70-699c33140000 pid=5171 clone guuid=30a92464-1900-0000-bc70-699c34140000 pid=5172 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=30a92464-1900-0000-bc70-699c34140000 pid=5172 execve guuid=79fa4864-1900-0000-bc70-699c35140000 pid=5173 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=79fa4864-1900-0000-bc70-699c35140000 pid=5173 execve guuid=32827b64-1900-0000-bc70-699c36140000 pid=5174 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=32827b64-1900-0000-bc70-699c36140000 pid=5174 clone guuid=83009a64-1900-0000-bc70-699c37140000 pid=5175 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=83009a64-1900-0000-bc70-699c37140000 pid=5175 execve guuid=ffe4d464-1900-0000-bc70-699c38140000 pid=5176 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=ffe4d464-1900-0000-bc70-699c38140000 pid=5176 execve guuid=0f940765-1900-0000-bc70-699c39140000 pid=5177 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=0f940765-1900-0000-bc70-699c39140000 pid=5177 clone guuid=5c6c2365-1900-0000-bc70-699c3a140000 pid=5178 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=5c6c2365-1900-0000-bc70-699c3a140000 pid=5178 execve guuid=1cf66265-1900-0000-bc70-699c3b140000 pid=5179 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=1cf66265-1900-0000-bc70-699c3b140000 pid=5179 execve guuid=e2599d65-1900-0000-bc70-699c3c140000 pid=5180 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=e2599d65-1900-0000-bc70-699c3c140000 pid=5180 clone guuid=9e4bb965-1900-0000-bc70-699c3d140000 pid=5181 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=9e4bb965-1900-0000-bc70-699c3d140000 pid=5181 execve guuid=7b69e965-1900-0000-bc70-699c3e140000 pid=5182 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=7b69e965-1900-0000-bc70-699c3e140000 pid=5182 execve guuid=0d090f66-1900-0000-bc70-699c3f140000 pid=5183 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=0d090f66-1900-0000-bc70-699c3f140000 pid=5183 clone guuid=e4c01666-1900-0000-bc70-699c40140000 pid=5184 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=e4c01666-1900-0000-bc70-699c40140000 pid=5184 execve guuid=8ccb3c66-1900-0000-bc70-699c41140000 pid=5185 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=8ccb3c66-1900-0000-bc70-699c41140000 pid=5185 execve guuid=14436c66-1900-0000-bc70-699c42140000 pid=5186 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=14436c66-1900-0000-bc70-699c42140000 pid=5186 clone guuid=c2ff7266-1900-0000-bc70-699c43140000 pid=5187 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=c2ff7266-1900-0000-bc70-699c43140000 pid=5187 execve guuid=8d999766-1900-0000-bc70-699c44140000 pid=5188 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=8d999766-1900-0000-bc70-699c44140000 pid=5188 execve guuid=2042bb66-1900-0000-bc70-699c45140000 pid=5189 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=2042bb66-1900-0000-bc70-699c45140000 pid=5189 clone guuid=6868c066-1900-0000-bc70-699c46140000 pid=5190 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=6868c066-1900-0000-bc70-699c46140000 pid=5190 execve guuid=1cb1e466-1900-0000-bc70-699c47140000 pid=5191 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=1cb1e466-1900-0000-bc70-699c47140000 pid=5191 execve guuid=35221a67-1900-0000-bc70-699c48140000 pid=5192 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=35221a67-1900-0000-bc70-699c48140000 pid=5192 clone guuid=ecf92467-1900-0000-bc70-699c49140000 pid=5193 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=ecf92467-1900-0000-bc70-699c49140000 pid=5193 execve guuid=2f4c6067-1900-0000-bc70-699c4a140000 pid=5194 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=2f4c6067-1900-0000-bc70-699c4a140000 pid=5194 execve guuid=e11a9a67-1900-0000-bc70-699c4b140000 pid=5195 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=e11a9a67-1900-0000-bc70-699c4b140000 pid=5195 clone guuid=50dab667-1900-0000-bc70-699c4c140000 pid=5196 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=50dab667-1900-0000-bc70-699c4c140000 pid=5196 execve guuid=0aebfc67-1900-0000-bc70-699c4d140000 pid=5197 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=0aebfc67-1900-0000-bc70-699c4d140000 pid=5197 execve guuid=c90b4168-1900-0000-bc70-699c4e140000 pid=5198 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=c90b4168-1900-0000-bc70-699c4e140000 pid=5198 clone guuid=8bca5f68-1900-0000-bc70-699c4f140000 pid=5199 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=8bca5f68-1900-0000-bc70-699c4f140000 pid=5199 execve guuid=eb43a568-1900-0000-bc70-699c50140000 pid=5200 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=eb43a568-1900-0000-bc70-699c50140000 pid=5200 execve guuid=50ddd868-1900-0000-bc70-699c51140000 pid=5201 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=50ddd868-1900-0000-bc70-699c51140000 pid=5201 clone guuid=9c06f668-1900-0000-bc70-699c52140000 pid=5202 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=9c06f668-1900-0000-bc70-699c52140000 pid=5202 execve guuid=5e9a2a69-1900-0000-bc70-699c53140000 pid=5203 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=5e9a2a69-1900-0000-bc70-699c53140000 pid=5203 execve guuid=98975769-1900-0000-bc70-699c54140000 pid=5204 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=98975769-1900-0000-bc70-699c54140000 pid=5204 clone guuid=710e7869-1900-0000-bc70-699c55140000 pid=5205 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=710e7869-1900-0000-bc70-699c55140000 pid=5205 execve guuid=4d38af69-1900-0000-bc70-699c56140000 pid=5206 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=4d38af69-1900-0000-bc70-699c56140000 pid=5206 execve guuid=1991e569-1900-0000-bc70-699c57140000 pid=5207 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=1991e569-1900-0000-bc70-699c57140000 pid=5207 clone guuid=b197056a-1900-0000-bc70-699c58140000 pid=5208 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=b197056a-1900-0000-bc70-699c58140000 pid=5208 execve guuid=689f3b6a-1900-0000-bc70-699c59140000 pid=5209 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=689f3b6a-1900-0000-bc70-699c59140000 pid=5209 execve guuid=696a6a6a-1900-0000-bc70-699c5a140000 pid=5210 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=696a6a6a-1900-0000-bc70-699c5a140000 pid=5210 clone guuid=81fc886a-1900-0000-bc70-699c5b140000 pid=5211 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=81fc886a-1900-0000-bc70-699c5b140000 pid=5211 execve guuid=ae72c06a-1900-0000-bc70-699c5c140000 pid=5212 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=ae72c06a-1900-0000-bc70-699c5c140000 pid=5212 execve guuid=ba5ff46a-1900-0000-bc70-699c5d140000 pid=5213 /usr/bin/dash guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=ba5ff46a-1900-0000-bc70-699c5d140000 pid=5213 clone guuid=05f1136b-1900-0000-bc70-699c5e140000 pid=5214 /usr/bin/busybox guuid=68e68c63-1900-0000-bc70-699c30140000 pid=5168->guuid=05f1136b-1900-0000-bc70-699c5e140000 pid=5214 execve
Verdict:
Malicious
Threat:
Trojan-Downloader.Shell.Agent
Threat name:
Script.Trojan.Multiverze
Status:
Malicious
First seen:
2026-06-24 02:15:55 UTC
File Type:
Text (Shell)
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware persistence ransomware spyware
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Enumerates connected drives
Boot or Logon Autostart Execution: Active Setup
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh e052bfab59ab1e074b7f2a998190e6d6094979bef2e93b59f32ffef096a24d83

(this sample)

  
Delivery method
Distributed via web download

Comments