MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4374bfdcc87adbb1948c4d94c7a5cd37a4041e0d82a93eb69a0d72b75093bb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	e4374bfdcc87adbb1948c4d94c7a5cd37a4041e0d82a93eb69a0d72b75093bb2
SHA3-384 hash:	0e8054e76a399b280c931b495a7e5c7505e5729b0670fba9b887a0c9a70c3ad8b5e8fa4fcb921c11f3fc690bb4a3eb90
SHA1 hash:	ac545697e41b1fca094c23eaec62fe034b9ea592
MD5 hash:	c100bdb1224091875f790a52363fe0a7
humanhash:	east-william-bakerloo-saturn
File name:	run.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'665 bytes
First seen:	2026-02-16 04:20:56 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:1z5TGNIWxIK5GhGXFHIHvcFoRikBjSuF7THy:RxQikFoRBguU
TLSH	T1653147D631303EDAC351CE9DFB70C8084EEE80E7ED5B279AD75B075D888920E3949A61
Magika	shell
Reporter	adliwahid

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://87.106.146.195/bins/narm	373a50f9d62f471cfb23b05a3ab79cbc345255c1e9a91846d7ad9a26d9d8f2c1	Mirai	mirai
http://87.106.146.195/bins/narm5	ff884b18295b7250a7f0b09d235839cc3c8a3e80355f3d19dbe72965d62796bd	Mirai	mirai
http://87.106.146.195/bins/narm6	92108a42515284c8a5225e35d8d5be2fc77e56e58c45a6c217d80e70a6cd098d	Mirai	mirai
http://87.106.146.195/bins/narm7	f039d8d34cf6d07cd8c9dac16e7d886691a08c7ae2a75483487df9f061108ab5	Mirai	mirai
http://87.106.146.195/bins/nm68k	c2b548e96d92872e073db11c2098e3b369d261aa23225e4eb4316423e90442b7	Mirai	mirai
http://87.106.146.195/bins/nmips	bf663d0a11eaf9ba7c676d2de4724eabc26c6ea47ee389935412deaed20f26ea	Mirai	mirai
http://87.106.146.195/bins/nmpsl	76f9c5aa8dab0c57211b0d51ecd0306606a852bcdefaeb08ce3245b5f3384b13	Mirai	mirai
http://87.106.146.195/bins/nppc	45bb4a5b31189d1cad986509739acfb6d25ba1e212a9efa2e3a429d9d8d495ad	Mirai	mirai
http://87.106.146.195/bins/nppc440	495058786666d3baa811c488a19fb88be607a9d9cdcbe8a7223c2e4b75a3f4b1	Mirai	mirai
http://87.106.146.195/bins/nsh4	09b11dffefc60d5aeff9f8abee9a95aa5682731ae098e7cc32a856c0c5239104	Mirai	mirai
http://87.106.146.195/bins/nx486	b2feaaf1ca43452cbb5aa24d6100cffaa704b6ec196e2f35e528c034308d05e9	Mirai	mirai
http://87.106.146.195/bins/nx686	0086b623fe36ab4a7b6ef1f8a3bd7d6a88a99a24169ffc1037d8b3399ee05d85	Mirai	mirai
http://87.106.146.195/bins/nx86	d7bdee44442f5548ff81564d4df5f84efcf7b57e19a0557c97b9c29afcc4946d	Mirai	mirai
http://87.106.146.195/bins/nx86_64	fa7ce9e3232f1d0b8c990220bc40e65ba4d26a3bceadc648964cbdc15ad3fa06	Mirai	mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

File Type:

text

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/e4374bfdcc87adbb1948c4d94c7a5cd37a4041e0d82a93eb69a0d72b75093bb2/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/4f561c68-d9e0-4cc2-b551-0a4e248128ec

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e4374bfdcc87adbb1948c4d94c7a5cd37a4041e0d82a93eb69a0d72b75093bb2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e4374bfdcc87adbb1948c4d94c7a5cd37a4041e0d82a93eb69a0d72b75093bb2/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/e4374bfdcc87adbb1948c4d94c7a5cd37a4041e0d82a93eb69a0d72b75093bb2

Threat name:

Script-Shell.Trojan.Geninst

Status:

Malicious

First seen:

2026-02-15 21:30:53 UTC

AV detection:

11 of 24 (45.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4q3ux7omq6w3wgkiytmuy6s42n5eaqpa3avjh23judlsw5ijhoza._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260216-eyqdmac16c/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e4374bfdcc87adbb1948c4d94c7a5cd37a4041e0d82a93eb69a0d72b75093bb2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh