MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8ee8ab1fdfc2e908493c8433ab4c67295e7a04c2fb98831bb56101d8ea73c26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	e8ee8ab1fdfc2e908493c8433ab4c67295e7a04c2fb98831bb56101d8ea73c26
SHA3-384 hash:	4eeffc7417d843375d458e1f528bd2b1768278edd13f4da78b559ceeee3fdd619ceb923d68966e955799af98d8e51712
SHA1 hash:	b8a50581aea9305240d77413268408d954a216b5
MD5 hash:	596fff9ffffffb50b14b6167131abdd7
humanhash:	mango-oranges-pluto-stairway
File name:	fentbins.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'820 bytes
First seen:	2026-01-11 05:43:58 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vqxdqCUqRheGqvCkqMcLqZtJq2MqS8qnRqOz:vqxdqCUqLeGqvdqMcLqZ7q2MqS8qnRqa
TLSH	T1963110C53341353169A1DD2B7ABBC984B2F47059BEC52A2966D43CE8C1DCF08BC55F92
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://87.121.112.124/bins/fent.x86	0d32236bfdd18985046bc80818bfa5b8baec2ca0a982d61bf4b62d898d94d08f	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.mips	6668094256bac1ecf829e2686192d4de0322c65ad24b6bce0137dc1ca5ccb844	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.mpsl	7b3f23580daa37bf9fc7811a111b25ad60eeb3b6ebed2fb531fd3b44fb2ee8a6	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.arm4	n/a	n/a	elf ua-wget
http://87.121.112.124/bins/fent.arm5	3b50fa8b73b431bf3c4ceafc12bbf57d7227d1f2586cb6cabe5fded45e511d55	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.arm6	803e8a0df8506cb0c52a095ae7c1512540964ccf6ef96887afd62ef9f5a18710	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.arm7	1bf10173feab7e57ff553a91fa313a213a025f5e295852db136707fe1173bb14	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.ppc	c948fc6cc962dcdfd94b0351ab7df2f1fc4034ded3023e2e54bccd57417f805c	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.m68k	0a147ad163eb46d153a692d285093dd08042cc9f377fe75cff63189e5c82eee8	Mirai	elf mirai ua-wget
http://87.121.112.124/bins/fent.sh4	05733b6df5ecb188fcece2cce03ee0cd4926facf754d10a2b6e8143c315ba18a	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/696338cd30368802bb7fce66/reports/c6c7bf17-5a40-488a-9603-6373163dfa40/overview

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

Link:

https://opentip.kaspersky.com/e8ee8ab1fdfc2e908493c8433ab4c67295e7a04c2fb98831bb56101d8ea73c26/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/c907a674-941a-4ebb-ab6d-17e7a008af23

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e8ee8ab1fdfc2e908493c8433ab4c67295e7a04c2fb98831bb56101d8ea73c26

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e8ee8ab1fdfc2e908493c8433ab4c67295e7a04c2fb98831bb56101d8ea73c26/

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-01-11 05:33:43 UTC

File Type:

Text (Shell)

AV detection:

22 of 36 (61.11%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5dxivmp57qxjbbetzbbtvnggokk6picmf64yqmn3kyib3dvhhqta._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260111-gfgd4saz8a/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e8ee8ab1fdfc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/e8ee8ab1fdfc2e908493c8433ab4c67295e7a04c2fb98831bb56101d8ea73c26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh