MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee35e97129adbf882d22489c5e1feff97ba3fa2f03d2fa397e08f648c1f6320b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9



SHA256 hash: ee35e97129adbf882d22489c5e1feff97ba3fa2f03d2fa397e08f648c1f6320b
SHA3-384 hash: d88c28842c654648f0c402ba1be4b1f565870baa899ad627169743ebf300a0f85df1d4d3bc4f14cb0d98177a9631dbf4
SHA1 hash: fe8dd5e7dffe7668f570aedfddc3e086ba4e54ca
MD5 hash: 5a10f4aef93d485dc8a3b71906471a48
humanhash: virginia-mirror-carbon-single
File name: c.sh
Signature: Mirai
File size: 4'335 bytes
First seen: 2026-04-22 16:08:37 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:R0ZTWe3DxR9TWGesWJ9TKebb9Tdeyi9TuevD9TPeUc9TTeYo9B9TaerD9Txem692:R6SDWjZXAsYO
TLSH: T1B8912FDE0590EC738DB5DF01336797B090C4CDA738E7EB6CD88C386588A4954B2AEB49
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: BlinkzSec
Tags: mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 48
Origin country: AE

Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox mirai
Verdict: Malicious
File Type: unix shell
First seen: 2026-04-22T13:21:00Z UTC
Last seen: 2026-04-24T09:41:00Z UTC
Hits: ~100
Threat name: Script.Trojan.Heuristic
Status: Malicious
First seen: 2026-04-22 16:06:23 UTC
File Type: Text (Shell)
AV detection: 5 of 24 (20.83%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Checks CPU configuration
Enumerates running processes
File and Directory Permissions Modification
Deletes itself
Executes dropped EXE
Modifies Watchdog functionality
Traces itself
Contacts a large (151550) amount of remote hosts
Creates a large amount of network flows
Family: Mirai
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
