MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee8a417c0f8b854d1e541e78d75855507ceb08eec8427860d5562a84c6151120. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

SHA256 hash: ee8a417c0f8b854d1e541e78d75855507ceb08eec8427860d5562a84c6151120
SHA3-384 hash: b19f7780dada4e82ff212d77cbbe018dfc873dfe9bffcd96ba708b58de107924b076ffd6d1158aa48645457b76879374
SHA1 hash: 42e9479734dfac3e0234fb47c35377ea974c8a28
MD5 hash: e8f731797aa24113a82ed989944b4370
humanhash: beryllium-oranges-twenty-south
File name: w.sh
Signature: Mirai
File size: 980 bytes
First seen: 2025-12-25 09:58:17 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:poV3XZjNIBS+TQoKSrTjxHXleM8brl9AXYl9oVHTxyaPF6wHhyrQbk:pgFNII0KSr5358/l9Aq98XLOQw
TLSH: T1A7119DD921D0882A44EACC4C32A48828963BD5C579418F7CDDBD44B741E6AFCBF2CE8C
Magika: batch
Reporter: abuse_ch
Tags: mirai sh
URL                                  Malware sample (SHA256 hash)                                      Signature  Tags
http://190.123.46.72/bins/main_arm    0b423d1b9e7a9e6719bf77dfa5363998d04f9edad2ee8e2de911c7ae995a391a  Mirai      elf mirai ua-wget
http://190.123.46.72/bins/main_arm5   5d94992dac0b6d592f86b0d59af84c52168f05d7aa1713a0c4fd62820be71630  Mirai      elf mirai ua-wget
http://190.123.46.72/bins/main_arm6   5b1cf87888710837c0007fd20877644abec191d7fed82763a15b959d591444d4  Mirai      elf mirai ua-wget
http://190.123.46.72/bins/main_arm7   cf40305398ee234528ebd18bb54b13e1bb94f90a501636857e25ba114bb1c9c6  Mirai      elf mirai ua-wget
http://190.123.46.72/bins/main_sh4    fd893a3ee002cd623137b4f65fda5624232eb22e53f5fec40601bc26e7eed29a  Mirai      elf mirai ua-wget
http://190.123.46.72/bins/main_m68k   7cca33815eaccd864db722658cce4a234c32280e2ee7266c9fecd8601652c95f  Mirai      elf mirai ua-wget
http://190.123.46.72/bins/main_mips   261cbea15e9c316a7a13d6ee7c496feb4364d264355821dc03664c17f398bcd1  Mirai      elf mirai ua-wget
http://190.123.46.72/bins/main_mpsl   2322a5098627d113e939e6ac7ddb5c80ed5e253a650c6b6e1737baa4617db415  Mirai      elf mirai ua-wget
http://190.123.46.72/bins/main_x86_64 6c22bec08f6ce62b43664b22028e033d496990b06a053c4aee5168b3af787c55  Mirai      elf mirai ua-wget
http://190.123.46.72/bins/main_ppc    b1d611c59c43c5f2ae26da403ac6f4c59f721d91716cd5c07e3293351db8124c  Mirai      elf mirai ua-wget
http://190.123.46.72/bins/main_x86    05466e5727f528209cff95c2e7e2b197aa0fe4e312fd3709c13a1605c8cc2555  Mirai      elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 32
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bash busybox lolbin mirai
Status: terminated
Behavior Graph:
Threat name: Script-Shell.Downloader.Heuristic
Status: Malicious
First seen: 2025-12-25 09:49:24 UTC
File Type: Text (Shell)
AV detection: 15 of 24 (62.50%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method  Signature  File type and SHA256 hash
Web download     Mirai      sh ee8a417c0f8b854d1e541e78d75855507ceb08eec8427860d5562a84c6151120 (this sample)

Delivery method: Distributed via web download

Comments