MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 effdc669bb714427240ba6037afd7da3da9b501b57717e1735bde3c77a22d261. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	effdc669bb714427240ba6037afd7da3da9b501b57717e1735bde3c77a22d261
SHA3-384 hash:	7e22ffd385fff31e7794bc5e4c41c266229414e4c43b0f2fd9c5b69bc25a10379bb50d4dbb415a0ce16131f3c1edac9e
SHA1 hash:	933f5c6f07eaaa71a4758276ec2d0a2f35a0d50d
MD5 hash:	d93fbbfe536bd855e6886a492fec80a8
humanhash:	berlin-stairway-finch-five
File name:	massload
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'148 bytes
First seen:	2026-05-20 02:47:35 UTC
Last seen:	2026-05-20 07:58:53 UTC
File type:	sh
MIME type:	text/plain
ssdeep	24:QvQhBh9M0oy1Jp7esrRFKXybBJq7rRryFKXXbC:QvQhno0hrqZKR
TLSH	T1BD213A9829E17F667505CF0CE2A2EE05D012E9CF21D50637B2DC9536ACAC118B826F4B
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://92.42.100.131/meow/mips	60a0bf900b6644c8ead28cd4029386af7167bb31dc6aff8fd410ea5f681017c7	Mirai	elf mips mirai ua-wget
http://92.42.100.131/meow/mpsl	02ef3cb6addd90f7d731b56ec9878c1921edc4d5d0374c21ede508e9852b34ea	Mirai	elf mips mirai ua-wget
http://92.42.100.131/meow/arm	d7ddcdbc8bd707ab051306766971704b011da1b23b3bb83bb163f06c769259d3	Mirai	arm elf mirai ua-wget
http://92.42.100.131/meow/arm5	f36cb5280c561465441d3c758524973486f322dec38b9f5f20627e99f9e06e2b	Mirai	arm elf mirai ua-wget
http://92.42.100.131/meow/arm7	cc4cdc137cbfc563d8da1cdef5627a00caa2070eddce812a40b4d51d87509c49	Mirai	arm elf mirai ua-wget
http://92.42.100.131/meow/x86	c4e5610e4463cfaccd98f8202f0eee441a3584cef7b215d60f8d9dd81ab5f849	Mirai	elf mirai ua-wget x86

Intelligence

File Origin

# of uploads :

168

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.Downloader-35.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6a0d6a36efbd399b39bdfcea/reports/b9a565b3-77da-4f38-91c9-3521ef25df37/overview

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/effdc669bb714427240ba6037afd7da3da9b501b57717e1735bde3c77a22d261

Gathering data

Threat name:

Linux.Worm.Mirai

Status:

Malicious

First seen:

2026-05-20 04:37:48 UTC

AV detection:

15 of 38 (39.47%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5764m2n3ofccojaluybxv7l5upnjwua3k5yx4fzvxxr4o6rc2jqq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260520-jwf5dscz7r/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/effdc669bb714427240ba6037afd7da3da9b501b57717e1735bde3c77a22d261

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh