MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f256da4be409350fadc4620c8b977355181562fd787fd3652f47080a5af54725. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	f256da4be409350fadc4620c8b977355181562fd787fd3652f47080a5af54725
SHA3-384 hash:	9459659a6c482282e65c43bb30722ede2f73f39e1536309d4b9898c2c31a85df583d92ac06e2d043f0b537f41ae16249
SHA1 hash:	906f0776a913f7b52a2d8176b36e7bc6710371a8
MD5 hash:	cab1af79e501983b896a51e6bf5e25e0
humanhash:	twelve-eleven-cat-oregon
File name:	all.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'560 bytes
First seen:	2026-04-05 07:17:17 UTC
Last seen:	2026-04-06 03:14:12 UTC
File type:	sh
MIME type:	text/plain
ssdeep	24:sF+RxvFtP3kF8MgApn0ttRV/5BCBMNzFEXUd5AOq:eEDt3kKMnp0tVxBCSNFGE5rq
TLSH	T1353190C651E2546A3DE8D94AB16FCC1E7446768E25CA5F49B8CC30F6A88CD40F0C1F57
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.139.67/x86_64	7a416069805e038aa1000e43b18aac8107502b1d5cc2ef223d294d1d55ad2719	Mirai	censys elf mirai ua-wget
http://176.65.139.67/mpsl	a0b8e360dacef8f07ad5376f24c32db347dbac14b9b9b0c94c9b43d478686edc	Mirai	censys elf mirai ua-wget
http://176.65.139.67/mips	e08406f2e345c2687c8b3b89c83e2e12aa44af75d66267c9c4e4bd023f3a369a	Mirai	censys elf mirai ua-wget
http://176.65.139.67/arm4	n/a	n/a	censys elf ua-wget
http://176.65.139.67/arm5	cebc631971fb334a22a64f013505ff0bfd90b4ce1455db1085f40775d178aa80	Mirai	censys elf mirai ua-wget
http://176.65.139.67/arm6	d9cf616d3ee2e3876c290d87b32ee7ae84d0bdbaabaad7e2345e85a480e2004e	Mirai	censys elf mirai ua-wget
http://176.65.139.67/arm7	d5ba31f3cc0a1ac9ae8e0f31c93aa8d730f47d9ed4241cba168c69547711d916	Mirai	censys elf mirai ua-wget
http://176.65.139.67/m68k	8bfb00aa025648f1baf72ee0328199fbdb8409a62267c8d42a6496feaa3b17ce	Mirai	censys elf mirai ua-wget
http://176.65.139.67/x86	3ae5fe39220114be834f20f83580c0b4f2bf3f12131a6b3c13bcc42dd6f1444f	Mirai	censys elf mirai ua-wget
http://176.65.139.67/spc	n/a	n/a	censys elf ua-wget
http://176.65.139.67/ppc	08892b942d00c640a81cdede68d06e5616cf080b6362b0c1dbc7ec9f2ce7a8d1	Mirai	censys elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive mirai

Link:

https://www.filescan.io/uploads/69d20c8100ad3636940be239/reports/89c421ce-e500-40d0-ab74-95148cd3bd95/overview

Verdict:

Malicious

File Type:

text

First seen:

2026-04-05T04:26:00Z UTC

Last seen:

2026-04-05T06:48:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/f256da4be409350fadc4620c8b977355181562fd787fd3652f47080a5af54725/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/d7bbc0b1-9c58-4b06-885e-7e089f3c03af

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f256da4be409350fadc4620c8b977355181562fd787fd3652f47080a5af54725

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f256da4be409350fadc4620c8b977355181562fd787fd3652f47080a5af54725/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/f256da4be409350fadc4620c8b977355181562fd787fd3652f47080a5af54725

Threat name:

Linux.Downloader.Generic

Status:

Suspicious

First seen:

2026-04-05 07:18:54 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6jlnus7ebe2q7loemigixf3tkumbkyx5pb75gzjpi4eauwxvi4sq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260405-h4h4aagt4v/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f256da4be409350fadc4620c8b977355181562fd787fd3652f47080a5af54725

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh