MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2cc4b87ce96d79f73365cfd237f7315c01de55947e4480792f4fdaf7d5d8baa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	f2cc4b87ce96d79f73365cfd237f7315c01de55947e4480792f4fdaf7d5d8baa
SHA3-384 hash:	1a3b89423b8c8d5478ebe02f9a75e3a469cc4f4767ef0b0d7195f6f7e3cfbb54a4cb371adfd3cc1f4a0bc8c452989779
SHA1 hash:	5c4e06f773ab7e829dfa987918f1b3ca68b37b6c
MD5 hash:	4dd05622bebb6c4176eb24862c80b322
humanhash:	twelve-thirteen-mississippi-double
File name:	run.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	6'282 bytes
First seen:	2025-10-26 05:08:51 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	96:ZVdGRURlR2JMgOabiB6FuZK+GRKTgEbwW:SFuZEEbwW
TLSH	T1EBD1658F11458731DF09CB4E77F47234920FA1D2BACBDB94B994482D4FC6D8C6685EA2
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnaarch64xnxn	n/a	n/a	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnalphaxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnarcxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnarm-gnueabixnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/bins/xnxnxnxnxnxnxnxncskyxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnhppaxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnhppa64xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/bins/xnxnxnxnxnxnxnxni386xnxn	n/a	n/a	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnloongarch64xnxn	2cfae3dffa973d69607fa57bff6659758ae02ae9eb165f99436d303df69ec1c0	Mirai	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnm68kxnxn	d03af00a45e512727d12ca0a188c8b989c5bb4aab90b5ef85bb081b16b819b8c	Mirai	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnmicroblazexnxn	df0c8106b15edd65fc2a206aff0a33b0b2645e0b80f6c43e3a94cfc7d7257ba6	Mirai	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnmipsxnxn	n/a	n/a	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnmips64xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnor1kxnxn	31b49b7f11276d9f390bd221cac81ff7bb3c0804df440afbc811416ae14deb7e	Mirai	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnpowerpcxnxn	n/a	n/a	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnpowerpc64xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnriscv32xnxn	4465d6a9dec1b274cfb1c06a8d98164905784284c0fb60194f1f314343e21a9e	Mirai	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnriscv64xnxn	5e0663a0756c64c911dd23f0cc7c165cf90d4f48ed212528596ee32ec4d57cd2	Mirai	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxns390xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnsh2xnxn	4c6986553f9bd369c6f6f10f36bfb89b3ac2a39ec738d890c15dc3a945fdef78	Mirai	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnsh4xnxn	834f4003c8d047d623383985b918f4b3d2d4e87fe8d225bf487ca65345578afd	Mirai	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnsparcxnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnsparc64xnxn	n/a	n/a	elf ua-wget
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnx86_64xnxn	n/a	n/a	mirai opendir
http://196.251.80.30/bins/xnxnxnxnxnxnxnxnxtensaxnxn	n/a	n/a	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

File Type:

text

First seen:

2025-10-25T22:58:00Z UTC

Last seen:

2025-10-26T04:28:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/f2cc4b87ce96d79f73365cfd237f7315c01de55947e4480792f4fdaf7d5d8baa/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/21a487ef-a36b-40a6-8a13-1bd290d2b3c0

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f2cc4b87ce96d79f73365cfd237f7315c01de55947e4480792f4fdaf7d5d8baa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f2cc4b87ce96d79f73365cfd237f7315c01de55947e4480792f4fdaf7d5d8baa/

Threat name:

Linux.Downloader.Generic

Status:

Suspicious

First seen:

2025-10-26 03:54:11 UTC

File Type:

Text (Shell)

AV detection:

8 of 38 (21.05%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6lgexb6os3lz64zwlt6sg73tcxab3zkzi7seqb4s6t6267k5rova._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251026-ftg25avjdr/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f2cc4b87ce96d79f73365cfd237f7315c01de55947e4480792f4fdaf7d5d8baa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh f2cc4b87ce96d79f73365cfd237f7315c01de55947e4480792f4fdaf7d5d8baa

(this sample)

elf 7c3431040e6118fb398d033ee6e37899c8f9ad9a0f9c104802aee252ca897246

URLhaus

https://urlhaus.abuse.ch/url/3685672/

Delivery method

Distributed via web download

Dropping

MD5 1f601cda5fffe74cbbb26485b79b27b8

Dropping

SHA256 7c3431040e6118fb398d033ee6e37899c8f9ad9a0f9c104802aee252ca897246

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample