MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5f7e99c2b01bada211a396efc4921ff6b23cd19fcb0be3ba5bdc137bfd48e9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	f5f7e99c2b01bada211a396efc4921ff6b23cd19fcb0be3ba5bdc137bfd48e9a
SHA3-384 hash:	55ef61be9423470dd96f795384d8569f6d084cb92ac525014df6e0c00ba26226fe19fecca1d20d97ad718752b94e370f
SHA1 hash:	810c8e59452b2ce5ee022218ae82850e2b22a8e2
MD5 hash:	e69b37fab18b363907affbf55b65db63
humanhash:	eleven-april-golf-monkey
File name:	wget1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'139 bytes
First seen:	2025-07-04 04:30:35 UTC
Last seen:	2025-07-04 07:04:09 UTC
File type:	sh
MIME type:	text/plain
ssdeep	24:ACqUGFUKmUSNI70UqKjUS+USU03U4tmUVU4yU4kvioSUzAozUI5ogUIDoVU6KgG+:AjdHwd7HRjGV
TLSH	T13221FBAD21301EB68914DD47F83343E8702EE5CDE6708F5639CF58B98C976807D50B4A
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.208.158.140/arm	8271f1f986b352fff15ea4a77cc5fec53c1d9dcca742d4a9c9d2ab6891eab18a	Mirai	elf gafgyt mirai ua-wget
http://185.208.158.140/arm5	575ef1a01819dd1f1c2c0fb09b0001725599230fc4ce03d197b52751ff85a341	Mirai	elf mirai ua-wget
http://185.208.158.140/arm6	6402c8ac9e7bcc47f493ed249ef2b5a0e1b0b317e0dbd8012b61d3507c67fd0e	Mirai	elf mirai ua-wget
http://185.208.158.140/arm7	37d405a2afcd051f24faa7d536ac292e28148575a2ee02766b92046f413a3c57	Mirai	elf mirai ua-wget
http://185.208.158.140/mips	7b02048872ec82be36a7a9c28d8479a1c884a2df339416c822554211e6d5b05e	Mirai	elf gafgyt mirai ua-wget
http://185.208.158.140/mipsel	f0c4dc9e697cc34437766c67140cc210be04bd62997bf2ace3c389e3d9e32ff7	Mirai	elf mirai ua-wget
http://185.208.158.140/powerpc	cefd6e28cd1c138a151a1721dbbe1a53b410424b259179faa792fcc8063952ba	Mirai	elf mirai ua-wget
http://185.208.158.140/sh4	dfc72b2b40890a9747c242f69db7c4941794bf89c5ff0ef75dab6e1338c6cd6f	Mirai	elf mirai ua-wget
http://185.208.158.140/sparc	36eb14fd17bd36eb37ce29bdffe3109b88ffef2387f94647593d267b3214b134	Mirai	elf mirai ua-wget
http://185.208.158.140/x86_64	1d9f46542a855257b2a801c72449db0482435d1bb05cffccc0ad56a82e4631e6	Mirai	elf mirai ua-wget
http://185.208.158.140/x86_32	7cc20c4f63b03aa33b99d2ad360b8b4697616676e3df8e6be4a8f49eb425e345	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68675918c9eb974737662454linux22vpnfull_triage

Tags:

n/a

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/a74e530a-cc77-4b09-90ed-61b6ede51f7c

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f5f7e99c2b01bada211a396efc4921ff6b23cd19fcb0be3ba5bdc137bfd48e9a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f5f7e99c2b01bada211a396efc4921ff6b23cd19fcb0be3ba5bdc137bfd48e9a/

Threat name:

Script-Shell.Worm.Mirai

Status:

Malicious

First seen:

2025-07-04 04:31:21 UTC

File Type:

Text (Shell)

AV detection:

14 of 38 (36.84%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6x36thblag5nuii2hfxpysjb75vshtiz7syl4o5fxxatpp6ur2na._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250704-e5jvesap8z/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f5f7e99c2b01bada211a396efc4921ff6b23cd19fcb0be3ba5bdc137bfd48e9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.