MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6ca4791f32e862451b294da6300cd72ed2375b176b16e42e2f914e7201c0691. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6ca4791f32e862451b294da6300cd72ed2375b176b16e42e2f914e7201c0691
SHA3-384 hash: 4a77ce6ee14ee25a861824e5c17b257c595d857a48254d3a421f5e772e014f82a75ed36e8816b9bc0112ed3242a27dd3
SHA1 hash: 73356b6d8535e2cb42fa5f977c5475133d05814d
MD5 hash: d444e7a2597082301cea027f9a1c6c94
humanhash: muppet-kilo-triple-fifteen
File name:m
Download: download sample
Signature Mirai
Create hunting rule
File size:3'394 bytes
First seen:2025-12-26 22:20:37 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 48:z56jhL8QoqziViu5/TwCayHYHPiQsyS+YwliQHdiaM:F6jhnf05/TwdsyVPM
TLSH T1076147FE349A6F32369CCDC0B2B1A558B88FA9D426A00D749F9A14E6C8F99057B04735
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://130.12.180.126/mips7f811a1cdf3914ea41daa77485f3b4db99551015182b5c31594b35e521fabc11 Mirai32-bit elf mirai ua-wget
http://130.12.180.126/mpsl9be519da66cb95b5d74388860437a98240957d347b6da9c1ce01c37209d64f26 Miraielf gafgyt mirai ua-wget
http://130.12.180.126/arm440ee4b2d7cdb0e3181f62b9a1a9371346f7bf9993cae9524c0dc8ccae875cdf1 Miraielf mirai ua-wget
http://130.12.180.126/arm5083e5beea5b26771cee1d513a4d864a85e87a7107f8e0cb8d0e586b5e9de908e Miraielf mirai ua-wget
http://130.12.180.126/arm75e611c0ad2bb70becdf4a772162a14356ee476e3e0bebabd21cd00860bf4e4cc Miraiarm elf geofenced mirai ua-wget USA
http://130.12.180.126/x86_64001c9c983afed1489f2a681b2d4045ae6120ecca1640045068d68d443891168b Miraielf mirai ua-wget
http://130.12.180.126/aarch64a237dd386bf93f8cc5e262fd169c5a7a6d29268c80a9ed820d44bfdc496ba155 Miraielf mirai ua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
34
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
busybox mirai
Link:
https://www.filescan.io/uploads/694f878a3f8fdbf8e9533294/reports/cfe32eb5-d620-4c9b-958c-380a5fea817a/overview
Verdict:
Malicious
Labled as:
Bash.MiraiA.Generic
Link:
https://www.hybrid-analysis.com/sample/f6ca4791f32e862451b294da6300cd72ed2375b176b16e42e2f914e7201c0691
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-12-26T19:47:00Z UTC
Last seen:
2025-12-27T12:48:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/f6ca4791f32e862451b294da6300cd72ed2375b176b16e42e2f914e7201c0691/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/f6ca4791f32e862451b294da6300cd72ed2375b176b16e42e2f914e7201c0691
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6ca4791f32e862451b294da6300cd72ed2375b176b16e42e2f914e7201c0691/
Threat name:
Script-Shell.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-12-26 23:21:40 UTC
File Type:
Text (Shell)
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=63fepeptf2dciunsstnggagnolwsg5nro2yw4qxc7ekooia4a2iq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
antivm credential_access defense_evasion discovery linux upx
Link:
https://tria.ge/reports/260106-nz117a1mbw/
Behaviour
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Checks CPU configuration
Reads system network configuration
Reads process memory
UPX packed file
Enumerates active TCP sockets
Enumerates running processes
File and Directory Permissions Modification
Deletes system logs
Executes dropped EXE
Renames itself
Unexpected DNS network traffic destination
Contacts a large (30037) amount of remote hosts
Creates a large amount of network flows
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6ca4791f32e862451b294da6300cd72ed2375b176b16e42e2f914e7201c0691

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh f6ca4791f32e862451b294da6300cd72ed2375b176b16e42e2f914e7201c0691

(this sample)

Mirai

elf 6a9914d42b78eff4c863cb9c297b695935e91b8a65ca4e54136fe037421f9e5b

  
URLhaus
https://urlhaus.abuse.ch/url/3744377/
  
Delivery method
Distributed via web download
  
Dropping
MD5 b44d6cf9a048543391f2684d21b75f70
  
Dropping
SHA256 6a9914d42b78eff4c863cb9c297b695935e91b8a65ca4e54136fe037421f9e5b

Comments