MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6f3b06ff42116c675cdf5a6165a9d52b30fdfd232622eaa3840383bf363f25e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 5



SHA256 hash: f6f3b06ff42116c675cdf5a6165a9d52b30fdfd232622eaa3840383bf363f25e
SHA3-384 hash: ba66ece1361dbe17922e865741fef0cc466ba4fac6e8eae310baad486a7b38db4509844774545b0e00bc44bbac1df4f2
SHA1 hash: 68208ebc39593e3be91f2ec536f90ed2ac5ef9d9
MD5 hash: 05fda71868fe0643b0a4935897800eeb
humanhash: three-item-ink-five
File name: bins.sh
Signature: Mirai
File size: 1'900 bytes
First seen: 2026-06-27 18:01:56 UTC
Last seen: 2026-06-28 06:47:37 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:1OJXUI6TpeBtmNIiNI+KPOKPnn2vsH2vpdUHTdR:eX8pctCKPOKPnn2vsH2vMHTdR
TLSH: T1C241B28B726434B3C40AEE55F3E495C4E18997E3E2B7CAB8B4A48763105D12CF5A6F70
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags

Intelligence


File Origin
# of uploads: 2
# of downloads: 75
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
File Type: unix shell
First seen: 2026-06-27T15:24:00Z UTC
Last seen: 2026-06-28T12:58:00Z UTC
Hits: ~10
Status: terminated
Threat name: Linux.Trojan.Vigorf
Status: Malicious
First seen: 2026-06-27 02:40:50 UTC
File Type: Text (Shell)
AV detection: 19 of 38 (50.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery linux persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
Modifies Bash startup script
Creates/modifies environment variables
Write file to user bin folder
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method
Distributed via web download
