MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8a2d018127d94ab2de0ed028463db33663d4c2a68239428367ed435b2f4fc96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash: f8a2d018127d94ab2de0ed028463db33663d4c2a68239428367ed435b2f4fc96
SHA3-384 hash: da5563a6dda2c3f65a2af739ab2aecd12096907d405a41a6f068a9fd68f9a1682e2baf69f573a49761358e3c5283bf83
SHA1 hash: 1baaf1cffc765fa90830cb80fb113e5d45a7054a
MD5 hash: e2a0ad7b2a1b341f72b8728905d50f8b
humanhash: seven-crazy-skylark-maryland
File name:wget.sh
Download: download sample
Signature Mirai
File size:437 bytes
First seen:2026-07-11 05:35:28 UTC
Last seen:Never
File type: sh
MIME type:text/plain
ssdeep 12:ShJSYh3a/L0+h3aQeLz+h3aq0LKV0+h38b+h3+J:Shdxcfx6LqxoKJx8Sx+J
TLSH T12BE01CED79951B7B8E44CD43E863886E615BAAC055802BCFB9CDA5A65494A81F030E88
Magika shell
Reporter abuse_ch
Tags:mirai sh
URLMalware sample (SHA256 hash)SignatureTags
http://217.60.195.214/armf64518bd3b3a5bb045e654b17bb9ea81adfa48bbb31341e90b98ed6c25a21928 Miraiarm elf ua-wget
http://217.60.195.214/arm53be2e505cc89927908a6ed4bd11aae81500fd7cf0992a3c46b8cfab64278580f Miraiarm elf ua-wget
http://217.60.195.214/arm721f220ef118fc887169ee1e134987551bac58868fbcdad95e14c7fc68a3b053d Miraiarm elf ua-wget
http://217.60.195.214/mips458597708ff0f5e3591e08f4f771e2c60f3d2f969ff92401c4e6125824a3860c Miraielf mips ua-wget
http://217.60.195.214/mpslb326230d8d04b69a557949e38c5616b7dc8c9e4ea6db75037fe50e342e848014 Miraielf mips ua-wget

Intelligence


File Origin
# of uploads :
1
# of downloads :
58
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
busybox downloader evasive exploit mirai
Verdict:
Malicious
File Type:
text
First seen:
2026-07-09T11:09:00Z UTC
Last seen:
2026-07-13T01:45:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Shell.Agent.p
Status:
terminated
Behavior Graph:
%3 guuid=7d13859e-2000-0000-76a9-b322cb0c0000 pid=3275 /usr/bin/sudo guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282 /tmp/sample.bin guuid=7d13859e-2000-0000-76a9-b322cb0c0000 pid=3275->guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282 execve guuid=db7823a1-2000-0000-76a9-b322d40c0000 pid=3284 /usr/bin/rm guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=db7823a1-2000-0000-76a9-b322d40c0000 pid=3284 execve guuid=78176ba1-2000-0000-76a9-b322d50c0000 pid=3285 /usr/bin/busybox net send-data write-file guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=78176ba1-2000-0000-76a9-b322d50c0000 pid=3285 execve guuid=375e12a6-2000-0000-76a9-b322e10c0000 pid=3297 /usr/bin/chmod guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=375e12a6-2000-0000-76a9-b322e10c0000 pid=3297 execve guuid=f8a554a6-2000-0000-76a9-b322e30c0000 pid=3299 /usr/bin/dash guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=f8a554a6-2000-0000-76a9-b322e30c0000 pid=3299 clone guuid=c7f8dea6-2000-0000-76a9-b322e50c0000 pid=3301 /usr/bin/busybox net send-data write-file guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=c7f8dea6-2000-0000-76a9-b322e50c0000 pid=3301 execve guuid=34a709ac-2000-0000-76a9-b322f20c0000 pid=3314 /usr/bin/chmod guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=34a709ac-2000-0000-76a9-b322f20c0000 pid=3314 execve guuid=e65967ac-2000-0000-76a9-b322f40c0000 pid=3316 /usr/bin/dash guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=e65967ac-2000-0000-76a9-b322f40c0000 pid=3316 clone guuid=a2093dad-2000-0000-76a9-b322f80c0000 pid=3320 /usr/bin/busybox net send-data write-file guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=a2093dad-2000-0000-76a9-b322f80c0000 pid=3320 execve guuid=91b455b2-2000-0000-76a9-b322050d0000 pid=3333 /usr/bin/chmod guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=91b455b2-2000-0000-76a9-b322050d0000 pid=3333 execve guuid=e9079db2-2000-0000-76a9-b322060d0000 pid=3334 /usr/bin/dash guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=e9079db2-2000-0000-76a9-b322060d0000 pid=3334 clone guuid=f64442b3-2000-0000-76a9-b3220a0d0000 pid=3338 /usr/bin/busybox net send-data write-file guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=f64442b3-2000-0000-76a9-b3220a0d0000 pid=3338 execve guuid=73fb6eb8-2000-0000-76a9-b322160d0000 pid=3350 /usr/bin/chmod guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=73fb6eb8-2000-0000-76a9-b322160d0000 pid=3350 execve guuid=231fdcb8-2000-0000-76a9-b322180d0000 pid=3352 /usr/bin/dash guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=231fdcb8-2000-0000-76a9-b322180d0000 pid=3352 clone guuid=c9748bb9-2000-0000-76a9-b3221c0d0000 pid=3356 /usr/bin/busybox net send-data write-file guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=c9748bb9-2000-0000-76a9-b3221c0d0000 pid=3356 execve guuid=bcad73be-2000-0000-76a9-b322280d0000 pid=3368 /usr/bin/chmod guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=bcad73be-2000-0000-76a9-b322280d0000 pid=3368 execve guuid=caa5b6be-2000-0000-76a9-b3222a0d0000 pid=3370 /usr/bin/dash guuid=4af9e3a0-2000-0000-76a9-b322d20c0000 pid=3282->guuid=caa5b6be-2000-0000-76a9-b3222a0d0000 pid=3370 clone f692037b-ed4e-5131-96ee-49a294b0f977 217.60.195.214:80 guuid=78176ba1-2000-0000-76a9-b322d50c0000 pid=3285->f692037b-ed4e-5131-96ee-49a294b0f977 send: 80B guuid=c7f8dea6-2000-0000-76a9-b322e50c0000 pid=3301->f692037b-ed4e-5131-96ee-49a294b0f977 send: 81B guuid=a2093dad-2000-0000-76a9-b322f80c0000 pid=3320->f692037b-ed4e-5131-96ee-49a294b0f977 send: 81B guuid=f64442b3-2000-0000-76a9-b3220a0d0000 pid=3338->f692037b-ed4e-5131-96ee-49a294b0f977 send: 81B guuid=c9748bb9-2000-0000-76a9-b3221c0d0000 pid=3356->f692037b-ed4e-5131-96ee-49a294b0f977 send: 81B
Threat name:
Document-HTML.Worm.Mirai
Status:
Malicious
First seen:
2026-07-09 17:41:48 UTC
File Type:
Text (Shell)
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh f8a2d018127d94ab2de0ed028463db33663d4c2a68239428367ed435b2f4fc96

(this sample)

  
Delivery method
Distributed via web download

Comments