MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f956fc9d97640ad663bf9d9f193702de858f32b1b03d235bfe5f374a3827d58f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	f956fc9d97640ad663bf9d9f193702de858f32b1b03d235bfe5f374a3827d58f
SHA3-384 hash:	3ebc63b12c52d77ae78a6ea408107f84d2a1e482d3ba8696e56898eb7eadd989927db71fd8fdfcd771234c2a9463e264
SHA1 hash:	ebaaeff8fde922947ef404f8c694ae21113c608a
MD5 hash:	25283562baf572ec8c48a32cdcbe4cdb
humanhash:	triple-connecticut-london-network
File name:	olor
Download:	download sample
Signature	Mirai Create hunting rule
File size:	242 bytes
First seen:	2025-12-05 18:21:31 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	6:L6Frx8ZXt5/jNwAK7PSrx8Vzg6FrLJZXt5/ZWJNwAbJ78J0bZrLJn:vth2A9m5XthoTwA2aZh
TLSH	T1FBD05E9BD004A6B4D20AE88E317003DE72238B9F70A74F51AD48307FA2C44D8B011A08
Magika	batch
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://213.209.143.64/zermips	3f622b288e8182003119ed88145a8c767b94813a364eae2c6e12344c8787ca3e	Mirai	elf mirai ua-wget
http://213.209.143.64/zermpsl	d601648e9899e851aeed28f8647b34e99568d2db7ec355b1bb006a13ef3193a8	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.Downloader-35.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive mirai

Link:

https://www.filescan.io/uploads/69332423ff25e40750d514b1/reports/cb8a3aef-77ff-42d0-a8f0-925360e1bf59/overview

Verdict:

Malicious

File Type:

text

First seen:

2025-12-05T16:20:00Z UTC

Last seen:

2025-12-07T12:20:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/f956fc9d97640ad663bf9d9f193702de858f32b1b03d235bfe5f374a3827d58f/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f956fc9d97640ad663bf9d9f193702de858f32b1b03d235bfe5f374a3827d58f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f956fc9d97640ad663bf9d9f193702de858f32b1b03d235bfe5f374a3827d58f/

Threat name:

Script-Shell.Browser.Tsunami

Status:

Malicious

First seen:

2025-12-05 18:26:20 UTC

File Type:

Text (Shell)

AV detection:

8 of 38 (21.05%)

Threat level:

4/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7flpzhmxmqfnmy57twprsnyc32cy6mvrwa6sgw76l43uuobh2whq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251205-w36pvaxkds/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f956fc9d97640ad663bf9d9f193702de858f32b1b03d235bfe5f374a3827d58f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.