MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 faa5d65ba56b6200d9aca632f4d58d558022064f4db22e77f659ebdbd97b4e3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash: faa5d65ba56b6200d9aca632f4d58d558022064f4db22e77f659ebdbd97b4e3c
SHA3-384 hash: b69964fbf579b0147767c543db8005113dc04bb09a62d6019dcc99effb3858b46b08a27d47c6a638775d7274023736ea
SHA1 hash: f4b823f32d8b7e38dd435c42ead7713eb42e2289
MD5 hash: 739a1fe8d16d90efaf451d5e1429e6e6
humanhash: low-blue-fourteen-freddie
File name:payload.sh
Download: download sample
File size:6'377 bytes
First seen:2026-06-29 19:11:50 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 192:kTyloSdeQgQ5RQAQ5gQgQ5PQgQ52ak5cak5tak5ZXTylAKx6EFMeCF+xgvIyvUq5:hgQ5OAQ5RgQ5ogQ5215c15t15ZifJKUy
TLSH T10BD196E790B0FF3388845A1BF456F43CF46F23B26D740268356D39EAA1D0606B5A754E
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter BlinkzSec
URLMalware sample (SHA256 hash)SignatureTags
http://31.56.209.84/monero.x8613c5c94775f264cf9407e1aec42b51a55e2a7d7db611e02e3abb39f357eb8102 Mirai31-56-209-84 elf mirai
http://31.56.209.84/monero.mipsd4a7cbab265c80a26349ea916835206f31b169e367fd69ae0819ca7e59ab595d Mirai31-56-209-84 elf mirai
http://31.56.209.84/monero.arme13b8f85e0cef9889fb25edf9de8f947b27823c86b65ba456b1651b5e630cead Miraiarm elf mirai ua-wget
http://31.56.209.84/monero.arm5e13b8f85e0cef9889fb25edf9de8f947b27823c86b65ba456b1651b5e630cead Mirai31-56-209-84 elf mirai
http://31.56.209.84/monero.arm6e13b8f85e0cef9889fb25edf9de8f947b27823c86b65ba456b1651b5e630cead Mirai31-56-209-84 elf mirai
http://31.56.209.84/monero.arm7606632c141c6b730ace7cb72d7a14850d40a3a8d44d3b4dbd5ac438119e06dc6 Miraiarm elf mirai ua-wget
http://31.56.209.84/monero.arm80954c9d3f9c35a9e2557fea766da12e190e192d0bb0643b691d53bded9c27d87 Mirai31-56-209-84 elf mirai
http://31.56.209.84/monero.mipsel331e472f4295c9c2f3d1bea540e82d39a3407c2d93527cde7d4d9494581c98fa Mirai31-56-209-84 elf mirai
http://31.56.209.84/monero.ppc0348bc1e7db9a0fb758e7c3bf7d97c89cb873577dea51112c378b84cfef3700a Mirai31-56-209-84 elf mirai

Intelligence


File Origin
# of uploads :
1
# of downloads :
50
Origin country :
US US
Vendor Threat Intelligence
No detections
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-06-29T16:16:00Z UTC
Last seen:
2026-06-30T01:49:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Shell.Agent.p
Threat name:
Linux.Trojan.Generic
Status:
Suspicious
First seen:
2026-06-29 19:11:33 UTC
File Type:
Text (Shell)
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
linux
Behaviour
Writes file to tmp directory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh faa5d65ba56b6200d9aca632f4d58d558022064f4db22e77f659ebdbd97b4e3c

(this sample)

  
Delivery method
Distributed via web download

Comments