MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fca0b419653c29b2b3c30df673d8810227ed32743035f7f063f005c540a6f45e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	fca0b419653c29b2b3c30df673d8810227ed32743035f7f063f005c540a6f45e
SHA3-384 hash:	de189c0b73b88cb7a7b8eeb6af221b6c62dfa036d620044c20efb9f91ebb86f01b1f5cf73f52e078f9b22181a21e1cbf
SHA1 hash:	68037301289ffebb5187eab921171a297b5cd7a3
MD5 hash:	2c57715711dd9d1da1c02bee5f2ac7df
humanhash:	diet-oklahoma-missouri-carbon
File name:	massload
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'583 bytes
First seen:	2025-12-19 05:21:20 UTC
Last seen:	2025-12-19 14:41:10 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:z5EMy0MBkUtU7xU+UVaUCU9WUbUVJU5UzKXRCAUTAU73XU8XUVozUQzU9UgHhUFW:z563mjCBHFHmbOOjuoXT4
TLSH	T1125150B829719F374C65DF8770224BB9740FACCFE8A48B5C949F24FC8E6A505741071A
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.208.158.242/mips	0e1ab2890eef2d63ca248b23f71f63b0bb2654799a9147843f9a7fa197fe0818	Mirai	32-bit elf mirai Mozi
http://185.208.158.242/mpsl	f717ada653d0adf9a0f1a7c338c9b03521fdc0d8a78356dffc7226c47588dea7	Mirai	elf geofenced mips mirai ua-wget USA
http://185.208.158.242/arm4	n/a	n/a	elf ua-wget
http://185.208.158.242/arm5	fd853807beb17822d8654b02f8ab34feb54f60e2d844cdce29a0a4976725739c	Mirai	arm elf geofenced mirai ua-wget USA
http://185.208.158.242/arm7	c819cd3e58864a49bd657b76cf4d8959b82e39ce99acd9e2cfd4658172aa5d64	Mirai	arm elf geofenced mirai ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox

Link:

https://www.filescan.io/uploads/6944ee28e126b9ff43883caf/reports/8b1723d4-5a5b-4fbb-95d5-d7b4dece554b/overview

Verdict:

Malicious

Labled as:

Trojan[Downloader]/Shell.Agent

Link:

https://www.hybrid-analysis.com/sample/fca0b419653c29b2b3c30df673d8810227ed32743035f7f063f005c540a6f45e

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-19T03:15:00Z UTC

Last seen:

2025-12-20T12:21:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/fca0b419653c29b2b3c30df673d8810227ed32743035f7f063f005c540a6f45e/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/0f5b1f95-0b77-4de2-9e5f-5dd1fc093c21

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/fca0b419653c29b2b3c30df673d8810227ed32743035f7f063f005c540a6f45e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fca0b419653c29b2b3c30df673d8810227ed32743035f7f063f005c540a6f45e/

Verdict:

Malicious

Threat:

Family.Mirai

Link:

https://tip.neiki.dev/file/fca0b419653c29b2b3c30df673d8810227ed32743035f7f063f005c540a6f45e

Threat name:

Linux.Trojan.Vigorf

Status:

Malicious

First seen:

2025-12-19 06:18:18 UTC

File Type:

Text (Shell)

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7sqliglfhqu3fm6dbx3hhwebait62mtuga27p4dd6ac4kqfg6rpa._file

Result

Malware family:

n/a

Score:

10/10

Tags:

antivm credential_access defense_evasion discovery linux

Link:

https://tria.ge/reports/251219-g2t74aykdw/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Changes its process name

Checks CPU configuration

Reads process memory

Deletes log files

Enumerates running processes

File and Directory Permissions Modification

Deletes system logs

Executes dropped EXE

Renames itself

Unexpected DNS network traffic destination

Contacts a large (29041) amount of remote hosts

Creates a large amount of network flows

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fca0b419653c29b2b3c30df673d8810227ed32743035f7f063f005c540a6f45e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh