MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd94dbbff5b06684c9366467bf6030abe96ad0e6d232d31240e5e23e6ba1f6c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	fd94dbbff5b06684c9366467bf6030abe96ad0e6d232d31240e5e23e6ba1f6c6
SHA3-384 hash:	49aa2fbd594a198c51bd71d597683cb350389162ee1c40696e02dc83959e0ad2bafed0d897f7967ee290d6b072b62dc3
SHA1 hash:	b55232ceb9cb1f92a3e2aef8cb83cee379c85560
MD5 hash:	9190d1f66f25ab4841c28978c7559c01
humanhash:	oxygen-red-mountain-march
File name:	wget.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	914 bytes
First seen:	2026-01-26 18:18:05 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:yw1YhalN9NIl5iCa0LKvNgOF9JM/O7tjLSOZhNtYif2G9aftVv:BzljNI7/KeI7B5LlbNtYiO0afLv
TLSH	T1D81198DD2591A36E06899D08FC710C4EB108C1C9A4F52F74ED49587E89D77057425FE7
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://147.135.3.192/bins/arm	1396d4e1232caaf2f1a4ef6cfb0f6d1e1be161ffde737df4b1dcb2de7977e68f	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://147.135.3.192/bins/arm5	18b715dbe9d54e5aacaa0ff45c569ec651e9cd8f618195a104317b0dc2f54f70	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://147.135.3.192/bins/arm6	a9477a12b3f266a05f62e5eff528e8162e2cd36e0e0b891d5ad088d33c4b79d1	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://147.135.3.192/bins/arm7	93b9307448b4b74889840101b77336a5153e5f07c13d368445f29a881079bd40	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://147.135.3.192/bins/m68k	2d3089c3fe4d0a894c8a526545aa53b1d1271b411be14f5c665df690d173a916	Mirai	elf geofenced m68k mirai opendir ua-wget USA
http://147.135.3.192/bins/mips	d02346db29ea7d2673b5a77f4db60be737f8dfef0201bdbeaf2d57076190c97f	Mirai	elf geofenced mips mirai opendir ua-wget USA
http://147.135.3.192/bins/mpsl	n/a	n/a	geofenced ua-wget USA
http://147.135.3.192/bins/ppc	717afd051e5da8bda3f26ebb733732c8f672db20b544aab2d23e924dcf9f596a	Mirai	elf geofenced mirai opendir PowerPC ua-wget USA
http://147.135.3.192/bins/sh4	ec1c1f0f7bfc129b1f6ce18609f137795b9d332d91c2d6adce581081dffbbd25	Mirai	elf geofenced mirai opendir SuperH ua-wget USA
http://147.135.3.192/bins/spc	b44cb571bd84e3a4b06c7260a8bd68c98e647d4cb68c3629f2c7263e88126a7d	Mirai	elf geofenced mirai opendir sparc ua-wget USA
http://147.135.3.192/bins/x86	3ca32132130a999b589e3da4dfb47ddc44527b8e6ee15176bf6b9354cd62ae67	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://147.135.3.192/bins/x86_64	239d22c2de73458f22e29788e84a4405791d7b744142568949f0e9d2f098a4cd	Mirai	elf geofenced mirai opendir ua-wget USA x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-25T10:02:00Z UTC

Last seen:

2026-01-27T21:39:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/fd94dbbff5b06684c9366467bf6030abe96ad0e6d232d31240e5e23e6ba1f6c6/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/30d8509c-a632-4636-bae2-4f902ade5068

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/fd94dbbff5b06684c9366467bf6030abe96ad0e6d232d31240e5e23e6ba1f6c6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fd94dbbff5b06684c9366467bf6030abe96ad0e6d232d31240e5e23e6ba1f6c6/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/fd94dbbff5b06684c9366467bf6030abe96ad0e6d232d31240e5e23e6ba1f6c6

Threat name:

Document-HTML.Downloader.Heuristic

Status:

Malicious

First seen:

2026-01-25 13:26:05 UTC

File Type:

Text (Shell)

AV detection:

15 of 36 (41.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7wknxp7vwbtijsjwmrt36ybqvpuwvuhg2izngesa4xrd425b63da._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:owari botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260126-wxvqdsdy2e/

Behaviour

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

Enumerates active TCP sockets

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/fd94dbbff5b06684c9366467bf6030abe96ad0e6d232d31240e5e23e6ba1f6c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh