MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff86b365045d30bad56d386f863d9aaf133f19b6653b9f5a16a3a41c323653ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	ff86b365045d30bad56d386f863d9aaf133f19b6653b9f5a16a3a41c323653ac
SHA3-384 hash:	645196d796ec56c59710a3b4476463857488c8c38b3c9834e898eb0bbe3102419a7e68df30f03492e40b987be0dcde91
SHA1 hash:	237aecd0e986d5b645aa42c6f43679ba75810349
MD5 hash:	824615a653b714292cc441b4f3944646
humanhash:	london-idaho-blue-winner
File name:	w.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'140 bytes
First seen:	2025-12-21 02:23:22 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:TObLzjIXOzxNI5nXz1rKDgzUp5zd+4zfsp5zBCq5ztuklzcxxzyvYgzTMuHA:TeLzoOzAXzxygzk5zM4zfM5zIq5zQklA
TLSH	T1F82178CE22509226C90CDF883F5D653CA558ABE4E5A08F289CDD487DAB9CA187167F09
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://143.20.185.78/bins/frost.arm	8a6ddd16ceeec5a114f3e8319a225ce5f75cba9225d79855231de0b113472d1f	Mirai	arm elf geofenced mirai ua-wget USA
http://143.20.185.78/bins/frost.arm5	98e2d7934b42ebce6ecbdbf56fb8bb1c0335bab4dc8b644404b8d8b41a496543	Mirai	arm elf geofenced mirai ua-wget USA
http://143.20.185.78/bins/frost.arm6	30d1e33d231e28919cf36bf997a44965ad39c7f8dad59484906fd1e8e2826ed4	Mirai	arm elf geofenced mirai ua-wget USA
http://143.20.185.78/bins/frost.arm7	c9a4f7b1626cfc17d700850cf30703632e96354ae80b1c49532acb3b464d19ec	Mirai	arm elf geofenced mirai ua-wget USA
http://143.20.185.78/bins/frost.m68k	d265fd196d8c4113f2a52dd397cfd60d75c125983f944e4869adf929e78ce039	Mirai	elf geofenced m68k mirai ua-wget USA
http://143.20.185.78/bins/frost.mips	37c634fbfbfce823c3e25f381578336d285b49208ad9bb155493ab2b3923d23a	Mirai	elf geofenced mips mirai ua-wget USA
http://143.20.185.78/bins/frost.mpsl	881c736b0ef28f73fd09a7ed06dc6b4935f0a9e95bcd8ad05ed9bd022e3a4a7f	Mirai	elf mirai ua-wget
http://143.20.185.78/bins/frost.ppc	cf642a2210f02af51797257777169041c7d55d1558d030e36ce69d2321ff8601	Mirai	elf geofenced mirai PowerPC ua-wget USA
http://143.20.185.78/bins/frost.sh4	ab4454e6726ed09e3045755d53d4168e30b74fb5c3f2fb82d472789b65059075	Mirai	elf geofenced mirai SuperH ua-wget USA
http://143.20.185.78/bins/frost.spc	199380dcab2a4acf4d919972002884eff2d01a7e4f1b9228514bf187efef6ff6	Mirai	elf geofenced mirai sparc ua-wget USA
http://143.20.185.78/bins/frost.x86	eec7f66f18d53e7a73987d079bbea53d3cb060b83388fd0d850cff7a5aac1f8e	Mirai	elf geofenced mirai ua-wget USA x86
http://143.20.185.78/bins/frost.x86_64	2bdb5c71ddc686e9387663a1d114aa12f8c9f5466a47b3da0e9050c6694cd6c4	Mirai	elf geofenced mirai ua-wget USA x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.Downloader-32.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

busybox mirai

Link:

https://www.filescan.io/uploads/69475a4f3f8fdbf8e94d4888/reports/86542fa9-6db4-4acf-9cf6-08d0587dc1ba/overview

Verdict:

Malicious

File Type:

ps1

First seen:

2025-12-21T00:18:00Z UTC

Last seen:

2025-12-21T15:06:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/ff86b365045d30bad56d386f863d9aaf133f19b6653b9f5a16a3a41c323653ac/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/78ecf339-9c65-4eb3-9bfa-0883042d1001

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/ff86b365045d30bad56d386f863d9aaf133f19b6653b9f5a16a3a41c323653ac

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ff86b365045d30bad56d386f863d9aaf133f19b6653b9f5a16a3a41c323653ac/

Threat name:

Linux.Trojan.Generic

Status:

Suspicious

First seen:

2025-12-21 03:15:10 UTC

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=76dlgzieluylvvlnhbxympm2v4jt6gnwmu5z6wqwuosbymrwkowa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251223-n3cg1awpdv/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/ff86b365045d30bad56d386f863d9aaf133f19b6653b9f5a16a3a41c323653ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh