MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b780042004c95f24509f5495365713cd9e30cb9ea479e9621cb1fc8c890ebff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: 8b780042004c95f24509f5495365713cd9e30cb9ea479e9621cb1fc8c890ebff
SHA3-384 hash: a38d85941e07a315b949dee6027b4552052ed179d22e1384b8ef6c4f8f2bbb8ed3e4c36d5cd1011360b5c35bd06f7ff5
SHA1 hash: 7d91c9b9e072c6112497e3cc050a8b44a8a27bda
MD5 hash: 89084199299f5436d76b38b52f42761d
humanhash: nevada-minnesota-colorado-kilo
File name: 1.sh
Signature Mirai
File size: 3'224 bytes
First seen: 2025-11-23 17:36:56 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep 24:It1sZgVTisP7OnJGL91L94NIAksRB3sLe3bJY:iuZgxzP7OJijL8JRB3sL49Y
TLSH T18961599A30420AB16C79CFB372ADA5583183D0E69EEF3F05D6DD2AEC80ACD56F540742
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags: mirai sh

Intelligence 7 IOCs (URLs the script fetches, with the SHA256 of each payload where MalwareBazaar has it; n/a = not recorded):

URL | Malware sample (SHA256 hash) | Signature | Tags
http://5.180.82.195/windyloveyou/windy.x86 | 5db94cabb4b0b15b59009ad712ddf60e4cb7b88e687ce72ce109a23ca1e836a3 | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.mips | 28ba3f9880e1530c986c241f1de4245ed8c59ee8f67c9a6d9e82f8ccc84fb2a2 | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.arc | 357d5b31d3a00a1907e06904a9502feab02e2a6387eca4eaf1aebef87f1dcb14 | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.i468 | n/a | n/a | elf ua-wget
http://5.180.82.195/windyloveyou/windy.i686 | ff1b5b181b04d3b18b5522a827e0f97727e140a8c3ff7853e4acbc61f289fb31 | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.x86_64 | 4551d2fb0b9f348564161dd0c3fb706c871fd0a08d1f031272378eb2d39ed6d1 | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.mpsl | 8baa023d02513e6f70db36ea3bdb248b645bc131e797f762a8404cb04ea5b545 | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.arm | fa8112599efe186712a6883ce5ac028f6d7d8e5d7301b92f5ec42ac1801c939d | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.arm5 | a1b14673caab6263f864ea5cfdbee227f5b10b65f138cd157bc71765d0973ef3 | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.arm6 | c9d427896d2e97a6ea63cacc6a8aed0d611c965339be89165d332ae9935cc0c5 | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.arm7 | f326d8d662ea92ec9c0c073ee18b0f20df776a752a137383e7674a8a4b8d39e8 | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.ppc | 592a0212029d3b77c6fa2dd9da73eaf8c3656bc2f89b23edea61ae1ab22817a5 | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.spc | 5ec5e1e7a90dd14c7f212e3e032fe6a3cf12d584f790493de038f33c3d5fb34c | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.m68k | 2d125480f55af5c726ab22994bfe2fc32899e738a381cc98827558cbb027953f | Mirai | elf ua-wget
http://5.180.82.195/windyloveyou/windy.sh4 | fa3e5fc1874e50e801704a5825b7e6fd61e9f2f5a8fd13d646ab18c52b36add0 | Mirai | elf ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 29
Origin country: DE
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
busybox evasive medusa mirai obfuscated
Result
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-11-23T13:21:00Z UTC
Last seen:
2025-11-23T14:07:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph (process tree; every edge is an execve):
/usr/bin/sudo (pid 2491)
  -> /tmp/sample.bin (pid 2501)
       -> /usr/bin/cp (pid 2503)
       -> /usr/bin/wget (pid 2515)
Threat name:
Linux.Downloader.Medusa
Status:
Malicious
First seen:
2025-11-23 17:37:23 UTC
File Type:
Text (Shell)
AV detection:
20 of 36 (55.56%)
Threat level:
  3/5
Result
Malware family:
Score:
  10/10
Tags:
family:mirai antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Creates a large amount of network flows
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Malware Config
C2 Extraction:
dot.cbzp.fun
Please note that we are no longer able to provide a coverage score for Virus Total.
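The indicators this entry exposes are a single payload host and path prefix, one hash per architecture-specific ELF, the stage-1 script's own hash, and the C2 domain from the Malware Config. The following is an added example (not MalwareBazaar's code and not the sample's own script) that turns those rows into a matcher and runs it over constructed proxy, DNS and file-hash records; the record format and the sample records are assumptions made for the example, while every host, path, hash and domain is copied from the entry above.

```python
"""Added example: match the IOCs from this MalwareBazaar entry against
constructed telemetry. Not MalwareBazaar code; not the sample's script."""
import re
from urllib.parse import urlparse

# Payload host and path prefix, from the URL table in this entry.
PAYLOAD_HOST = "5.180.82.195"
PAYLOAD_PREFIX = "/windyloveyou/windy."

# SHA256 per architecture suffix, copied from the entry (None = not recorded).
PAYLOAD_SHA256 = {
    "x86":    "5db94cabb4b0b15b59009ad712ddf60e4cb7b88e687ce72ce109a23ca1e836a3",
    "mips":   "28ba3f9880e1530c986c241f1de4245ed8c59ee8f67c9a6d9e82f8ccc84fb2a2",
    "arc":    "357d5b31d3a00a1907e06904a9502feab02e2a6387eca4eaf1aebef87f1dcb14",
    "i468":   None,
    "i686":   "ff1b5b181b04d3b18b5522a827e0f97727e140a8c3ff7853e4acbc61f289fb31",
    "x86_64": "4551d2fb0b9f348564161dd0c3fb706c871fd0a08d1f031272378eb2d39ed6d1",
    "mpsl":   "8baa023d02513e6f70db36ea3bdb248b645bc131e797f762a8404cb04ea5b545",
    "arm":    "fa8112599efe186712a6883ce5ac028f6d7d8e5d7301b92f5ec42ac1801c939d",
    "arm5":   "a1b14673caab6263f864ea5cfdbee227f5b10b65f138cd157bc71765d0973ef3",
    "arm6":   "c9d427896d2e97a6ea63cacc6a8aed0d611c965339be89165d332ae9935cc0c5",
    "arm7":   "f326d8d662ea92ec9c0c073ee18b0f20df776a752a137383e7674a8a4b8d39e8",
    "ppc":    "592a0212029d3b77c6fa2dd9da73eaf8c3656bc2f89b23edea61ae1ab22817a5",
    "spc":    "5ec5e1e7a90dd14c7f212e3e032fe6a3cf12d584f790493de038f33c3d5fb34c",
    "m68k":   "2d125480f55af5c726ab22994bfe2fc32899e738a381cc98827558cbb027953f",
    "sh4":    "fa3e5fc1874e50e801704a5825b7e6fd61e9f2f5a8fd13d646ab18c52b36add0",
}
STAGE1_SHA256 = "8b780042004c95f24509f5495365713cd9e30cb9ea479e9621cb1fc8c890ebff"
C2_DOMAINS = {"dot.cbzp.fun"}  # from the Malware Config section of the entry

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def build_hash_set():
    """Every recorded payload hash plus the stage-1 script, validated as hex SHA256."""
    hashes = {STAGE1_SHA256: "stage1 1.sh"}
    for arch, sha in PAYLOAD_SHA256.items():
        if sha is None:
            continue  # windy.i468 has no hash in the entry; it is still matched by URL
        if not SHA256_RE.match(sha):
            raise ValueError(f"bad SHA256 for {arch}: {sha}")
        hashes[sha] = f"payload windy.{arch}"
    return hashes


def classify_url(url):
    """Return the architecture suffix if url is one of the payload URLs, else None.

    Matching on host + path prefix (not the full URL list) also catches a fetch
    of a suffix the entry has no hash for, such as windy.i468."""
    u = urlparse(url)
    if u.hostname != PAYLOAD_HOST or not u.path.startswith(PAYLOAD_PREFIX):
        return None
    return u.path[len(PAYLOAD_PREFIX):]


def scan_records(records):
    """records: list of (kind, value) with kind in {'url', 'dns', 'sha256'}.

    Returns [(index, reason)] for every record matching an indicator from the entry."""
    hashes = build_hash_set()
    hits = []
    for i, (kind, value) in enumerate(records):
        if kind == "url":
            arch = classify_url(value)
            if arch is not None:
                hits.append((i, f"payload fetch for arch {arch}"))
        elif kind == "dns" and value.lower().rstrip(".") in C2_DOMAINS:
            hits.append((i, f"C2 lookup {value}"))
        elif kind == "sha256" and value.lower() in hashes:
            hits.append((i, hashes[value.lower()]))
    return hits


# Constructed telemetry (assumed format, not from the entry): a proxy URL, a DNS
# query, a benign URL, the hash of a carved file, and a fetch of the unhashed suffix.
SAMPLE_RECORDS = [
    ("url", "http://5.180.82.195/windyloveyou/windy.mips"),
    ("dns", "dot.cbzp.fun."),
    ("url", "http://example.com/index.html"),
    ("sha256", "4551d2fb0b9f348564161dd0c3fb706c871fd0a08d1f031272378eb2d39ed6d1"),
    ("url", "http://5.180.82.195/windyloveyou/windy.i468"),
]

if __name__ == "__main__":
    for idx, reason in scan_records(SAMPLE_RECORDS):
        print(idx, SAMPLE_RECORDS[idx][1], "->", reason)
```

Matching on the host and path prefix rather than on the exact URL list is deliberate: the entry records no hash for windy.i468, and a loader of this kind is typically re-uploaded with new payload builds, so the hashes age faster than the hosting path. The hash set is still worth keeping for matching files carved from /tmp or a bin directory, which is where the behaviour list above says the dropped ELFs are written.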

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Shellscript_Downloader
Author:albertzsigovits
Description:Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Mirai
    sh 8b780042004c95f24509f5495365713cd9e30cb9ea479e9621cb1fc8c890ebff (this sample)

Delivery method: Distributed via web download

Comments