MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 027634fc4a6cfb7aa05f59966c5285314f37aafb985d27b116863988ecf0adef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	027634fc4a6cfb7aa05f59966c5285314f37aafb985d27b116863988ecf0adef
SHA3-384 hash:	8be87a8e5c9876ae4cd038a48a151717bf86a06001e5b41bb5507aec4428523d0698117e3fb8f88a77c181ac5ce7c98b
SHA1 hash:	31e64948ab58612378d5e812a461c4b634f7fa07
MD5 hash:	ff9f171a78d936451d53f5cd9f8d8d50
humanhash:	bulldog-robert-lion-magazine
File name:	2.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'362 bytes
First seen:	2025-11-15 07:35:17 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:xjlStMXSsBbuSP+NSU5lASynYSGTUSTnTGxJSpA/S2jMSlnlNIpJS8xMtSgduS7e:/bo1Mam+TQJTGpYCNGzBgJVFjv
TLSH	T17C6170F72388063B5CB6C9D672B90444B19481AB14CE6F73ABDC38B61D8DECC7C42662
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://41.216.189.110/00101010101001/morte.x86	6b8117e57a2b87b7c07cd609d3478f8027ade35043062b6488457fe9466d8568	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.110/00101010101001/morte.mips	2d4a96fdb4a0dcc89308bc1d799f8a4d3509bfcb381c8525b321b6b7bcab9aa0	Mirai	elf geofenced mips mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.arc	5160c864a5c5542b4efa4b7952f1e982c95d0576cf5c149bad7e18017ef9aada	Mirai	arc elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.i468	n/a	n/a	elf ua-wget
http://41.216.189.110/00101010101001/morte.i686	c09490aa3ea0e45aa2512f7a369a34399f6b0b4dd9f654d8946202096d3d48a6	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.110/00101010101001/morte.x86_64	5fa965225e35c97914d3d6b771c39e2971d4b8914609922852fe1efbc9a6010d	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.110/00101010101001/morte.mpsl	1394597ae3c643387f065c3aab90c5a6c4d0ab7d6ec30f6ca761cf446d509d66	Mirai	elf geofenced mips mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.arm	0439be6a9f9aaf5623ce70f54f82ab5268a44e746bde17138516f52896edeeec	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.arm5	f5a3b1941dce7671aad2f0c427452a8f4643d0bd6506fd563f669c22d6db4a05	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.arm6	963e41aeaa3f297bff3ae1f0acc83b9a4d94f941d00aea025bc8a091757860f7	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.arm7	dfafa5b4d7a552dfbbc3f03e47adc80fa21ad45da03c1ebcf927377229d8c867	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.ppc	67bcae4e962af5378b2e2b6c29ab298d1806cb7487158138b4e9fbf503e427f2	Mirai	elf geofenced mirai opendir PowerPC ua-wget USA
http://41.216.189.110/00101010101001/morte.spc	4fe283d9131ca04a8dc9da34a9ca9b8b92db99f1a39bd434e20f0c39095b9f2c	Mirai	elf geofenced mirai opendir sparc ua-wget USA
http://41.216.189.110/00101010101001/morte.m68k	ceba64aafe8d83bf0ea695c0290fd23e591b6afb660962ef4fd7ec27e4675610	Mirai	elf geofenced m68k mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.sh4	a392585d6003c1ce9fe4983cb7edf01cc8d36b2f33fbda420380fb48dbc6be79	Mirai	elf geofenced mirai opendir SuperH ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive medusa mirai

Link:

https://www.filescan.io/uploads/69182d4259887d113b3468f3/reports/a4d2f86d-320d-4869-a817-4796292362a2/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-15T01:31:00Z UTC

Last seen:

2025-11-15T02:13:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/027634fc4a6cfb7aa05f59966c5285314f37aafb985d27b116863988ecf0adef/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/e837fed9-fccc-4462-843b-8c9e8d5bc41a

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/027634fc4a6cfb7aa05f59966c5285314f37aafb985d27b116863988ecf0adef

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/027634fc4a6cfb7aa05f59966c5285314f37aafb985d27b116863988ecf0adef/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-15 07:35:29 UTC

File Type:

Text (Shell)

AV detection:

17 of 24 (70.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aj3dj7cknt5xvic7lglgyuufgfhtpkx3tbospmiwqy4yr3hqvxxq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/251115-jexqtasmes/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/027634fc4a6cfb7aa05f59966c5285314f37aafb985d27b116863988ecf0adef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.