MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0779e3aaecf413f7e1cf4bda84bdbd020093977742df6889dcf6cf535070690e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	0779e3aaecf413f7e1cf4bda84bdbd020093977742df6889dcf6cf535070690e
SHA3-384 hash:	39db775053e91a8ce6626651e41ed14fb2f1dc055b4758410674df99d32a92ea88791bc8fcb910e238dbe27390dda566
SHA1 hash:	49a90cc34adaa6f508fda84d9963bf4a6003c191
MD5 hash:	f39d54871f6b5ca8163460e2ff0e256b
humanhash:	snake-echo-avocado-washington
File name:	lol.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'874 bytes
First seen:	2025-10-26 22:43:59 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItrsZyV5bZ8sUYo7vJFC0CLF8O8NIuHksLsK6wCsLqYYO7/NYGsM:igZSNZRUYo7BILLcJ6+LqYD7/NYGsM
TLSH	T1F5815A8D24565F7358ADAF62E26A054B7357649186CF8F06FBCC68E98088D0E7304BCD
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://143.20.185.102/windyluvexecutor/executor.x86	865a75b150a813340a7104d5560a85cd6d67a2356222dcc869996f5a4419517e	Mirai	DEU elf geofenced mirai ua-wget USA x86
http://143.20.185.102/windyluvexecutor/executor.mips	dc64c12b0ec473e915c9d177dd4731f88e8d3d50e6eb0c5dbd2f5d37c9a4da35	Mirai	elf geofenced mips mirai ua-wget USA
http://143.20.185.102/windyluvexecutor/executor.arc	7f379aa86e371fdc573095e500828b2e143a1fb77c11a8223216d0d96786739a	Mirai	arc elf geofenced mirai ua-wget USA
http://143.20.185.102/windyluvexecutor/executor.i468	n/a	n/a	DEU elf geofenced ua-wget
http://143.20.185.102/windyluvexecutor/executor.i686	23c81b361a96e2884bb187ba241e751cdab9f5da2f1dde37dd2c9c8e1505f9c8	Mirai	elf geofenced mirai ua-wget USA x86
http://143.20.185.102/windyluvexecutor/executor.x86_64	03796d3a2d2ab7dbd786648e5d972f5a8456bb61cc635f34797dd7d63d95126b	Mirai	elf geofenced mirai ua-wget USA x86
http://143.20.185.102/windyluvexecutor/executor.mpsl	c0e9a142c33347f399bfdf1069309e9a8eed39e79ee22e494ffd58af2631abc8	Mirai	elf geofenced mips mirai ua-wget USA
http://143.20.185.102/windyluvexecutor/executor.arm	bac5d8c3e9b94bae1a46746647843b0432cad631c81ce78a0119c3528c2fd9a3	Mirai	arm DEU elf geofenced mirai ua-wget USA
http://143.20.185.102/windyluvexecutor/executor.arm5	8cd3535da95571a635a3237a6442789af1b8f8876c5fc14b085b09b2bc18f21e	Mirai	arm DEU elf geofenced mirai ua-wget USA
http://143.20.185.102/windyluvexecutor/executor.arm6	e5b9b14bbee46a556b83c426ae2ff1333002d8af8a05dd500dd764338950cfcc	Mirai	arm elf geofenced mirai ua-wget USA
http://143.20.185.102/windyluvexecutor/executor.arm7	ce7ea8c1648fcb4720e47f3d08356f74b58dcf4f4d5030f970ffb5a8d5f23385	Mirai	arm DEU elf geofenced mirai ua-wget USA
http://143.20.185.102/windyluvexecutor/executor.ppc	25065b23fd9d6e28220ff769f3277344ea8237999862953f9bbb546744c1dccf	Mirai	elf geofenced mirai PowerPC ua-wget USA
http://143.20.185.102/windyluvexecutor/executor.spc	ed18b58920110d347404ee4367ba6e198ea83c37bdac26d989ec2429e443ce18	Mirai	elf geofenced mirai sparc ua-wget USA
http://143.20.185.102/windyluvexecutor/executor.m68k	8dc34fdd0f9b236af5d88c1d4e8fb06381488dc70903f16c106d5393da816f14	Mirai	elf geofenced m68k mirai ua-wget USA
http://143.20.185.102/windyluvexecutor/executor.sh4	8b72d37d2e563142a0bcafc4b1e4cd7a9b1e4f97fd906e799b4a4bf8d9c250e6	Mirai	DEU elf geofenced mirai SuperH ua-wget USA
http://143.20.185.102/windyluvexecutor/executor.arm64	148ddb73e5415fcb6564679c37c9361615d6d9c1650a1060e076b25ce28fc1d2	Mirai	arm DEU elf geofenced mirai ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-26T04:18:00Z UTC

Last seen:

2025-10-27T10:13:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/0779e3aaecf413f7e1cf4bda84bdbd020093977742df6889dcf6cf535070690e/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/43b8eaad-a2aa-439d-882d-f3d4a5991128

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/0779e3aaecf413f7e1cf4bda84bdbd020093977742df6889dcf6cf535070690e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0779e3aaecf413f7e1cf4bda84bdbd020093977742df6889dcf6cf535070690e/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-26 09:10:19 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=a546hkxm6qj7pyopjpnijpn5aiajhf3xilpwrco463hvgudqneha._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251026-2n771swpaq/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/0779e3aaecf4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/0779e3aaecf413f7e1cf4bda84bdbd020093977742df6889dcf6cf535070690e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.