MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09deb8e173ac1e46564968aa656b83723d4456fd7599182e185c8f376fd8711f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	09deb8e173ac1e46564968aa656b83723d4456fd7599182e185c8f376fd8711f
SHA3-384 hash:	f9a603811113003139406c544b06599d4028dfc5e118241faa7677fec4c541166b7bb834301a923d3b2ed456b646be17
SHA1 hash:	47f80c7f15389bc7678e5985a2fef363ef8b6e57
MD5 hash:	f3107d7fbba8987342c138b8b2932759
humanhash:	arkansas-carpet-arizona-charlie
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'077 bytes
First seen:	2025-09-10 03:45:06 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:YZZsfbhFkXlfXmsbT1uGgJ16znLzYNIpKksnMEvhJszMcGgJslRpk:YcNGtHP1u14LLuJhJizMBgJsJk
TLSH	T1715196E7238286335DF98EE735A88404728590ABD9CF9F7595ECB4BB0C5DF08B841653
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.117.150/bins/morte.x86	801a0f818048c2c72ccb610201e9371f3e7bfa33903c0fc7a798b6212fb9ae76	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.mips	e3c363c11a9cf54dfc72e796ea144cabaec43f7c5a4aa43d8e59ec03953a957d	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.arc	3d7530b2277449d52dcdac5f911ce7f4566bad04614fa1d65ae873024fdbecb5	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.i468	n/a	n/a	elf ua-wget
http://196.251.117.150/bins/morte.i686	23e2bdd536f81547ff57557d4d9b968c2a86cb75a156852c2bb38518f4e4952d	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.x86_64	d2c003bcbd57d29a13fcc8e39e4cee790914fd25e11824fd0b7b38c30634b213	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.mpsl	1a93705a2ab9e8661a0d9200cf8f05740395f6fa085f2e297aebcdc7a0443627	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.arm	7ed88c543f895ca2f753078b8b4ef0fc6b73069863d50ea5c27b35d87aa92dea	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.arm5	be96c5be1afbeb5b7ccb38b0197b96933144614c64cbed063c3af27702e15e2d	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.arm6	8b6883b128be51de0848f94b1062fb718b66db92536dd83777f3c48dc87140c2	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.arm7	24b000a8b8a924f968ccaf56b46292435d34084e0df4818ff1a4691a8ffb20f5	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.ppc	f90ba1da6d074a7e93130333104cf32c27925986c0075d4a97274a18e40a163b	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.spc	ab3c438e902a906e23b9da59c947df25f80d58468c14c887c9d92e2e6306f507	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.m68k	9fcd74fec43be953b48ce3263efff28766b511044033d3cbcf8851d11fd86322	Mirai	elf mirai ua-wget
http://196.251.117.150/bins/morte.sh4	81c4c4deb29820b176bf08f1fd0fcabb64c7dce256645f3aae0411b378befc97	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-10T01:37:00Z UTC

Last seen:

2025-09-10T01:37:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/09deb8e173ac1e46564968aa656b83723d4456fd7599182e185c8f376fd8711f/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/4cd5ecfb-6a05-4a2f-8204-a1e2b2bbd710

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/09deb8e173ac1e46564968aa656b83723d4456fd7599182e185c8f376fd8711f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/09deb8e173ac1e46564968aa656b83723d4456fd7599182e185c8f376fd8711f/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-09-10 03:46:34 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bhplryltvqpemvsjncvgk24doi6uivx5owmrqlqylshto36yoepq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250910-ebkjvscm3w/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

UPX packed file

Deletes log files

Enumerates running processes

File and Directory Permissions Modification

Deletes Audit logs

Deletes journal logs

Deletes system logs

Executes dropped EXE

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/09deb8e173ac/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/09deb8e173ac1e46564968aa656b83723d4456fd7599182e185c8f376fd8711f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.