MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1041e0cd4983cf59126b1fef00d9e3661c719bc7c3d63b716d60b162104b866f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	1041e0cd4983cf59126b1fef00d9e3661c719bc7c3d63b716d60b162104b866f
SHA3-384 hash:	fbe140056ee8ba8ff2ea400b814f9c7d03fb35b219acf2bb55c0023575180b3005b4d722454837c49e571758c57bb9a3
SHA1 hash:	a9401a9505e307893d653a7b848f946142a4ae51
MD5 hash:	553b90237f71e6d9910c716e71b671b0
humanhash:	cardinal-stream-jupiter-juliet
File name:	tvt.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	669 bytes
First seen:	2025-04-28 19:37:43 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:dWKDbnPZCz7whnKRz7wN0nKRz7wcnKRz78MnKRz78xnx:EIbkvNvELvcv8jv8D
TLSH	T13201FFDB08E1987440A60D9A7D93553454A5EE4839CAFFCAB8AD247FD2D8A34F0D3EC4
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.39.207.117/skid.arm	27f17c3a0788772b007a1a73f7d17e59b7315336e8d0a6d86858cd4260914d82	Mirai	censys elf mirai
http://185.39.207.117/skid.arm5	be13c9102d64e3959af0e91e865d1505a167aa86ffbb8b7ef534854b401089ad	Mirai	censys elf mirai
http://185.39.207.117/skid.arm7	6f3f6fbed4acbc2300cf98200234bae7ee8ef56b3189ae5a140a0f0c05d03d74	Mirai	censys elf mirai
http://185.39.207.117/skid.mips	3eae873cfc0e77ba60b0aedd75999fe5eab630ea57978d173f5939f5d5682940	Gafgyt	censys elf gafgyt
http://185.39.207.117/skid.mpsl	90eedf6f8a2582d2e20f22c3b65e285091f43e6d916b4cbdb436ca85c03250d6	Mirai	censys elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-36.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=680fe025c8b2e86d0ac3ee1dlinux22vpnfull_triage

Tags:

downloader mirai agent virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive expand lolbin remote

Link:

https://www.filescan.io/uploads/680fd939833df795debd0317/reports/1bc552bb-17ec-43de-834c-f5b813b80fe7/overview

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/1041e0cd4983cf59126b1fef00d9e3661c719bc7c3d63b716d60b162104b866f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1041e0cd4983cf59126b1fef00d9e3661c719bc7c3d63b716d60b162104b866f/

Threat name:

Linux.Downloader.SAgnt

Status:

Malicious

First seen:

2025-04-28 19:38:31 UTC

File Type:

Text (Shell)

AV detection:

12 of 24 (50.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cba6btkjqphvsetld7xqbwpdmyohdg6hypldw4lnmcyweeclqzxq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

credential_access defense_evasion discovery linux

Link:

https://tria.ge/reports/250428-ycgn5sxscz/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to shm directory

Writes file to tmp directory

Changes its process name

Reads process memory

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Renames itself

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1041e0cd4983cf59126b1fef00d9e3661c719bc7c3d63b716d60b162104b866f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 1041e0cd4983cf59126b1fef00d9e3661c719bc7c3d63b716d60b162104b866f

(this sample)

Mirai

elf 27f17c3a0788772b007a1a73f7d17e59b7315336e8d0a6d86858cd4260914d82

URLhaus

https://urlhaus.abuse.ch/url/3529210/

Delivery method

Distributed via web download

Dropping

MD5 7a4c6659930f27be0a0dfb273ae4bb0d

Dropping

SHA256 27f17c3a0788772b007a1a73f7d17e59b7315336e8d0a6d86858cd4260914d82

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample