MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13779d2d17a962b7f2d9644c0fcbb1c2ac4a61baccfe6ff9a3cc1b66637c1521. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	13779d2d17a962b7f2d9644c0fcbb1c2ac4a61baccfe6ff9a3cc1b66637c1521
SHA3-384 hash:	6a352ec01a8d16ed0f627a54eff790d529eb174bd6a3464281e4df108d6fbbcc449105ab0b7a50eacc9f4a68b84da689
SHA1 hash:	1c4183fc2968732b0a13c7103579ecb5384559ee
MD5 hash:	025e6dc91cf49b9db71b98efa0f794c4
humanhash:	salami-purple-network-echo
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'346 bytes
First seen:	2025-07-28 16:47:24 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:Gm/ZsvbhTkHlfrmsvTtAGgJr63nL72NIpKksnMEvhHs7KcGgJsNdpk:GmqdA9D7tA12XLAJhJM7KBgJsJk
TLSH	T1136172FA13924633DDAA8EE332A88404718541DB94CE5FF55BFC34B50C8CED8BC42652
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.116.34/00101010101001/morte.x86	bd297ae9c45ffbfe444213d57dd4eb32d6212465d6c840f1a497cc20c533d4e9	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.mips	568780e2ac25888e3151dd8e8cb76d1ebdfd2e986e0fed4931d15656fa5b9eb1	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.arc	7321f337422bcdbac4f2a90af9d827e18fb1ead5acee542ecf05e4fe37e5822e	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.i468	n/a	n/a	elf opendir ua-wget
http://196.251.116.34/00101010101001/morte.i686	82444c55629dc38a74ad72ef9af7239b973f85aadd1c7d227205e529901e97fb	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.x86_64	750684d31633710b2a8bd3ffe886405d3a7ed4e5ad57779c742fba4e7a592018	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.mpsl	5d1b62d8c2acef405d9027ce927733d49d04464ed761421a74c9652bd0339709	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.arm	f83b76f66452fe975e2c15145bbcd4fb24b12192eddc87b1272a9413f11b4018	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.arm5	8b536240087f1627bf1417ee5529c42a17561a64b3f8628c907d1e023cc91893	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.arm6	f6ceab5e38268a31528821a82a6ad66b27031c8ecffef6c7e718bcca359d03b5	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.arm7	00969384d60395745426767373265dcc7aca5888936df57b2deafaefe780b9e4	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.ppc	ce2a3ca361d668031c19ea9bf31a5c96e37d6dc7d10c6ed9d7b7919df009850c	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.spc	196663d92cac163ac2730d386e4bc9261d29b8c6d811e8f5b5370c8633375f99	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.m68k	c9b7bbf730c616b2edbfc26eda34f7bff8d306bab45974e45083175778ebecce	Mirai	elf mirai ua-wget
http://196.251.116.34/00101010101001/morte.sh4	9756731375c8aaa5e4deb59e70739d555fbee90ec01276d839ea965f3c1c58b6	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/29722bb7-6b12-4861-8f8a-75cb60e31876

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/13779d2d17a962b7f2d9644c0fcbb1c2ac4a61baccfe6ff9a3cc1b66637c1521

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/13779d2d17a962b7f2d9644c0fcbb1c2ac4a61baccfe6ff9a3cc1b66637c1521/

Verdict:

Malicious

Threat:

HEUR:Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/13779d2d17a962b7f2d9644c0fcbb1c2ac4a61baccfe6ff9a3cc1b66637c1521

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-28 16:48:29 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cn3z2lixvfrlp4wzmrga7s5rykweuyn2zt7g76ndzqnwmy34cuqq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery execution linux persistence upx

Link:

https://tria.ge/reports/250728-vbbjysznv5/

Behaviour

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/13779d2d17a962b7f2d9644c0fcbb1c2ac4a61baccfe6ff9a3cc1b66637c1521

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.