MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1551d33d26531767211244f0e646501a707170399859c9866ac1e704888d1939. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	1551d33d26531767211244f0e646501a707170399859c9866ac1e704888d1939
SHA3-384 hash:	f90f80a5602c16aefb2b32de4aef74b35aacea52c2c4a672dae285ac706fd4f94196d921cd6f1184bc1a82006d5dd14f
SHA1 hash:	95339e0e5a5e8d50828c94fcebbc4465cf83fe01
MD5 hash:	3b33f816b3b545c43bf80fb6a461a133
humanhash:	pip-july-single-july
File name:	test.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'583 bytes
First seen:	2025-09-29 18:21:49 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	48:UaebsLsa7U/sQ0sNshs/DBslY0sfsnsGYsH/sdf:UaeQAaG2q/DKeUsGtUN
TLSH	T1805153C9277267352C56DA7273AF8808B2B1E0AA70CA1F4769DC38F5C48DE053275EB5
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://161.97.149.138/systemcl/arc	62fe11867609d9e615a9e4356e2770c1186cf083109c2aa6e06bd3273969246c	Mirai	elf mirai
http://161.97.149.138/systemcl/arm	0aa6fd4f78bcee9f77a93153de85f0db4aa2e42464afcad9564ef46528697d44	Mirai	32-bit elf mirai Mozi
http://161.97.149.138/systemcl/arm5	4b3fafa6af227c69f3164a2b4f85e7024361a714347c7f691099ed80736916ab	Mirai	elf mirai
http://161.97.149.138/systemcl/arm6	899c7e47c4e8f921e14bed7dcca677ed995ead6369168433011cac67ef6e5a59	Mirai	elf mirai
http://161.97.149.138/systemcl/arm7	527debaef309134677a1c3a450dc5aea1f3a2a6f742fad86a20c80274c749630	Mirai	elf mirai
http://161.97.149.138/systemcl/m68k	b819a17fd9314f13890dce05291b4c14b40477f0546c7481b4c2af576928244e	Mirai	elf mirai
http://161.97.149.138/systemcl/mips	dc49d000be3daa749c372da39aad50bc49e8d944c7c868fb70b7d15e159d79d3	Mirai	32-bit elf mirai Mozi
http://161.97.149.138/systemcl/mpsl	c5da1b833565988e4bb1729244b07d55ff21148392a7143ff5aab70f43788d6b	Mirai	elf mirai
http://161.97.149.138/systemcl/ppc	dcd7d4b917223e33897da06b7fdb676d16aa4d7afc0276bb4525c275b0a45b10	Mirai	elf mirai
http://161.97.149.138/systemcl/sh4	n/a	n/a	elf ua-wget
http://161.97.149.138/systemcl/spc	n/a	n/a	elf ua-wget
http://161.97.149.138/systemcl/x86	d167fe5abe306825e029bd799bb645048ccae15dca31ea4ac9fcb8b416142a3a	Mirai	32-bit elf mirai Mozi
http://161.97.149.138/systemcl/x86_64	d167fe5abe306825e029bd799bb645048ccae15dca31ea4ac9fcb8b416142a3a	Mirai	elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

text

Link:

https://opentip.kaspersky.com/1551d33d26531767211244f0e646501a707170399859c9866ac1e704888d1939/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/d45e071a-0d16-4463-84c9-26fec12b2cf8

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/1551d33d26531767211244f0e646501a707170399859c9866ac1e704888d1939

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1551d33d26531767211244f0e646501a707170399859c9866ac1e704888d1939/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/1551d33d26531767211244f0e646501a707170399859c9866ac1e704888d1939

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-09-29 18:00:26 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cvi5gpjgkmlwoiisityomrsqdjyhc4bztbm4tbtkyhtqjcende4q._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250929-wz6kns1td1/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/1551d33d26531767211244f0e646501a707170399859c9866ac1e704888d1939

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.