MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d5e0a8d1c8d12a09502db45cc6fb08de9456b81ccaf1fbc22cec2fcdb4e0c61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	1d5e0a8d1c8d12a09502db45cc6fb08de9456b81ccaf1fbc22cec2fcdb4e0c61
SHA3-384 hash:	ee5e86dfb23cb4baccc9b8805b3b183bba7a991c84a2ad11bf4c00c57ecf71dac5e2fd957ba5d7e88a55c34951d27544
SHA1 hash:	7517058079d3532892333ffa04ca5d57b0b84a97
MD5 hash:	d13d2a795eca68d7965bb032780dd035
humanhash:	uniform-nebraska-massachusetts-colorado
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'314 bytes
First seen:	2025-07-08 18:08:03 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:i1Cf1lV10z1Nl1L51Tx1JKJ11e31LFL1K9J1JN1FR1g71/M/BgJs1xtk:iUZyhHjy43LEBRGBaBgJsZk
TLSH	T1B46184F6134246379CAACED3F2AC8404719944EB98CE5FB55BEC24F50C4EECA6C49692
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.66.49/00101010101001/morte.x86	cb3f49e50746bdb71f5e94cd03515487ed44b2db7a95c95bbaf80d556c176727	Mirai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.mips	19156bf22314ec78c26630536480b209d4645506a626938da34fa2e8646e155d	Mirai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.arc	8d712c16d97dedcf9efd0c3f397f200f1ab242ad256d3640ac85ad3692cc6ce2	Mirai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.i468	n/a	n/a	elf opendir ua-wget
http://196.251.66.49/00101010101001/morte.i686	c1ef439d00f41b7894174d28e3d1eca87c122894932c50d0b2e796cafb9d6814	Mirai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.x86_64	a2f9296b0600dede87844bf36a06d78d2afc280ad30c906357003c9551ef1f48	Mirai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.mpsl	99ae81a903132daa0e24d6a262823dfd2d265576859de4046b823b92368b51ae	Mirai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.arm	df7c267e5f3652c0c53e99c456bc23c485dd95e7e9337ac8097f8acebca1a385	Mirai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.arm5	84fb0d63535ea22e0fd9c6a158b3e9c5ff145955c5ef15f2c2120180cfa02fc9	Mirai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.arm6	8a6db9328511240df3d9167e9ad5b65c00628b9493b5451c213d95db5bebae6a	Mirai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.arm7	4c82c0b42b481f82ba5787395353f4fa6bf2fe7c26ca3df25030bb3af1636f88	Mirai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.ppc	6b3b67e96b251d2f83028afbf40175e9c0755f1a04f4d68469745d2c441ebc99	MIrai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.spc	40e64974441e7cd96114fd668ad1495d55f9dd391bfc97d9b991528ea53beb0b	Mirai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.m68k	02149a95b52a914458fab63ff8e05ed05a45c51b801a03a21ec80e1b290cdf4a	Mirai	elf mirai opendir ua-wget
http://196.251.66.49/00101010101001/morte.sh4	2c6e4eeb739165fe37c87bc3fbc130a2ca901f808d5db07a491c3d9ca71b6b85	Mirai	elf mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686d5e9d900df8e7f868a06clinux22vpnfull_triage

Tags:

downloader phishing trojan agent

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/e384c64b-8081-494e-9afb-394eca776715

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/1d5e0a8d1c8d12a09502db45cc6fb08de9456b81ccaf1fbc22cec2fcdb4e0c61

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d5e0a8d1c8d12a09502db45cc6fb08de9456b81ccaf1fbc22cec2fcdb4e0c61/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-08 18:08:24 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dvpavdi4rujkbfic3nc4y35qrxuuk24bzsxr7pbcz3bpzw2obrqq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery execution linux persistence upx

Link:

https://tria.ge/reports/250708-wq1ytsxrt2/

Behaviour

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Deletes log files

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

Writes file to system bin folder

File and Directory Permissions Modification

Deletes Audit logs

Deletes journal logs

Deletes system logs

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1d5e0a8d1c8d12a09502db45cc6fb08de9456b81ccaf1fbc22cec2fcdb4e0c61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.