MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2767e8ece559b00a39917ae961fb26116d0e85015ad796850166cf025670f3e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	2767e8ece559b00a39917ae961fb26116d0e85015ad796850166cf025670f3e9
SHA3-384 hash:	ffdbf21f07910aa19247d967f4723ea740761e1cb2afb517599af8acdcd02d913ee41bc59f0c12bc54b506f92bfd4c21
SHA1 hash:	60644ebc0207ff7178347a7e938236ca1b4eb9ad
MD5 hash:	703e98d86baafe1c39780bdfec5478ca
humanhash:	fanta-music-lima-music
File name:	jewn.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'763 bytes
First seen:	2025-11-10 18:25:54 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vnVonWqnOqYnNbknsEBn3Enu2nIsnpgnUH:viByCP0pVmG
TLSH	T11D31BCC9096500BA6CA36B7BF2B41D1C35D8AE9556CAAFE6D3DC38B8408CEC5B071643
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://103.163.118.111/trc/TRC.x86	9197a85c5180866d5f4bdff9ce443e20976f814e88a57db498d694ed6130f1c1	Mirai	elf mirai opendir
http://103.163.118.111/trc/TRC.mips	58a0697ace786bada774996adec154a736fbcc23034c78de67c4188348fc3b17	Mirai	elf mirai opendir
http://103.163.118.111/trc/TRC.mpsl	4c5d3fc2facde344db1304361e6b51311f9f82c57e7ca7a2ce57c9e1819d8058	Mirai	elf mirai opendir
http://103.163.118.111/trc/TRC.arm4	n/a	n/a	elf ua-wget
http://103.163.118.111/trc/TRC.arm5	01ad4495cbbb79b950027c5530d5b2464d89d64fcb6bd442056b9dbdba68da12	Mirai	elf mirai opendir
http://103.163.118.111/trc/TRC.arm6	18072699656453a0d16873793d436a0671b4ca543370b0a537acbcce57630002	Mirai	elf mirai opendir
http://103.163.118.111/trc/TRC.arm7	9368bfad1522138480ea08813c64c06ee392e0fb90c2dafcf5b20d8c61c349f7	Mirai	elf mirai opendir
http://103.163.118.111/trc/TRC.ppc	e2d41fb6c3ceb3340dea8706e9d706d826af2c8952b04acbf1c261b617d130f1	Mirai	elf mirai opendir
http://103.163.118.111/trc/TRC.m68k	61ffa89b2eac0463377408ca3fbad67e1f05bb4dc34c47a701dae43eea5390f4	Mirai	elf mirai opendir
http://103.163.118.111/trc/TRC.sh4	3f1d9a9c9db6985f68fd172a3a1aee1ae15dac7d8d64cebc221386774b1ba86c	Mirai	elf mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

medusa mirai

Link:

https://www.filescan.io/uploads/69122e45935d9f0d73ca8664/reports/5bacd1e0-ead8-4689-8057-ffec13912c6d/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-10T15:37:00Z UTC

Last seen:

2025-11-11T01:22:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/2767e8ece559b00a39917ae961fb26116d0e85015ad796850166cf025670f3e9/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/def7ef57-2bd8-4f43-893d-4939bcd4af41

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/2767e8ece559b00a39917ae961fb26116d0e85015ad796850166cf025670f3e9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2767e8ece559b00a39917ae961fb26116d0e85015ad796850166cf025670f3e9/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/2767e8ece559b00a39917ae961fb26116d0e85015ad796850166cf025670f3e9

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2025-11-10 16:17:55 UTC

File Type:

Text (Shell)

AV detection:

17 of 24 (70.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e5t6r3hflgyauomrpluwd6zgcfwq5biblllznbibm3hqevtq6puq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:owari antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251110-w29p4stlcz/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2767e8ece559/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.42

Link:

https://yomi.yoroi.company/submissions/2767e8ece559b00a39917ae961fb26116d0e85015ad796850166cf025670f3e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.