MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f41a835cb6bc86899353a027422a36158febfc62eca6f521916431b42dbeef2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	2f41a835cb6bc86899353a027422a36158febfc62eca6f521916431b42dbeef2
SHA3-384 hash:	ae734dec22d5222a205ee4270e2cf6a034d48bee156c7c1909a119cdc47e7d45f88f9dfe7dbe5adaf9eb2f228b97786a
SHA1 hash:	928e4ebb228053b175601d73d9cc5be1b9723cfb
MD5 hash:	c5e0865de650b1d4089632dfb9894cfb
humanhash:	whiskey-ack-apart-spring
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'254 bytes
First seen:	2025-08-23 02:48:26 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:iPADPb5PC3PL5P5tPBVPGfP0bPZ5LPYfPvhP71PGPPjejBgJsP3hk:4kBgJJ
TLSH	T1516171FA135146775CAA89D332AC440462C048AB64CE5F795BDC38F98CAEFDE2C46691
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://163.5.63.89/00101010101001/morte.x86	134264c8865b586a194591967c2c1d9238fdd11bb7d507532183fade84cc3f4c	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.mips	76e8938a58555924b03dfc826fcf6b3ed2d20ed7f1ec6f61e874ca3cec49fc43	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.arc	6aaa42b794d3f8987f104542bb2ddb9cfe7c377e833dc2f9fbd24647bd2060f9	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.i468	n/a	n/a	elf ua-wget
http://163.5.63.89/00101010101001/morte.i686	50e67f52b8353b134b6118899bee8413547cb38c3a915d5c3b3b1ec5431a4464	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.x86_64	f13188e81cac3f55bd0a4c499a8b524cd7656b77130997a123c4516960e55e45	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.mpsl	d7b5d0f754163b8b27c8a649a38938c6efeed0f6b52cf938b76c3a9bbbd8bb2e	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.arm	cc87a411276a5960ddd7c751b5b7f6205db0f26e2db2180599520fb2d873c701	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.arm5	26d4b29a52ec7dfc59e6e66a0a9d8759e1cc3ed255aef690bed53485ea77d91b	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.arm6	dfdd3fd2c40326aa104fe95c28a671f66dae57caffb2ea390ba8f2726d459a7f	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.arm7	ca2a562bd8606f953e1249ad1f8811db47279736057cb66432ccd4a908593c51	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.ppc	1f732524278e5b2af1e78751c40c1d0fe1db1188fe39db7d741e328bdf734e72	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.spc	68a55330c8b7eb8b6220475aeebd7cbd4c41f27d42889c375ff0a8e6fb0a113a	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.m68k	3240804c076c7fabd619b1e7aaef80e263568ce358039cc52cf4e37554720fcf	Mirai	elf mirai ua-wget
http://163.5.63.89/00101010101001/morte.sh4	e80eef4929318ff24d31170fee00d2ff8f9fceb27b3f8ca96f1a07206345cc6f	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-08-22T23:56:00Z UTC

Last seen:

2025-08-22T23:56:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/2f41a835cb6bc86899353a027422a36158febfc62eca6f521916431b42dbeef2/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/5238e4c5-00a8-4236-940f-0218e2c7b701

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/2f41a835cb6bc86899353a027422a36158febfc62eca6f521916431b42dbeef2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2f41a835cb6bc86899353a027422a36158febfc62eca6f521916431b42dbeef2/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/2f41a835cb6bc86899353a027422a36158febfc62eca6f521916431b42dbeef2

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-08-23 02:49:33 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f5a2qnolnpegrgjvhibhiivdmfmp5p6gf3fg6uqzczbrwqw353za._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250823-daqh2sgk8t/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

bbos.p-e.kr

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2f41a835cb6b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/2f41a835cb6bc86899353a027422a36158febfc62eca6f521916431b42dbeef2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.