MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38e9165bd405ff0c08e06839c8989ab958a367f304417180e05660a0d1f1b607. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	38e9165bd405ff0c08e06839c8989ab958a367f304417180e05660a0d1f1b607
SHA3-384 hash:	7723092825cfe92096620008a2bf10ae271066a2cd4acea5c448fa1d004b312e0c86152d683f90f2e54592906d3f9506
SHA1 hash:	0c204f24b907d753332573830e48293592c3524b
MD5 hash:	68d3ae4e683772701744267391dd98c2
humanhash:	sad-skylark-tennessee-uniform
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'314 bytes
First seen:	2025-11-28 19:59:07 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItXZsbbh3knlfTmsbTq9GgJX6TnLkLNIpKksHMEZhnsKBcGgJsS+pk:iCZ0d7Pq91qrL6JB7sKBBgJsHk
TLSH	T197615FFB134646336CA7C9D3B2A844056240849B99CF6F79EFDC78A65E8CEC93C41643
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://45.135.194.71/00101010101001/morte.x86	3cf1d1b529bccef9141c0ab6741c16ce7e741dbada74ce45f0a983441a6946cf	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.mips	699c8f11c521f5847eddba7decee1cc532746577d3b2baea9e161f09c8addff5	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.arc	9b7d7a31128d56fc6658bf376fb02b891c15f0e1eb6cadf15f0fca27c8838b6e	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.i468	n/a	n/a	elf ua-wget
http://45.135.194.71/00101010101001/morte.i686	b0a47d02af0ca35829fa988410ae80267986b1e5b0720a14b7934faea454404c	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.x86_64	11332376904f8bed307fc0656dad462388db91aaec7c4997f95456af5f3de070	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.mpsl	bb5772839a5c7767d9097e2de6e9d4d825f9038158fc82160537b1fc96540832	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.arm	ba4f63fad129eb60be3fcf0033d2d256d592845b561e97bbecf1aed54143e805	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.arm5	269cb3fa7be74dd9e1a854c6933ba9c1fca7c3d10fc82940a9ffd835a43ff3a5	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.arm6	ffd18fe19ad8d5d4eccbddcd513f914667b0d24a8cb33ba337621a0f5bf3158a	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.arm7	ec7cc4c1b3944c9b9d9d514915ca193206f348a283ef15287a3c363d7c4edb6b	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.ppc	1e5e9462a84458354cab5374f4c31c9d2c87eeec794a77a060c9fdb06f6c65c2	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.spc	d615368fe82f437637ecc28839faaa5ff4f726efeb466bfca9f01da543034653	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.m68k	3cb64bfb612f62f9b47d0981067811afa1e9694f6314ec61f1ce949a798c1d02	Mirai	mirai opendir
http://45.135.194.71/00101010101001/morte.sh4	65dbf6d14fd4d3daaad1f2a7e92ed78115dc7bddd2e288107d5b1aab74cf5237	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/6929ff112cd29ea630030487/reports/25d3254a-a508-4a9b-8a8e-9b947bf197ee/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-28T13:55:00Z UTC

Last seen:

2025-11-29T08:07:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/38e9165bd405ff0c08e06839c8989ab958a367f304417180e05660a0d1f1b607/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/1d560cad-4485-491b-a15c-b74093995f3a

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/38e9165bd405ff0c08e06839c8989ab958a367f304417180e05660a0d1f1b607

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/38e9165bd405ff0c08e06839c8989ab958a367f304417180e05660a0d1f1b607/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-28 15:23:50 UTC

File Type:

Text (Shell)

AV detection:

17 of 24 (70.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hdurmw6uax7qychana44rge2xfmkgz7taraxdahakzqkbuprwydq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux

Link:

https://tria.ge/reports/251128-yqhhla1jer/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/38e9165bd405/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/38e9165bd405ff0c08e06839c8989ab958a367f304417180e05660a0d1f1b607

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.