MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3913c5e5e2c0324d51da1c172928b0d32e8dbbecae4f180b4f0ab643afcbd389. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	3913c5e5e2c0324d51da1c172928b0d32e8dbbecae4f180b4f0ab643afcbd389
SHA3-384 hash:	4c68f6cc6a3bc8295153d86947e0b81cc5e457020ee98c229c202bf8cb276d3c53a608b888befbea56b44ef94e5465f1
SHA1 hash:	9e69956514d31537049846ef3ef493c5c3088cbe
MD5 hash:	b63a273e684a33e15daea979ac367396
humanhash:	grey-twelve-apart-missouri
File name:	qkuys.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'954 bytes
First seen:	2025-11-22 16:36:45 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:i7gA7dm7KM7Ve7jC73S70aa0aX3KL7snA7nIL7IuJ7dO7R67G872Y71bh:i7gA7dm7KM7Ve7jC73S7010E3KL7snAi
TLSH	T1B0516F8910D24A7EBE979A5372B9DF043981E0DA25C66F4EECDE34B5684CF153500FE2
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://154.6.197.44/bin/Polar.x86	93a1c252d10d76024a5d488f92658d0f9cd32dc0ad90ed9ed64b26bcb93194ca	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://154.6.197.44/bin/Polar.mips	59c55501918e0f7c6c0fbdfb9582b3bd2cb851d56608bbe4cfd76eb5225bed7f	Mirai	elf geofenced mips mirai opendir ua-wget USA
http://154.6.197.44/bin/Polar.arc	ed92383ba83cf87045d54e5235418a73b279258abe9c1ad0c00c093ce42da7aa	Mirai	arc elf geofenced mirai opendir ua-wget USA
http://154.6.197.44/bin/Polar.i468	n/a	n/a	elf ua-wget
http://154.6.197.44/bin/Polar.i686	e4887d3bd2122919343f1cd0d222deb98f1a652fceb4dc4746cef8a64ac84266	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://154.6.197.44/bin/Polar.x86_64	d5f6fe226289a3f9cb5d83db63a2fdbf0024f61ac7b893b670129813e9fa0a08	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://154.6.197.44/bin/Polar.mpsl	acc9ea729fb577311870758f13e08f838e1e658d3fcf1046682667331426f223	Mirai	elf geofenced mips mirai opendir ua-wget USA
http://154.6.197.44/bin/Polar.arm	583901d5241b61add64f1c5a4b0db6f208e1966b59f875c6b752c9ba1a97f2aa	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://154.6.197.44/bin/Polar.arm5	ee9753ac80e2def70e03baeab0451978552c4705ff035fa4e674bb40a3ccaa91	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://154.6.197.44/bin/Polar.arm6	721fe15d7d32f9940823b6401dba7004634d31e5d0144e778e07fd24d266d0f1	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://154.6.197.44/bin/Polar.arm7	4fe7c8ec1c0bc38038cd295f0e86e4ee82a6acfacf078216dca3ec934b9a9419	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://154.6.197.44/bin/Polar.ppc	5f4e153c8107eba841c35ec284550fef6f37149f5e340f8c93a51de95eeb368f	Mirai	elf geofenced mirai opendir PowerPC ua-wget USA
http://154.6.197.44/bin/Polar.spc	31089c8a5283bb413a4d4baf0465cc0865bd741ec5243fa42c9e4a0b1e8b23a8	Mirai	elf geofenced mirai opendir sparc ua-wget USA
http://154.6.197.44/bin/Polar.m68k	3bbb478c8b9d843bfac8b3e30c1a8995c8083c9bec566afb0a8cc83f0152a855	Mirai	elf geofenced m68k mirai opendir ua-wget USA
http://154.6.197.44/bin/Polar.sh4	3ab21df5266014a5d499a423818b1ecce0ed014d99cb2670e582b2449a1d9789	Mirai	elf geofenced mirai opendir SuperH ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-22T14:06:00Z UTC

Last seen:

2025-11-23T10:33:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/3913c5e5e2c0324d51da1c172928b0d32e8dbbecae4f180b4f0ab643afcbd389/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/f152856a-fe74-427f-b608-010906421323

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/3913c5e5e2c0324d51da1c172928b0d32e8dbbecae4f180b4f0ab643afcbd389

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3913c5e5e2c0324d51da1c172928b0d32e8dbbecae4f180b4f0ab643afcbd389/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-22 16:37:40 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hej4lzpcyaze2uo2dqlsskfq2mxi3o7mvzhrqc2pbk3ehl6l2oeq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251122-t44wjabj6y/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Creates a large amount of network flows

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

lolzzmortex.duckdns.org

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3913c5e5e2c0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/3913c5e5e2c0324d51da1c172928b0d32e8dbbecae4f180b4f0ab643afcbd389

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.