MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cfe855904e7de53b26131ce9ba990333f0e19b36f85767164d0178f49f75fa8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	3cfe855904e7de53b26131ce9ba990333f0e19b36f85767164d0178f49f75fa8
SHA3-384 hash:	c9378c24fea2d30780039b43c360d3b4ed6285e304a92c84967335b03b910fa1376375b9ae23811c996915709473ac95
SHA1 hash:	4c2d7e495fa6d1f26e3f5f0527acf36f2db8b7a3
MD5 hash:	f87717aedb017b774056083ab2ee4e6c
humanhash:	kentucky-rugby-lamp-ink
File name:	shit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'772 bytes
First seen:	2026-01-14 19:17:59 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:iJGW32JaaWJ+O5J2mNJbvfPTJbzUJ4P4oeJ4/zEJkNIJDf7J/UsJHdJa8JY7:iz321WL5lN1rmt1ZF+sLjY
TLSH	T1CE51E3C61111C7307DA6DAA3B3BA9608F1B8B086A5C7CF5CDCDE39F9D48CE087165A52
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://143.20.185.225/bin/sshdd	d45a24a0e3b94a40cb8716571b92fcdcebc2b58afb8c7b1c7c16f9b836f8697f	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/telnetdd	5c8d98cd2804722c5f879eb145dc5b9b0e35591c023778195f62d7f5c93d63e4	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/networkdd	bc41f2dc924c4cb42e4b1efac4cfcc6f96b9ca71cf4357d37e2ea9e1419f7052	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/httpdd	16ab9ef817bc9ca02b1ed22b1b88018afab562a6a6d22bf35c767606d0e5d22b	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/systemdd	85a4bc45ce91a9a516217650d9c611b9c3e482832fc7c1be092ccd624d594f70	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/kerneld	9ab64d8c66d973ca952966360e68ad30a7ce20bfa9f45c6da31b6727969b58ec	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/systemd-networkd	578b49c78c0f112584ab67fa82dffef3dfeb87737e7ceefb3127fddc376687bd	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/systemd-resolved	52b8f6f38a358d86956ce2d85260ca20a6e944bfd1b4df6564c3d21a4b3c0d24	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/systemd-timesyncd	597f2799478a431819083b42ef6a07029a05c0a219e9fd8a7c4dbbc8e35a1d2a	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/systemd-logind	881aa5a2a6d4df3463ead5570f399fdb19f9a48f9d98d9935b1d03573bb5433c	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/kworker	39cd41e0e918c53ef478a55b4f1a8950825feabc6f0ae562fa7275d04e1cb828	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/ksoftirqd	f5953c026d680521bedcb65dc73cc8ba227037ed3a2b4e6ecb7c4d7f0a78dffd	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/rcu_gp	f46107f0f0d10e18a72166ad9c817adeea4c20403b1d05071692c4c35453fe02	Mirai	elf mirai ua-wget
http://143.20.185.225/bin/migration	1a267160f248f1d9fe962667c6d2f15cfca276f8666e4f963b68e4bfe4179e2b	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive medusa mirai obfuscated

Link:

https://www.filescan.io/uploads/6967ec013827c9e1249e298c/reports/5e4e29e6-85f9-41c9-b99b-e23fcfaec937/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-14T16:58:00Z UTC

Last seen:

2026-01-15T12:48:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/3cfe855904e7de53b26131ce9ba990333f0e19b36f85767164d0178f49f75fa8/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/da6df1d7-ac73-4a51-a179-0bb0610aa265

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/3cfe855904e7de53b26131ce9ba990333f0e19b36f85767164d0178f49f75fa8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3cfe855904e7de53b26131ce9ba990333f0e19b36f85767164d0178f49f75fa8/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-01-14 18:16:25 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ht7ikwie47pfhmtbghhjxkmqgm7q4gntn6cxm4le2aly6spxl6ua._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260114-xz55kscy3h/

Behaviour

Reads runtime system information

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

lolzzmortex.duckdns.org

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3cfe855904e7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.56

Link:

https://yomi.yoroi.company/submissions/3cfe855904e7de53b26131ce9ba990333f0e19b36f85767164d0178f49f75fa8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.