MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d2acd9571f1e62e42aaf6d34a320d96eb07a1d4b16cce9dc74885aeb0b03f4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	3d2acd9571f1e62e42aaf6d34a320d96eb07a1d4b16cce9dc74885aeb0b03f4f
SHA3-384 hash:	e18f8da7a9b9a795eabab870ad83e62e59a84a9bda3c4634a378e6815204d158333ca0349cfad5f514da678bcfd859dd
SHA1 hash:	8f095ba8a86dfaa659454697e3dbfa30a35d2c41
MD5 hash:	95f205501f8ec39971ff13e2ba4db664
humanhash:	april-cup-blossom-steak
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'344 bytes
First seen:	2025-08-22 01:51:43 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:It3ZsxbhTkFlf5msJTgNGgJX6JnLWbNIpKksNME3hDswZcGgJsAopk:iiTAPZZgN1qVLCJfR4wZBgJsZk
TLSH	T1386185F61342493F9CAACED335A8C408B545C09B94CE5FBA5FEE24F60C4CEC96C41A52
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.73.215/00101010101001/morte.x86	e8099bae8e84278b060f8651d0f601d2e3de08797024a0a13dba0138b3095b43	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.mips	dd1b6595a3a898630f14f8a55a695c2e501cbeb3c909bff9ceb29537c2127ab4	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.arc	08516780febe4d87e6104cd34e313ec0542dfd6ab0e51022f0d4e00e2a533c20	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.i468	n/a	n/a	elf ua-wget
http://196.251.73.215/00101010101001/morte.i686	f036a7842232a000fd0a07d87feddd0d7b8b54b3d32f7d92a2addcca2d563548	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.x86_64	62a70e26cea6c21fcaf3750479ba6222e1a655b26f05978bdd04ea221722f0e7	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.mpsl	1a62aabc26ace9ee3e99e2dff5a2237f8a1f1e36dfbfcbc2c9bf5f6beb8d00f1	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.arm	537bf941eb034d76632909f39a03d5e018f433c09be32d7bd6c4b9d89d1fe764	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.arm5	4b8a0d8113d0f2d71abc0fef204c1a05d3144c59e727666e519283489693f116	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.arm6	09b59c56685eec32cb847b6596ffd452c2ecc580212d2ef58bbba09f78b67003	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.arm7	7530228f8f2c854bd6b3a5b1c6eba9f554bc37f69d195fb0355eabdbfa790f26	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.ppc	e656926beee61ada6d06880d8b23a47941231d04c90683fe9ea2edb12980b71f	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.spc	6622164c76b52290e0fedd1eea0ce0940188f8ac40db272eb0627ace7628b3fe	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.m68k	7de8085dd54c5ea46dda7f42c2c4da30088dc43e27e46f40defa96f23f5a2a52	Mirai	elf mirai ua-wget
http://196.251.73.215/00101010101001/morte.sh4	c2bc223a2d9c0716ae88f1f3c197342982753679782d2bf685eb0b0098fb3191	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/1624e576-2d30-4676-8155-8ee7b2b36535

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/3d2acd9571f1e62e42aaf6d34a320d96eb07a1d4b16cce9dc74885aeb0b03f4f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3d2acd9571f1e62e42aaf6d34a320d96eb07a1d4b16cce9dc74885aeb0b03f4f/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/3d2acd9571f1e62e42aaf6d34a320d96eb07a1d4b16cce9dc74885aeb0b03f4f

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-08-22 01:52:38 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=huvm3flr6htc4qvk63juumqns3vqpiouwfwm5hohjcc25mfqh5hq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery execution linux persistence upx

Link:

https://tria.ge/reports/250822-cap2vaal41/

Behaviour

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3d2acd9571f1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/3d2acd9571f1e62e42aaf6d34a320d96eb07a1d4b16cce9dc74885aeb0b03f4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.