MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f0be4730da078e8bde3bc8a98c8cfbda1771a1df293575348734e16d45557f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	3f0be4730da078e8bde3bc8a98c8cfbda1771a1df293575348734e16d45557f6
SHA3-384 hash:	e5732f4ccceaaf926a664d5cb5202a891790b6210253e641bc06e608b2b166519bb82b4b7c3ef3f1d9ba725ca8eddf48
SHA1 hash:	71ea52080bc0c003f2c892e85a4ca1c95b81d717
MD5 hash:	6c7eb82ab60fb2814afe2f1a62ef6eb9
humanhash:	north-florida-purple-fifteen
File name:	giga.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'836 bytes
First seen:	2025-07-31 23:24:24 UTC
Last seen:	2025-08-01 11:45:40 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:SXZXU3dfofYxLfzUuacYgja2p+aX2VaQHon1Q7LDvAOj:SXZMofYxLfzUuacYgja2p+aX2VaQHonG
TLSH	T1965186840FD3417A7EB56F37B9AAC258258A909B7BC1DFA244FD3CF1544CE04A492D53
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.115.36/HBTs/top1miku.arc	22a0259442cc186e532dc5869fb4f71f759cccfb2457c815d25cc86a0e1dfe74	Mirai	elf mirai opendir ua-wget
http://196.251.115.36/HBTs/top1miku.i586	809ea53b8504a335103fb7400ed77bafae562e22443988ebce61577a1e950236	Mirai	elf geofenced mirai opendir ua-wget USA
http://196.251.115.36/HBTs/top1miku.x86_64	6874b1163b73786d72b89d1aac59d84e71c1a441be25bc612c24270909d77335	Mirai	elf geofenced mirai opendir ua-wget USA
http://196.251.115.36/HBTs/top1miku.i686	d35606a53e34a64f61406a84c406478ebeab1759e43c7b9d8821bf7b707ae2ac	Gafgyt	elf gafgyt geofenced opendir ua-wget USA
http://196.251.115.36/HBTs/top1miku.mips	8833ab23e04d218c18e782a07ba82a0a0635f17d37a65e99ff59099cbb3daf3a	Mirai	elf geofenced mirai opendir ua-wget USA
http://196.251.115.36/HBTs/top1miku.mipsel	0769cf479597eb4a09ebfd4aade04ed32913121feeadee993bcff3a5171ed1d9	Mirai	elf mirai opendir ua-wget
http://196.251.115.36/HBTs/top1miku.armv4l	b44b7abed7fb7b4ce7ddace42c8b012c4a0c933bf11b636b76b88928c44f1b46	Mirai	elf geofenced mirai opendir ua-wget USA
http://196.251.115.36/HBTs/top1miku.armv5l	f674ac1a986d52a6b9c771d34a0200124ba850f323c46d4861be0629f86d8584	Mirai	elf geofenced mirai opendir ua-wget USA
http://196.251.115.36/HBTs/top1miku.armv6l	4efe343901cd1e8b14225d8788f7521d2df9e6eb4b3092bd10daf7644050a9c3	Mirai	elf geofenced mirai opendir ua-wget USA
http://196.251.115.36/HBTs/top1miku.armv7l	53a1a9058313b55e43e3190ed913a3f01835cbff31bdec7b9de08a3656d4eb00	Gafgyt	elf gafgyt geofenced opendir ua-wget USA
http://196.251.115.36/HBTs/top1miku.powerpc	3c4866b60ac379643446fbbb1fd2ce38bd586ce2b91ecfec5aedbf304d022b36	Mirai	elf mirai opendir ua-wget
http://196.251.115.36/HBTs/top1miku.sparc	n/a	n/a	elf geofenced opendir ua-wget USA
http://196.251.115.36/HBTs/top1miku.m68k	64b9835344669837dfc0eff895ad3deb3689e914d87c07ced068a68f9c772dec	Mirai	elf geofenced mirai opendir ua-wget USA
http://196.251.115.36/HBTs/top1miku.sh4	f060682bfe5b7cc17deee33cc26f55d017e725428e8092226fa57f3b458e6750	Mirai	elf mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/1ec320ec-ab12-4602-8984-0f42b7bf6fd2

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/3f0be4730da078e8bde3bc8a98c8cfbda1771a1df293575348734e16d45557f6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3f0be4730da078e8bde3bc8a98c8cfbda1771a1df293575348734e16d45557f6/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/3f0be4730da078e8bde3bc8a98c8cfbda1771a1df293575348734e16d45557f6

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-31 23:25:35 UTC

File Type:

Text (Shell)

AV detection:

17 of 24 (70.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h4f6i4ynub4orppdxsfjrsgpxwqxogq56kjvou2ionhbnvcvk73a._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery linux persistence

Link:

https://tria.ge/reports/250731-3ejnqshr2s/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Contacts a large (1968795) amount of remote hosts

Creates a large amount of network flows

Mirai

Mirai family

Malware Config

C2 Extraction:

top1miku.duckdns.org

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3f0be4730da0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.