MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f69ba905c14f4c84e3008d252f0828d1283451e4b48d8065049bfca3d6b6a47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	3f69ba905c14f4c84e3008d252f0828d1283451e4b48d8065049bfca3d6b6a47
SHA3-384 hash:	ee095b5fd9c361ac9091119b49a691e5d02da688b83c7d435768323208bb8d4739f13e6e5ba6131056d31236cf1e3f06
SHA1 hash:	6e03e3eebdcff86e00eb26118da68b6f3b51e85a
MD5 hash:	5a91877097ffa6fe11de60d1a3a853df
humanhash:	arizona-arkansas-blossom-blossom
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'044 bytes
First seen:	2025-07-21 12:42:18 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:ip4R4qp4g48p4z4Kp484cp4W4Ep4O4Qp4UO4U1p4p4ap4W4eLp4r4YJp4c4Ip4eQ:iG+qG98GUKGZcGvEGXQGiGGGaGveLG8J
TLSH	T1B1514FEA23C186736CFADAD776A98404728155EBEC8F2F3694DCE8E9808DE097040752
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.148.210/bins/morte.x86	bd297ae9c45ffbfe444213d57dd4eb32d6212465d6c840f1a497cc20c533d4e9	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.mips	568780e2ac25888e3151dd8e8cb76d1ebdfd2e986e0fed4931d15656fa5b9eb1	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.arc	7321f337422bcdbac4f2a90af9d827e18fb1ead5acee542ecf05e4fe37e5822e	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.i468	n/a	n/a	elf opendir ua-wget
http://176.65.148.210/bins/morte.i686	82444c55629dc38a74ad72ef9af7239b973f85aadd1c7d227205e529901e97fb	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.x86_64	750684d31633710b2a8bd3ffe886405d3a7ed4e5ad57779c742fba4e7a592018	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.mpsl	5d1b62d8c2acef405d9027ce927733d49d04464ed761421a74c9652bd0339709	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.arm	f83b76f66452fe975e2c15145bbcd4fb24b12192eddc87b1272a9413f11b4018	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.arm5	8b536240087f1627bf1417ee5529c42a17561a64b3f8628c907d1e023cc91893	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.arm6	f6ceab5e38268a31528821a82a6ad66b27031c8ecffef6c7e718bcca359d03b5	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.arm7	00969384d60395745426767373265dcc7aca5888936df57b2deafaefe780b9e4	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.ppc	ce2a3ca361d668031c19ea9bf31a5c96e37d6dc7d10c6ed9d7b7919df009850c	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.spc	196663d92cac163ac2730d386e4bc9261d29b8c6d811e8f5b5370c8633375f99	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.m68k	c9b7bbf730c616b2edbfc26eda34f7bff8d306bab45974e45083175778ebecce	Mirai	elf mirai opendir ua-wget
http://176.65.148.210/bins/morte.sh4	9756731375c8aaa5e4deb59e70739d555fbee90ec01276d839ea965f3c1c58b6	Mirai	elf mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/fe61be83-ae0c-4055-a9a4-e996b74b84e7

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/3f69ba905c14f4c84e3008d252f0828d1283451e4b48d8065049bfca3d6b6a47

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3f69ba905c14f4c84e3008d252f0828d1283451e4b48d8065049bfca3d6b6a47/

Verdict:

Malicious

Threat:

HEUR:Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/3f69ba905c14f4c84e3008d252f0828d1283451e4b48d8065049bfca3d6b6a47

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-21 12:43:20 UTC

File Type:

Text (Shell)

AV detection:

15 of 23 (65.22%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=h5u3vec4ct2mqtrqbdjff4ecrujigri6jnenqbsqjg74upllnjdq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery linux persistence upx

Link:

https://tria.ge/reports/250721-px2qdatyds/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.37

Link:

https://yomi.yoroi.company/submissions/3f69ba905c14f4c84e3008d252f0828d1283451e4b48d8065049bfca3d6b6a47

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.