MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 405c4a42e15b46925e6e8e8ed2203308f64eb6c94a1d773d4c4615f7763ed5dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	405c4a42e15b46925e6e8e8ed2203308f64eb6c94a1d773d4c4615f7763ed5dd
SHA3-384 hash:	73f0e8294490b2020017c5775098e63948757638c27f8ce50d4fa34a2c166abd8b844fecf7dda408f20709574502cc9c
SHA1 hash:	20f54ee5c201e77f69028bec6fb729e014acb97e
MD5 hash:	44b051dc8438cfb55782fb21dda8b4bc
humanhash:	lion-wolfram-ten-oscar
File name:	sh.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'633 bytes
First seen:	2025-02-26 19:49:01 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:vmpdksF+NRu4AmReLib4cNXtTAWJ+GXayAy5:vmp/KKmReLib4op+GKyA4
TLSH	T12C3181C922F227792DA1982B72BD8C5871C0608DD8D1AF85F7DE3CB496CED052165A63
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://46.19.143.10/jklx86	28bb529e99c8730de533d64995979a491d6af643ddcd99997788ff945dc6b426	Mirai	mirai opendir
http://46.19.143.10/jklmips	6fc1f441c08b49ceb3083fa2a201d424c5282ec7a5cd2431bd017490ba2b23de	Mirai	mirai opendir
http://46.19.143.10/jklmpsl	0ee587fea341d9da43777102b508c6017d29ad537594afa596e042d4ecd67cf8	Mirai	mirai opendir
http://46.19.143.10/jklarm4	n/a	n/a	n/a
http://46.19.143.10/jklarm5	270336c1d58b1ffaa8ebba18d47d73c2451fa149194f37cc44e980ac96cf1443	Mirai	mirai opendir
http://46.19.143.10/jklarm6	906399d69e39253d0551c6bf9c59451b2ee12e5e7e8ac557040b38c6b813e711	Mirai	mirai opendir
http://46.19.143.10/jklarm7	494100c806fe62f35ed5c3be8beff7469d490f0ab1f0bb7e48cff5ee2338c704	Mirai	mirai opendir
http://46.19.143.10/jklppc	b825d7abc8614fc03e79be548c6ef93dd9f759e6713e2b4a7a7f596edf43aeb8	Mirai	mirai opendir
http://46.19.143.10/jklm68k	50f4f9c94f0a96aead95a0ca2866a99bda3d3f9d8c2360a02bd993dfc37c5f2a	Mirai	mirai opendir
http://46.19.143.10/jklsh4	ba7faa58d615bd5f4ebaaf7f42b7fe484639b7a0a96217c541b592837899d4e7	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

1

# of downloads :

90

Origin country :

DE

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67bf70bfa0fd713c335d0d28linux22vpnfull_triage

Tags:

shellcode phishing agent overt

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/67bf706af8726576332b1e57/reports/b23ed442-a9c9-4d77-bbc5-54b4960e4dff/overview

Result

Verdict:

MALICIOUS

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/405c4a42e15b46925e6e8e8ed2203308f64eb6c94a1d773d4c4615f7763ed5dd

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/405c4a42e15b46925e6e8e8ed2203308f64eb6c94a1d773d4c4615f7763ed5dd/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2025-02-26 19:49:26 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iboeuqxblndjextor2hneibtbd3e5nwjjioxopkmiyk7o5r62xoq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:botnet antivm botnet credential_access defense_evasion discovery linux

Link:

https://tria.ge/reports/250226-yjrspa1my3/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Renames itself

Unexpected DNS network traffic destination

Contacts a large (186167) amount of remote hosts

Creates a large amount of network flows

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 405c4a42e15b46925e6e8e8ed2203308f64eb6c94a1d773d4c4615f7763ed5dd

(this sample)

elf f373c7b87b0ed7bddefbcb25623e60f9e1da7e6900a0553c435cdd91fbf5b383

URLhaus

https://urlhaus.abuse.ch/url/3458558/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3458661/

URLhaus

https://urlhaus.abuse.ch/url/3458741/

URLhaus

https://urlhaus.abuse.ch/url/3458773/

URLhaus

https://urlhaus.abuse.ch/url/3458849/

URLhaus

https://urlhaus.abuse.ch/url/3458862/

Dropping

MD5 1fee4f85de36e4039a855de319da7c0b

Dropping

SHA256 f373c7b87b0ed7bddefbcb25623e60f9e1da7e6900a0553c435cdd91fbf5b383

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample