MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 451131b8cfef5b5fdcffbf59ee034ea1c6f205d32ab95ce8bc08175011033eef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	451131b8cfef5b5fdcffbf59ee034ea1c6f205d32ab95ce8bc08175011033eef
SHA3-384 hash:	ef7696eb980fa1c330aabec0da27929833ae927dfd406eaee5fba1404ce4ca12f5ac961b4f3a87f79756ab5945c8c284
SHA1 hash:	31a2a445bfbcd97aeb2f7f5f23f3c66bb5b310ad
MD5 hash:	7f0cea77e086e2a2e7d9194f66c3d794
humanhash:	wolfram-sink-sierra-december
File name:	yak.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'062 bytes
First seen:	2024-12-28 12:20:47 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:v5M5A5W35E5NHKhdJ5w5635w5W55NsysRswss5NI32YL5Na46ok5b:v5M5A5W35E5NHKhr5w5Q5w5W55N1ofBh
TLSH	T1F54180FBD0A15EBC7F50B563B299890130E0E5AA48DE5F3B9DDC38EA409CD9C25C194B
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://pirati.privatedns.org/yakuza.mips	b5b9df9595f6b17ddd8e1ced288a5930d6051d2a03001ea0fae8e0b58af5a1d0	Mirai	botnetdomain censys elf mirai WebServerPirata
http://pirati.privatedns.org/yakuza.mipsel	587e2662ce70a04da90f6a9ba3cd377b98f7b5e5acf84becce53d30e63178454	Mirai	botnetdomain censys elf mirai WebServerPirata
http://pirati.privatedns.org/yakuza.sh	1048b724804b1ac5ecd6b444eea2bfb4b71bcb121834064df010f3b613931afb	Mirai	botnetdomain censys mirai sh WebServerPirata
http://pirati.privatedns.org/yakuza.x86	d413731643aeee91c44c73061eb1493c8438740af31399c5edf96829ff536b7d	Mirai	botnetdomain censys elf mirai WebServerPirata
http://pirati.privatedns.org/yakuza.arm6	554f13d37e612f6659240bb2aa948811f1203caae072ebed8a6de7a1a46d7d63	Mirai	botnetdomain censys elf mirai WebServerPirata
http://pirati.privatedns.org/yakuza.i686	03552d3dbc4b2d927c1fb444f5a3a503aaf6a18a04d29fca619932f433e71422	Mirai	botnetdomain censys elf mirai WebServerPirata
http://pirati.privatedns.org/yakuza.ppc	459b9c13b83a65fab8e2d4b5ac826284bc763ff0e5f2181969825daacc75e500	Mirai	botnetdomain censys elf mirai WebServerPirata
http://pirati.privatedns.org/yakuza.i586	13f67366deebf2a241ba194510f0b28d19a3afa2264d63af646125d8132f79cc	Mirai	botnetdomain censys elf mirai WebServerPirata
http://pirati.privatedns.org/yakuza.m68k	2efac1cd60b65ae44779c66a7e5cbf9683a9641bae55a1919684c2f442f7d415	Mirai	botnetdomain censys elf mirai WebServerPirata
http://pirati.privatedns.org/yakuza.arm4	a16ebc0b13345358f405148c0486e9d50657b0c7547834cf4210b0be8c7fd649	Mirai	botnetdomain censys elf mirai WebServerPirata
http://pirati.privatedns.org/yakuza.arm5	4cd7f3968b97c48ba7cec174c11f4af27f7dc6a71806103d9e3c39faad3e0fc1	Mirai	botnetdomain censys elf mirai WebServerPirata
http://pirati.privatedns.org/yakuza.arm7	c18eda50c259a7d782286992c1464084a2ef944f5e13a6f69ce7dd3875fe049a	Mirai	botnetdomain censys elf mirai WebServerPirata
http://pirati.privatedns.org/yakuza.sparc	72c8548250c102168910248bb15590f75d3e554372353213ecd67e3cf3fa81e6	Mirai	botnetdomain censys elf mirai WebServerPirata

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=676fed2f75fb913a1478e72blinux22vpnfull_triage

Tags:

trojandownloader agent

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug bash evasive lolbin remote

Link:

https://www.filescan.io/uploads/676fed317f94244df692a4c8/reports/e7d7e998-4e7a-4e77-a097-88ad20f2fff1/overview

Result

Verdict:

MALICIOUS

Score:

73%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/451131b8cfef5b5fdcffbf59ee034ea1c6f205d32ab95ce8bc08175011033eef

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/451131b8cfef5b5fdcffbf59ee034ea1c6f205d32ab95ce8bc08175011033eef/

Threat name:

Win32.Trojan.Mirai

Status:

Malicious

First seen:

2024-12-28 12:21:05 UTC

File Type:

Text (Shell)

AV detection:

15 of 23 (65.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iuitdogp55nv7xh7x5m64a2ouhdpebotfk4vz2f4balvaeidh3xq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux

Link:

https://tria.ge/reports/241228-pjba9sxqfs/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Reads CPU attributes

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.97

Link:

https://yomi.yoroi.company/submissions/451131b8cfef5b5fdcffbf59ee034ea1c6f205d32ab95ce8bc08175011033eef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.