MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46626ff6e0c9ca700c398f551d7ad5a3fea186abf400c37de81dbb13b0e1f3f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	46626ff6e0c9ca700c398f551d7ad5a3fea186abf400c37de81dbb13b0e1f3f2
SHA3-384 hash:	fa2d5baf3e4630b0c646a561e02334d82a81cec7d0c661eed54112c3f85d7f4f715e64b780c3bb00338ae551afbd816c
SHA1 hash:	b198afaf3ca90a4e0bd01a6fdee7905fae796e04
MD5 hash:	27b24d7250b68302f663d8e7fa452431
humanhash:	cup-zebra-east-august
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'344 bytes
First seen:	2025-07-11 06:59:15 UTC
Last seen:	2025-07-15 23:28:00 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItHZsRbhfkdlfdmsNTsNGgJ369nLybNIpKks1ME7hPsUFcGgJs8Apk:iyzc3VlsN1KxLeJnV0UFBgJsVk
TLSH	T15A61A3F60342457BDCAACAD7B1AC8405624944ABA4CF4FF1CBECA4F41E4CEC86C85656
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.69.179/00101010101001/morte.x86	f4185560f61a2e65676dca39e34f3bf58df70e31bac15ff102a457d017bd03b9	Mirai	mirai opendir
http://196.251.69.179/00101010101001/morte.mips	d3e2b7563f92982267e822718ac8c3283de40870e3de3d0f4617bb13e13e00b2	Mirai	mirai opendir
http://196.251.69.179/00101010101001/morte.arc	c378185b0f76947eb0183861f4d01ef7df4964a68640d7280ca312ee4280868e	Mirai	mirai opendir
http://196.251.69.179/00101010101001/morte.i468	n/a	n/a	elf ua-wget
http://196.251.69.179/00101010101001/morte.i686	7d6e0067be1beb10bc1c9976049964f5970a8ace8db721b41dd41865b577c5ed	Mirai	mirai opendir
http://196.251.69.179/00101010101001/morte.x86_64	85d0a0a8f6e490d799733d5cfa6aab5329b952ebb4cd59a719628e48de26e062	Mirai	mirai opendir
http://196.251.69.179/00101010101001/morte.mpsl	cbacea9fabf5d49ccd0200a0aac24fa0bfd6d0decb1dfa3dcb486ac681c6b329	Mirai	mirai opendir
http://196.251.69.179/00101010101001/morte.arm	bbfd89b8e5789aea24faabc0ad57cfc040c2380e8cc7bd2c37bf6f9fafbed785	Mirai	mirai opendir
http://196.251.69.179/00101010101001/morte.arm5	33a6f20085ccee2f138076d19681c70bc51e85de8a9a9feff8244cb8e781a53b	Mirai	mirai opendir
http://196.251.69.179/00101010101001/morte.arm6	de5961922467e9b023a48e56fa3df60e136c84e01a1d73aa34c20015804ba173	Mirai	mirai opendir
http://196.251.69.179/00101010101001/morte.arm7	b40189b56d6e902a21d45b28a9a5aeef87f311628872922e510cbbfd19b6ead6	Mirai	mirai opendir
http://196.251.69.179/00101010101001/morte.ppc	03e95dd682d96c01e1c6e93ed45531c38b71e644b837a71044146d7abce4abaf	Mirai	CoinMiner mirai opendir
http://196.251.69.179/00101010101001/morte.spc	f0acbd7cd2a32d3a5230a1760980619f9e1cb32a230d31ad452723c62c76576a	Mirai	mirai opendir
http://196.251.69.179/00101010101001/morte.m68k	dfb19a5c962ceedd185ebe83c688189f666e7e62f4a07c36242a44d8bb8f42c6	Mirai	mirai opendir
http://196.251.69.179/00101010101001/morte.sh4	97d65ac4d7ef56c46367a3b4bd6ca5fd3e22c3b45f86f8f377864ec77814c5e5	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6870b695900df8e7f869ba63linux22vpnfull_triage

Tags:

downloader phishing trojan agent

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/089a100e-a0ed-4803-9bbd-897d6f7edbb0

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/46626ff6e0c9ca700c398f551d7ad5a3fea186abf400c37de81dbb13b0e1f3f2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/46626ff6e0c9ca700c398f551d7ad5a3fea186abf400c37de81dbb13b0e1f3f2/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-11 07:00:30 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=izrg75xazhfhadbzr5kr26wvup7kdbvl6qamg7pidw5rhmhb6pza._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery linux persistence upx

Link:

https://tria.ge/reports/250711-hstqmsgq3z/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Malware Config

C2 Extraction:

abc.izumisv1.cc

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/46626ff6e0c9ca700c398f551d7ad5a3fea186abf400c37de81dbb13b0e1f3f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.