MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ea30e2466ac21c67873e946bc93b824d154a224ee8a2fe76f314f49e1b6446a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	4ea30e2466ac21c67873e946bc93b824d154a224ee8a2fe76f314f49e1b6446a
SHA3-384 hash:	0670690fbc861048790169bf2afb6e8a3e4af25d92a563a36e759b5845a9936f7885bf6f5d601aa2c5e0c5d2f2b0f98e
SHA1 hash:	620c141f62eb7141619441bf1ef5a55355f9af6e
MD5 hash:	21f76baf5a73eba37fdb9d6e5e7ef21f
humanhash:	vegan-blossom-pip-carolina
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'969 bytes
First seen:	2025-10-19 23:28:30 UTC
Last seen:	2025-10-20 22:42:29 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItkT4sk8XkKOKsFkU1BkK+skSrkhTh5JkAAAaNka3LkvTvNI8kskIbkM/k6A6XXM:i+bJHsFPxxSFf2FLeJ/J7XHOju/i
TLSH	T15F519FD520658B703E659D2AF7B9481C3C85A1DB50C71FA6AAEA3CA848CFD2875C07D2
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://144.172.109.62/Orbt/Orbt.x86	68c85af1a2a9ef2f74cd53ed39cc9e00333b961e9f51b9c55ff679c0197a2ae0	Mirai	elf mirai ua-wget
http://144.172.109.62/Orbt/Orbt.mips	74b0536ba2de49f1989592c085010eb3400aa33b4a4b85424e320fb74d143d82	Mirai	elf gafgyt mirai ua-wget
http://144.172.109.62/Orbt/Orbt.arc	0d82c11a95b346a400b5a0e83c7f4a71fd0ccee56e66169cf6bfbc86d8d97e5f	Mirai	elf mirai ua-wget
http://144.172.109.62/Orbt/Orbt.i468	n/a	n/a	elf ua-wget
http://144.172.109.62/Orbt/Orbt.i686	3355e0e1089c7f56e7d89ac87e9726ad9132d773c120342787eb2113e6956f32	Mirai	elf mirai ua-wget
http://144.172.109.62/Orbt/Orbt.x86_64	68aa9d2e946a9cd7b886e7b1e3c0e30e3599260a76f8ccd45883748bdd4d43e0	Mirai	elf mirai ua-wget
http://144.172.109.62/Orbt/Orbt.mpsl	784db215b440dbd938978437151c78733af63be748c51c04ea8a52e9ba560576	Mirai	elf mirai ua-wget
http://144.172.109.62/Orbt/Orbt.arm	dae6bf3bd0f3c3d79660d75ca611430d1f8b2c0857be97b5ed27372db2a2bfd6	Mirai	elf mirai ua-wget
http://144.172.109.62/Orbt/Orbt.arm5	367d2f567b2b318282e3cd5a389b481205d4161bd2811f7cc5f728eaa154a3ba	Mirai	elf mirai ua-wget
http://144.172.109.62/Orbt/Orbt.arm6	56bc93c42245723780b706d193f7f1a3a2c46d4665c333f22bf9c58116b9cd18	Mirai	elf mirai ua-wget
http://144.172.109.62/Orbt/Orbt.arm7	4f7ea3e11393cbe8863cadbcbdeabde5a091dba32cdb22bd8ef3bdf3c2b615b2	Mirai	elf mirai ua-wget
http://144.172.109.62/Orbt/Orbt.ppc	2541e7c6889f9f3322ac0a8eda7f15f46b8c4f8d742953235d8818a41245e62b	Gafgyt	elf gafgyt mirai ua-wget
http://144.172.109.62/Orbt/Orbt.spc	6eda1367bf822811a7d0e2b47903fa6983741685b017f17282638fbf9b889091	Mirai	elf mirai ua-wget
http://144.172.109.62/Orbt/Orbt.m68k	a4c662015b1a6698af83ffa3b2f90562d673299e8b7516c8aa4a0a145b6173ef	Mirai	elf mirai ua-wget
http://144.172.109.62/Orbt/Orbt.sh4	0018c3a0ebe07eafddadceb7fef8fe50ce6a468fc22df79f7d586d0c96b82499	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-19T20:33:00Z UTC

Last seen:

2025-10-21T18:33:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/4ea30e2466ac21c67873e946bc93b824d154a224ee8a2fe76f314f49e1b6446a/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/31214e81-8b11-44c1-a87d-54c5e93d2227

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/4ea30e2466ac21c67873e946bc93b824d154a224ee8a2fe76f314f49e1b6446a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4ea30e2466ac21c67873e946bc93b824d154a224ee8a2fe76f314f49e1b6446a/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/4ea30e2466ac21c67873e946bc93b824d154a224ee8a2fe76f314f49e1b6446a

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-19 23:29:32 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j2rq4jdgvqq4m6dt5fdlze5yetivjire52fc7z3pgfhutynwirva._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251019-3gatlsykbp/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Unexpected DNS network traffic destination

Creates a large amount of network flows

Mirai

Mirai family

Malware Config

C2 Extraction:

mirailoversddos.duckdns.org

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4ea30e2466ac/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/4ea30e2466ac21c67873e946bc93b824d154a224ee8a2fe76f314f49e1b6446a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.