MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f330df2b5e0e3cac30d9f2907ccd155eba3fed8f3f5ebcb66650b542c183fec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	4f330df2b5e0e3cac30d9f2907ccd155eba3fed8f3f5ebcb66650b542c183fec
SHA3-384 hash:	9b3f9f2dbeea385bb855c73e747579b0693100a94bd12dbffa1ccfbda2c5e54ab07cd5e57ef5deff0584fa544f5d7880
SHA1 hash:	463b70db77c55dc3b979e3ed6c7a0f0ef4a61669
MD5 hash:	bcd1db9de826cfd3e3dc82a2e37b7ee3
humanhash:	zulu-earth-fix-robin
File name:	pulse
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'835 bytes
First seen:	2025-10-14 20:14:59 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vTKNYKNqKNEKNOKNNkzEKNJKNqKNjKNEKNSKNLRUfKNZKNGKa:vTKNYKNqKNEKNOKNmEKNJKNqKNjKNEKp
TLSH	T1C9514EC4B32243B07FE25D727DB5406CB2C9E1D1B6C59E89D8ECA8BD818DF0C14A06A3
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://64.91.237.162/bins/sora.x86	9209da6b229bc24256cf26833723fc3a7c89272a5af754861c095d350b99de10	Mirai	mirai opendir
http://64.91.237.162/bins/sora.mips	29c7491b527a0e18a776b8cc1831a8ba4b97d917fd76d047c96cc5ae21a79924	Mirai	mirai opendir
http://64.91.237.162/bins/sora.x86_64	7e8a271658bd0f9be6bf33a2ea92ce4fad4774aafac33c5b2caedf6417fd15ac	Mirai	mirai opendir
http://64.91.237.162/bins/sora.i468	n/a	n/a	elf ua-wget
http://64.91.237.162/bins/sora.i686	92575fbaacd79518241425e42a4cdacbf65def900864a48fc0b27504f78cbff4	Mirai	mirai opendir
http://64.91.237.162/bins/sora.mpsl	a3b52b958c8ea783c24f7a02fb57b5228fc1969791021519b42e14e58124e30d	Mirai	mirai opendir
http://64.91.237.162/bins/sora.arm4	n/a	n/a	elf ua-wget
http://64.91.237.162/bins/sora.arm5	6357efa12b55a6c1f2d555f6dbbe40a0ed2d5c1e2dced815347fa98881eeefcb	Mirai	mirai opendir
http://64.91.237.162/bins/sora.arm6	579e9db35f7d3e276a6fd3b2bb98091a12c58d4cb0cd0ed3ae3cdbfd19304b0a	Mirai	mirai opendir
http://64.91.237.162/bins/sora.arm7	a2a3eda8d88cb807ffc26480a5a40cf79ac74b135b8aadaa225fed856da77cef	Mirai	mirai opendir
http://64.91.237.162/bins/sora.ppc	773298e6d3a314ffe9554eeea412ac65fbb16cf4030acf0e2553c42a1f159bb2	Mirai	mirai opendir
http://64.91.237.162/bins/sora.ppc440fp	n/a	n/a	elf ua-wget
http://64.91.237.162/bins/sora.m68k	a25e8659220a59deaae914fc945fa6b31667bc0c7146a968bec1c4be9ffee9ed	Mirai	mirai opendir
http://64.91.237.162/bins/sora.sh4	0dd50416937f0bbb202464b09fb982739b34bde7d11834b78a137fc4659502de	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-14T17:40:00Z UTC

Last seen:

2025-10-14T19:48:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/4f330df2b5e0e3cac30d9f2907ccd155eba3fed8f3f5ebcb66650b542c183fec/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/084a921b-3c75-4cd2-aabb-e300f0b411c2

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/4f330df2b5e0e3cac30d9f2907ccd155eba3fed8f3f5ebcb66650b542c183fec

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4f330df2b5e0e3cac30d9f2907ccd155eba3fed8f3f5ebcb66650b542c183fec/

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2025-10-14 20:22:25 UTC

File Type:

Text (Shell)

AV detection:

23 of 38 (60.53%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j4zq34vv4dr4vqynt4uqptgrkxv2h7wy6p26xs3gmufvilayh7wa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:sora antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251014-y3475atsbv/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

UPX packed file

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Contacts a large (46567) amount of remote hosts

Creates a large amount of network flows

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4f330df2b5e0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/4f330df2b5e0e3cac30d9f2907ccd155eba3fed8f3f5ebcb66650b542c183fec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.