MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50de2de4e0d17e5815c7a27c097b4cda9f136e7dd639fe8c054c5ef5761b0f50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	50de2de4e0d17e5815c7a27c097b4cda9f136e7dd639fe8c054c5ef5761b0f50
SHA3-384 hash:	5e4feaa14d6fd46433c82519dc1c2b13267c84ee1a943fc4e20e9b7ccdf82fefd2da7771d70747525af84e6d57c01b65
SHA1 hash:	664b8406746ee1e16aa7fc702e0851856063243e
MD5 hash:	f8114cef626e0e17ed77b3b4c612db6e
humanhash:	friend-uranus-alanine-spaghetti
File name:	pay
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'904 bytes
First seen:	2026-01-29 16:34:40 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:JCkp0FrglwumCX0FrGIlGyT71X0FrBNilBVwWeBo0FrCl13zYaX0Fr1LlzQO0FrJ:ItXumCsRGXtJSO/QL5xuMkscjCAshn4g
TLSH	T10341C4C81B921835ED56BA7A33B9080032F97A939CEB5A5053FAF8F5449DF08287174E
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://81.94.151.189/bins/astro.x86	ed812f1ea95712e8d9047e40e11b16deef7d52b78fe9a0c518d2c1cc345a29e6	Mirai	elf mirai
http://81.94.151.189/bins/astro.mips	936d6c1a6cff713caaceeb9154f5d8c8d4a0608c60f3d2272f429c3e751e8f18	Mirai	elf mirai
http://81.94.151.189/bins/astro.mpsl	6b458fbc1a63cb770788942f342fba2ac9ce82dd48dddf5f43394f53253d1bde	Mirai	elf mirai
http://81.94.151.189/bins/astro.arm4	n/a	n/a	elf ua-wget
http://81.94.151.189/bins/astro.arm5	770794251f42253b66fa1689a61419bab97805a0f785afd9e43c8acdeb211bcb	Mirai	elf mirai
http://81.94.151.189/bins/astro.arm6	da613a27cbdb9b59c3e33ab0bdd0f373784b40f15d731fc357cf4dcfa3437bac	Mirai	elf mirai
http://81.94.151.189/bins/astro.arm7	9bc64e57530bee4ea3b2ef51f6ed149286ac968f49c62887a137d1504d3e9694	Mirai	elf mirai
http://81.94.151.189/bins/astro.ppc	2471023cf6b6dfcb2af3c9ee921d5416c8d460cb4875be863237d2ff9fb10dfd	Mirai	elf mirai
http://81.94.151.189/bins/astro.m68k	bc99a099a6938268f9ad972d4b4c29bc826f00687aee1630ddae87dfba6f4820	Mirai	elf mirai
http://81.94.151.189/bins/astro.sh4	c1e5034618b2140ab4b3dba6107593f0f1ed44c61242b6a2e11d468335dfb9bb	Mirai	elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox medusa mirai

Link:

https://www.filescan.io/uploads/697b8c57d91d37abdd6497d9/reports/b6edede7-b8aa-4d41-b78f-8947b592cc72/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-29T13:42:00Z UTC

Last seen:

2026-01-30T12:53:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen

Link:

https://opentip.kaspersky.com/50de2de4e0d17e5815c7a27c097b4cda9f136e7dd639fe8c054c5ef5761b0f50/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/26f6f7a5-8645-4190-a1b6-c1ab743075c6

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/50de2de4e0d17e5815c7a27c097b4cda9f136e7dd639fe8c054c5ef5761b0f50

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/50de2de4e0d17e5815c7a27c097b4cda9f136e7dd639fe8c054c5ef5761b0f50/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/50de2de4e0d17e5815c7a27c097b4cda9f136e7dd639fe8c054c5ef5761b0f50

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-01-29 16:29:18 UTC

File Type:

Text (Shell)

AV detection:

21 of 36 (58.33%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kdpc3zha2f7fqfohuj6as62m3kprg3t52y475dafjrppk5q3b5ia._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:sora botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260129-t3y9nahy5e/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Contacts a large (49020) amount of remote hosts

Creates a large amount of network flows

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/50de2de4e0d1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/50de2de4e0d17e5815c7a27c097b4cda9f136e7dd639fe8c054c5ef5761b0f50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh