MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51fb02af385d80e4fed4eabaef5891900b3fa10082c925dd5b93c37dfeab8ba7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	51fb02af385d80e4fed4eabaef5891900b3fa10082c925dd5b93c37dfeab8ba7
SHA3-384 hash:	f35ee49b1c23b0cd6b55b57aa7735c7f97f84ca4a14a9ccb6a83e25f62110e25da860f36f309d42f179b120938a7258c
SHA1 hash:	d3497e7f0e2304926fe0b53524c0d28aa4a8a4cc
MD5 hash:	dd5e7f4e8bab509f4d5a761ec22e4a9e
humanhash:	apart-social-chicken-avocado
File name:	m
Download:	download sample
Signature	Mirai Create hunting rule
File size:	926 bytes
First seen:	2025-05-07 16:32:22 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:yRk5zOt+MB0O939XkYarYwnwnkYarYt5kYarYniikYard:4k5CEA0akprKkpr0kpr2kprd
TLSH	T1B51104CF00DCCBB615808AEDB5D38D1A644ED4C628D9CF89359F01E6A8CCF0D7854E5A
Magika	txt
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.142.53.233/arm	4e630d71a3ebf5faede6525d46ec1ce4880c2276b941e71f03fea47189efcbe4	Mirai	ddos elf mirai
http://185.142.53.233/arm5	71922b4599572f865e6446137409eddcca93ef567eeded9c2684c5adf9d33c72	Mirai	ddos elf mirai
http://185.142.53.233/arm6	b1d10651ccda9afdfb1876f967df8b4f2971283e928dfcbc6f867abc58581dcb	Mirai	ddos elf mirai
http://185.142.53.233/arm7	b530d6edb5659f75331fac721a888aaae428a06d6b3f658b1b0c9d23c4b75ba0	Mirai	mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Clean

Score:

82.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=681b8c1d91991ead82b5df07linux22vpnfull_triage

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/681b8b4c0b64e174c41c3f95/reports/eb9cbdc2-9f51-4fe6-a162-37c9075de01e/overview

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/51fb02af385d80e4fed4eabaef5891900b3fa10082c925dd5b93c37dfeab8ba7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/51fb02af385d80e4fed4eabaef5891900b3fa10082c925dd5b93c37dfeab8ba7/

Threat name:

Linux.Downloader.SAgnt

Status:

Malicious

First seen:

2025-05-07 16:35:31 UTC

File Type:

Text (Shell)

AV detection:

10 of 36 (27.78%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kh5qflzylwaoj7wu5k5o6wersaft7iiaqleslxk3spbx37vlrotq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250507-t3x2latwaz/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/51fb02af385d80e4fed4eabaef5891900b3fa10082c925dd5b93c37dfeab8ba7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.