MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5316df86854e8f99b024a8039843b12275fc3a10c8680d3393e699d735bb4bef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	5316df86854e8f99b024a8039843b12275fc3a10c8680d3393e699d735bb4bef
SHA3-384 hash:	c8ce18516ad553edb6d7ca5ca32fe38d948b42aa5f5135b2745c9a5baad942173955fcf4da76efcc4716ce7094ccc73e
SHA1 hash:	e8236dd7cbaf78980868bcfb7735976eb3a94e00
MD5 hash:	717411451d46f3aa422d3097e9625fee
humanhash:	september-lemon-eleven-bakerloo
File name:	test.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'531 bytes
First seen:	2025-09-17 15:17:34 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	48:UITUTbsIidsI3r3U/sIUq0sI1usI+5sI2M2BsISlS0sIvCsIz+sIgaYsIKZ/sIjs:UITUTQIiGI7RIUAI1vI+yI2M2KISKIvU
TLSH	T16D5196CD17321F712D529DB672AB4458B3A6A4CBB4890E0798DC38F5C08CE0577D1EE5
Magika	csv
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://64.188.8.180/systemcl/arc	n/a	n/a	elf ua-wget
http://64.188.8.180/systemcl/arm	a2812bf91c1836b0749615f8c92f49b055ed1152a0cfcb03cffb4473388ae1f9	Mirai	elf mirai
http://64.188.8.180/systemcl/arm5	467ca3ecdb388a31f9687f3f93134ae992fbfbe2936cfbd700c3d198b3b65ecb	Mirai	elf mirai
http://64.188.8.180/systemcl/arm6	7a4627901da5e02ceacaf688cc103b4944a3cf75b4f1f4316ee638893eaa4104	Mirai	elf mirai
http://64.188.8.180/systemcl/arm7	1745a1dc09e108e719186017f4d6f10e1835aa4ba3f74b50b8394e3268c66524	Mirai	elf mirai
http://64.188.8.180/systemcl/m68k	19abfca0200531ee5ddc2dd7bc4454af84d9ffe0ef2e12cd2a54fc828ebdc659	Mirai	elf mirai
http://64.188.8.180/systemcl/mips	ad42066092b60784e1579fb3742cf3a41450dacc13b254e9c3a0c5b84aaf0db4	Mirai	elf mirai
http://64.188.8.180/systemcl/mpsl	7365564e3fc5bc60caa91eb8b6b87a6d8da423389be87134899fcd0caaeb3242	Mirai	elf mirai
http://64.188.8.180/systemcl/ppc	abfd19ac36a02a8d3552a65a6e023b7499af427f7ea558cbc5064b8475bd955e	Mirai	elf mirai
http://64.188.8.180/systemcl/sh4	b5d5a320320766751e9a1e31bc6ff850196e0c3f0b5baee15eee600b8a3cdae2	Mirai	elf mirai
http://64.188.8.180/systemcl/spc	2b4e44a8a37c63ce0a2c007bb22d903ae9d13b643b6b556f4d15199926cdd54c	Mirai	elf mirai
http://64.188.8.180/systemcl/x86	2e9b4bb064c078485eab38389da45cfecd1f865d77cd5c199ae3c2fe195daf72	Mirai	elf mirai
http://64.188.8.180/systemcl/x86_64	47a0fa2b9aa3ebdb48324d5ad43903187a528176193716db81991191b3d3b230	Mirai	elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-17T12:51:00Z UTC

Last seen:

2025-09-17T12:51:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/5316df86854e8f99b024a8039843b12275fc3a10c8680d3393e699d735bb4bef/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/8daaaf42-10b2-4b24-8037-bf15740bc80a

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/5316df86854e8f99b024a8039843b12275fc3a10c8680d3393e699d735bb4bef

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5316df86854e8f99b024a8039843b12275fc3a10c8680d3393e699d735bb4bef/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-09-17 14:57:23 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kmln7bufj2hztmbevabzqq5rej27yoqqzbua2m4t42m5onn3jpxq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250917-spspaafl6x/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/5316df86854e8f99b024a8039843b12275fc3a10c8680d3393e699d735bb4bef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.