MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 543cbc7724eee94c5c81c785982d5753b7c599c4326155084ecc664e20477236. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	543cbc7724eee94c5c81c785982d5753b7c599c4326155084ecc664e20477236
SHA3-384 hash:	5ebae524e837b37507d87ef1be067640a6cafdfb37f5ede689ab36afe298d0d9d5819e481f3b049294213cc0b6d851b1
SHA1 hash:	214ed7c293b9e77109ea7f74837455f0a1badcf1
MD5 hash:	4dadf514cba35ffd566cac4445eccbca
humanhash:	social-cup-carolina-michigan
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'017 bytes
First seen:	2025-07-13 22:46:51 UTC
Last seen:	2025-07-14 08:19:38 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:YeG6erMeUae3se9UelgeE1E1eOqedOLecoJe3YeVQesKe8v8BgJseJUk:YeG6erMeUae3se9UelgeaWeOqedOLec9
TLSH	T1DD5168E7238197372CBB9EDB77AA4405724251DBA8CF2F7955DCB4E945CDE08B040B41
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://194.26.192.12/bins/morte.x86	6b89288f82c10313cc04d6801994f61ae0f454a8e49ae902416549475d22563e	Mirai	mirai opendir
http://194.26.192.12/bins/morte.mips	db7c3f4a4d9955f60e2428d33081b7516d2b05a554549ef7435ad5f0da26aebc	Mirai	mirai opendir
http://194.26.192.12/bins/morte.arc	bc7ba0be21d0bd4d5f8ffba11fb517a6128ed67aaee485f4e9ad55ebb206dfd7	Mirai	mirai opendir
http://194.26.192.12/bins/morte.i468	n/a	n/a	elf ua-wget
http://194.26.192.12/bins/morte.i686	ec6877d780e5c08a52316ed53c1e24688df1bb77573a73552807b446682303e1	Mirai	mirai opendir
http://194.26.192.12/bins/morte.x86_64	0f3d5843dbea20320950015e6b16d397ead64d3a0cc0c0c9d236ab0c329e5c3c	Mirai	mirai opendir
http://194.26.192.12/bins/morte.mpsl	6a381680badfe72a680a7ebbac5a87b69b92bef8cf495dea18c08768ae4a8104	Mirai	mirai opendir
http://194.26.192.12/bins/morte.arm	1e084f768e6f712bd7a6550bfd1d6651475110be15afdaf20ea165035e41825b	Mirai	mirai opendir
http://194.26.192.12/bins/morte.arm5	bb58685e750ea7ea86ef5e8e0272309259225751e891a8180edeb43f00e12237	Mirai	mirai opendir
http://194.26.192.12/bins/morte.arm6	fc5cd925ce297000ca57784ead53c74be59b7f1947fe30fc596b8288b58e34ac	Mirai	mirai opendir
http://194.26.192.12/bins/morte.arm7	f668ad9e7208fb93503504745e844534c2f1cd03bb8be6580ceb107b2f3e5c1f	Mirai	mirai opendir
http://194.26.192.12/bins/morte.ppc	4c2307922752b1dda4168efb06f7f577df1e1a6b559b16e290533fa875bbfb67	Mirai	mirai opendir
http://194.26.192.12/bins/morte.spc	600fc077b364f1e19774afc961c350ca78168a7c89985b8d649d18a784bb54ca	Mirai	mirai opendir
http://194.26.192.12/bins/morte.m68k	b34ab7b3235520d509129dbf8ce61fa4aaf07c689caf1086678d209c2bdfb15f	Mirai	mirai opendir
http://194.26.192.12/bins/morte.sh4	aeaca0a823b1c1ba1fef65021e4435d355d8da6763b976bfecfe002a17023b80	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/70064260-f136-4734-bacf-bbadc12f672d

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/543cbc7724eee94c5c81c785982d5753b7c599c4326155084ecc664e20477236

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/543cbc7724eee94c5c81c785982d5753b7c599c4326155084ecc664e20477236/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-13 22:48:02 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kq6ly5ze53uuyxeby6czqlkxko34lgoegjqvkccozrte4ichoi3a._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery execution linux persistence upx

Link:

https://tria.ge/reports/250713-2qqezswtds/

Behaviour

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/543cbc7724eee94c5c81c785982d5753b7c599c4326155084ecc664e20477236

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.