MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54c17679f17896eb29bb02e7c44fd57af875570c1927f077f09f97a7fb53775d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	54c17679f17896eb29bb02e7c44fd57af875570c1927f077f09f97a7fb53775d
SHA3-384 hash:	e98c7e5f527de9c9093036cd9a92516362a0dc0cf3d0597867a3dcd7fa94be1d116071516b71490b30086721a3169572
SHA1 hash:	d8e591a48943503886810980b45d1a2caa718fab
MD5 hash:	a06361c8d975b81addd0b81d26178c04
humanhash:	jupiter-georgia-kansas-texas
File name:	dvr.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	667 bytes
First seen:	2025-12-19 01:19:29 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	12:t9EUTZD+UaHWlUo+UjHWlUOzv+UOzMHWlUK5IjD+UK5IMHWlU5D+UuHWq:t9EUTZKUMWlUnU7WlUOzmUOzGWlU65UF
TLSH	T1BB01F4EF006048595C94BA9F79634974700DAADFBCE54F4C948F1CB91E8FA18B415F58
Magika	batch
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.208.158.242/mips	0e1ab2890eef2d63ca248b23f71f63b0bb2654799a9147843f9a7fa197fe0818	Mirai	32-bit elf mirai Mozi
http://185.208.158.242/mpsl	f717ada653d0adf9a0f1a7c338c9b03521fdc0d8a78356dffc7226c47588dea7	Mirai	elf geofenced mips mirai ua-wget USA
http://185.208.158.242/arm4	n/a	n/a	elf ua-wget
http://185.208.158.242/arm5	fd853807beb17822d8654b02f8ab34feb54f60e2d844cdce29a0a4976725739c	Mirai	arm elf geofenced mirai ua-wget USA
http://185.208.158.242/arm7	c819cd3e58864a49bd657b76cf4d8959b82e39ce99acd9e2cfd4658172aa5d64	Mirai	arm elf geofenced mirai ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive expand lolbin mirai

Link:

https://www.filescan.io/uploads/6944a85684afa5547b5a264b/reports/a575c25c-6f69-47af-9a42-b1da4347a0d2/overview

Verdict:

Malicious

File Type:

text

First seen:

2025-12-18T23:37:00Z UTC

Last seen:

2025-12-18T23:59:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/54c17679f17896eb29bb02e7c44fd57af875570c1927f077f09f97a7fb53775d/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/ed333342-f05c-45a5-bda7-d9afd9bdcb21

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/54c17679f17896eb29bb02e7c44fd57af875570c1927f077f09f97a7fb53775d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/54c17679f17896eb29bb02e7c44fd57af875570c1927f077f09f97a7fb53775d/

Threat name:

Linux.Trojan.Generic

Status:

Suspicious

First seen:

2025-12-19 01:20:32 UTC

File Type:

Text (Shell)

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ktaxm6prpclowkn3alt4it6vpl4hkvymdet7a57qt6l2p62to5oq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251223-p7w8mszkgv/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/54c17679f17896eb29bb02e7c44fd57af875570c1927f077f09f97a7fb53775d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.