MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54f074f9741c2480533ce774637dae79d011ba9bc616e1215ad9ddf488e162f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	54f074f9741c2480533ce774637dae79d011ba9bc616e1215ad9ddf488e162f6
SHA3-384 hash:	2322b6a02ed0f6c8aada55177ef506d96df5c02779d5354026043aa1deb318ccd7387007027115dc31f41467658ef308
SHA1 hash:	a874100187ea57278aae5e504c4a38536e94c134
MD5 hash:	04dbcaf16b0c7e7bf92a85d6916241aa
humanhash:	uncle-double-virginia-grey
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'344 bytes
First seen:	2025-10-12 23:02:31 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItTZs3bhvkvlfrms/T10GgJH6HnLzKNIpKksHMEXh7szmcGgJslVpk:im1sVDL101aHLkJBxQzmBgJs5k
TLSH	T1F6615DFA134146379CAA8AD332A88508F164B49B94CE9F75DFDD28F99C8CEC93C41A41
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://143.20.185.225/00101010101001/morte.x86	3d241827f1484f1b5f563efc3d6f116f9346380a920ba93349d8d4dbceae9b4f	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.mips	ff9c2d0dcb7c4a5b58574473bcc5fae143b4360365b4692e6d4fa59fb2bac44a	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.arc	fc2f69664dd6fdef2e2863488657f4119b857758613de17704c4bea0edb3d705	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.i468	n/a	n/a	elf ua-wget
http://143.20.185.225/00101010101001/morte.i686	518faa4fee85b372113e37daa020f4e9484048e50e42941368cc26056c7680ef	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.x86_64	002b721da2bc498543d53ab4bcc641e976a15c696684a65d1366110df21e047a	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.mpsl	914b57aae4cf6c5531aeab24f6a3938ba5dcd2c28135d7c335b268c40c85d3fd	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.arm	0d8c79a42954c491d90b49dc10af15238c1074393e38ba89f7608e41fc7c17e2	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.arm5	41be03d1af06f01382a1a71a5e2601b19fa3e99a108fde20d8047045f80f61e9	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.arm6	a2ee8855a507124bd599a0255ee2f7d30b5087fe272df9430da1c5e01b813f82	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.arm7	332b0e4952931f17911218e567821cb8cb7e412bef0728056d830e36c4ead9ac	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.ppc	8e4a8babc19265eb83b123f623aa20e48d2655af0e7939e234af11eb50acb8db	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.spc	a552e30759dc66cbc35dc894d48071f4397366cc1658b79efd16d91a81d54b5f	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.m68k	932c003508cb926db5a6fb1db1cf9bc107f2ca0c3a97344f4723316115f297ee	Mirai	elf mirai ua-wget
http://143.20.185.225/00101010101001/morte.sh4	07b1adb027946202303d522c62c3efb2254bb498f343f49957aacf51e55a6d8b	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

no reply from clamd

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-12T21:10:00Z UTC

Last seen:

2025-10-14T10:39:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/54f074f9741c2480533ce774637dae79d011ba9bc616e1215ad9ddf488e162f6/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/7a98bfca-fe69-4524-b211-2ba5e97721bb

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/54f074f9741c2480533ce774637dae79d011ba9bc616e1215ad9ddf488e162f6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/54f074f9741c2480533ce774637dae79d011ba9bc616e1215ad9ddf488e162f6/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-12 23:03:36 UTC

File Type:

Text (Shell)

AV detection:

22 of 36 (61.11%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ktyhj6ludqsiauz4452gg7nophibdou3yylocik23ho7jchbml3a._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251012-21y5wa1lx6/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

uraniumc2.ddns.net

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/54f074f9741c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/54f074f9741c2480533ce774637dae79d011ba9bc616e1215ad9ddf488e162f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.