MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59fc56d62ed4addf42bf46b4a251e9bf5a736fe2e53c7e13f65ab887b241022b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8



SHA256 hash: 59fc56d62ed4addf42bf46b4a251e9bf5a736fe2e53c7e13f65ab887b241022b
SHA3-384 hash: 2cb9dd12df984b82486d4dac3a10fad6c1c0ca26b444ccce97448515f1d15a60d4ddc4624084de3158368b08617d8e93
SHA1 hash: 971a31279eed227b3fba17d76b4b410a5e7c672f
MD5 hash: 97422ce882dc1144e13fa279dc141b0a
humanhash: pasta-oxygen-bacon-floor
File name: 1.sh
Signature: Mirai
File size: 3'314 bytes
First seen: 2026-06-29 19:10:35 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:ItgpYZsg61bhgPSkgKllfgczmsg4PTgvDvGgJgt86gofnLgBDBNIpKksgSdMEgGc:iyJQN/38L1qTLKJlPIkHBgJsbk
TLSH: T14C6161FA23610F336CEA8AD772A84418714240DB94CF1FF59BEC68A95D8CFC9BC41681
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 58
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox downloader evasive
Verdict: Malicious
File Type: unix shell
First seen: 2026-06-29T16:20:00Z UTC
Last seen: 2026-07-01T13:13:00Z UTC
Hits: ~10
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-06-29 19:12:06 UTC
File Type: Text (Shell)
AV detection: 17 of 24 (70.83%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Family: Mirai
Malware Config
C2 Extraction: hjcddajltcsdas.hopto.org
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

Comments