MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a96fae1b29481f182219ce3b894a7180a432da54728a7d3f667c465cc9ad580. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	5a96fae1b29481f182219ce3b894a7180a432da54728a7d3f667c465cc9ad580
SHA3-384 hash:	61c29a8b4bed7fb78d9f0c7b3c61b2967ff5de3f5820d07af24d6f5e7e1bcb24b4a81bdc1b92eea4333ed8bfed5d1e51
SHA1 hash:	bade26119b1a1675f05f0df69bd50b0d217ffe8f
MD5 hash:	caf5577b07a182916ea3b62ef2f4733f
humanhash:	maine-freddie-ten-diet
File name:	sshd.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'620 bytes
First seen:	2025-12-10 16:46:38 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:2KU9SDOEDvdD8GD/9DprDRtiqDtitmDaED5+MLD2uvJDbFD/RDIGDEAzDj6:9npPJNfp/HVLnldPTzC
TLSH	T13551A0C912524F316CEFD92F77A588883184A9FB74C6DF64D9EE78FE448CE09B044A46
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://151.242.30.13/bins/x86	37f7a145112264b800b0d92a85bcc3ae6569fd50189e4080a9e13b0292df746c	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://151.242.30.13/bins/mips	8977246c2eec422c5afb958b7431376b315d6fe4676c7a85edeb6e04e66515db	Mirai	elf geofenced mips mirai opendir ua-wget USA
http://151.242.30.13/bins/arc	a24a51b3ea4777475bad5ad18c053d99707d85d0e816278e4a27058a919eb224	Mirai	arc elf geofenced mirai opendir ua-wget USA
http://151.242.30.13/bins/i468	n/a	n/a	elf ua-wget
http://151.242.30.13/bins/i686	51e5d00211eb3a69cd7796e2208a2010aa263ce3490cf19ced71bec279bd303b	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://151.242.30.13/bins/x86_64	2cfe3d9f0100eb65810c632cd830a0ab516ce17a86536dee646ad819776b700a	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://151.242.30.13/bins/mpsl	n/a	n/a	elf geofenced mips mirai opendir ua-wget USA
http://151.242.30.13/bins/arm	65ec93db8296b4ae09dd7a92272be5305f2c2ecd32566d73b07ae32eaf991056	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://151.242.30.13/bins/arm5	d4ac7e5c0f78e10f1fe63eb105a7f6c295ac5cc9b1cdc9eddeb2642acc51639e	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://151.242.30.13/bins/arm6	1f984d0ca8c9f8b92d0f34afd449b540206b6634730e2975b309d494bc682e13	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://151.242.30.13/bins/arm7	0a61672a8fa4115cc530b8b7651c20d5e9030af98f99ed92b35cdb6e8fc7c9e2	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://151.242.30.13/bins/ppc	cea109a1388edb5a1829d952637a0d9b37a48d8eee6fed0c2fe7b250085c707f	Mirai	elf geofenced mirai opendir PowerPC ua-wget USA
http://151.242.30.13/bins/spc	07019ea27232f2c0f528115a443e5b61fc45a53b05ccc28f60496ddd8a08b40a	Mirai	elf geofenced mirai opendir sparc ua-wget USA
http://151.242.30.13/bins/m68k	31c7ba1ae705063552f31e6deca1602468cfa6f93ed33e59b89312bb7dd0d8aa	Mirai	elf geofenced m68k mirai opendir ua-wget USA
http://151.242.30.13/bins/sh4	14d4af82d5566a2cd3a4f81aef840a0f5d4c6f62f95eee5d7ae9e838bccabdf3	Mirai	elf geofenced mirai opendir SuperH ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-11T02:26:00Z UTC

Last seen:

2025-12-11T03:12:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/5a96fae1b29481f182219ce3b894a7180a432da54728a7d3f667c465cc9ad580/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/e1cd77be-44e9-4be3-afc5-090a1834964c

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/5a96fae1b29481f182219ce3b894a7180a432da54728a7d3f667c465cc9ad580

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5a96fae1b29481f182219ce3b894a7180a432da54728a7d3f667c465cc9ad580/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-12-10 16:47:15 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lklpvynsssa7darbttr3rffhdafeglnfi4ukpu7wm7cglte22waa._file

Result

Malware family:

n/a

Score:

6/10

Tags:

discovery linux

Link:

https://tria.ge/reports/251210-valzaszjfp/

Behaviour

Reads runtime system information

Writes file to tmp directory

Enumerates running processes

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5a96fae1b294/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/5a96fae1b29481f182219ce3b894a7180a432da54728a7d3f667c465cc9ad580

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.