MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b5d30ce0854edba215c967e9845f034e1f35be2b1c72552e27eea2509590bb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	5b5d30ce0854edba215c967e9845f034e1f35be2b1c72552e27eea2509590bb7
SHA3-384 hash:	a3be8955e8e22703f485bd6c876d0293b7d411535b12312c88401098ba8720ad0efb088b6b59982946ff3ff21d1ed867
SHA1 hash:	b121fbddbcdb30ed1aeb854e43f091a011459683
MD5 hash:	1efaae5c5b9c761f38fe3028fd5a107e
humanhash:	whiskey-mirror-oxygen-salami
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'142 bytes
First seen:	2025-11-08 18:39:00 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:N5sX5lnh55R5jzJ52L50b5875Th5t554Qv:NEBBPKk8n1Dv
TLSH	T1C541AFCA016A5134EC99D4AA22B7481C678A58EB4ACB1F7EEDD874F7804CC147DC3642
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://89.35.130.116/huhu/titanjr.x86_64	4ba70027fdfa176f4ce98a9b46e31070ac40738b0a9ef7f12fcbc126b806d47b	Mirai	elf mirai ua-wget
http://89.35.130.116/huhu/titanjr.x86_32	a1dab206a740808694a3a99b6f98f531b4b5df2eb9b5832efe87a3d928a45e50	Mirai	elf mirai ua-wget
http://89.35.130.116/huhu/titanjr.arm	9b9dbb95ba9e39c1706de99639adffa83a9cd25d33932218fc728f2578848950	Mirai	elf mirai ua-wget
http://89.35.130.116/huhu/titanjr.arm6	4c7da7f93f8645b3ec037c6cc501a382bbeecfd74a7b2444d0ec5cbebaa0cef6	Mirai	elf mirai ua-wget
http://89.35.130.116/huhu/titanjr.mips	c5f329b6c92027aa18f2055d5893c483f26ec6ece96a3ca65c5e24d55324e2cf	Mirai	elf mirai ua-wget
http://89.35.130.116/huhu/titanjr.mipsl	99c8064702b0727a422f9a8b38b7964472d41846acfed5aa2b933f05ba3fce26	Mirai	elf mirai ua-wget
http://89.35.130.116/huhu/titanjr.ppc	aecb17419e4a5aab5829745c9aef9ee2cc3f06926b151883589a89bc0dbde733	Mirai	elf mirai ua-wget
http://89.35.130.116/huhu/titanjr.spc	818d53bf873aaaa9be3683e53602a3c961c8faee11ef0b7ba92b778ccb0ed53b	Mirai	elf mirai ua-wget
http://89.35.130.116/huhu/titanjr.m68k	0dc1f23f1aa04089e0d5144ab48af826d4f3aad564f7b2e9ca465fb53ca467d6	Mirai	elf mirai ua-wget
http://89.35.130.116/huhu/titanjr.sh4	0feda0f2f68bfa767dc9430253144c5160a2b022362fa1319409c5e3aaa98045	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Gathering data

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-08T15:59:00Z UTC

Last seen:

2025-11-08T17:04:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/5b5d30ce0854edba215c967e9845f034e1f35be2b1c72552e27eea2509590bb7/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/d9789d78-84b1-4679-a518-359adecf8a23

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/5b5d30ce0854edba215c967e9845f034e1f35be2b1c72552e27eea2509590bb7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5b5d30ce0854edba215c967e9845f034e1f35be2b1c72552e27eea2509590bb7/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-08 18:39:17 UTC

File Type:

Text (Shell)

AV detection:

21 of 38 (55.26%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lnotbtqiktw3uik4sz7jqrpqgtq7gw7cwhdskuxcp3vckckzbo3q._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm credential_access defense_evasion discovery linux persistence

Link:

https://tria.ge/reports/251108-xaprastrdm/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5b5d30ce0854/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.