MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c72a1e4915ec8bf92686718745b0b7ed24d8a513b620e9470557c363106932d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	5c72a1e4915ec8bf92686718745b0b7ed24d8a513b620e9470557c363106932d
SHA3-384 hash:	7a7577cb8975ae29526a10f36e17f924bd2c14067b094815a2d8bb02bc24ef7ef1e27dc656b4f7ced595b018741060ba
SHA1 hash:	c2b8f27b9a0053bb1090ab4b1aeb46f1ccb7cc9b
MD5 hash:	c6cb224d848583e9d1ba2f2ad3d135c0
humanhash:	stairway-three-may-undress
File name:	2.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'212 bytes
First seen:	2025-11-20 03:31:42 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:/4LdGVVeHa04cUPFy+MRJh+JB0ryA/NvsuNN:/4LdGVVeHa04cUPFy+LJB0ryA/NVN
TLSH	T1746172F6518807356CE2AB97627D4048709692A740FA7F23A7DC38B15D8DFDCBC41663
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://41.216.189.110/00101010101001/S3o.x86	d3f10f6d5e3c2b912e20a40579c75536930b660f07129c21bbd9788ac4efc728	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.110/00101010101001/S3o.mips	21782793f8c22a44cc00c57d28fc4468469c09be0879bae0921e423ff5a55f17	Mirai	elf geofenced mips mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.arc	20b10e19db7094870b5c049dfab380a9af22bf0ab6b857d016f6e1870e0555a6	Mirai	arc elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.i468	n/a	n/a	elf ua-wget
http://41.216.189.110/00101010101001/S3o.i686	66f67c3960faab5dafa836ccaf9bc63733dc49a84e972fdd81bc47c45e6eb5fa	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.110/00101010101001/S3o.x86_64	13c4df50e1cac452500fa11a328b86e70414281a294016b02151dff0152faf5c	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.110/00101010101001/S3o.mpsl	5c08ebe6558b86f3ab363b062cefb8e699a27f699d7d1e4cc67d90fb3e5766c6	Mirai	elf geofenced mips mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.arm	fbe97ea7d5fad0c72fe5249bbfadff0d9c0f5ec90b0bcd4b1ad354bba51abba4	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.arm5	48494bc2a98774569b60d6e657af2c1c781be83867fe60a12a8fa2f4279964b6	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.arm6	86d1089b91ce9ce616774fee8146704ea26f33188be13aa4aba1efff6c5ec79c	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.arm7	759b7b535e312929274b186c9baa02472a9cc3731e56c997c8fdf401a7dd9a61	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.ppc	81f81e4ad3508cd865b9245b2c856241111d01b7fa839f20e202815589a0f043	Mirai	elf geofenced mirai opendir PowerPC ua-wget USA
http://41.216.189.110/00101010101001/S3o.spc	3789076d4c74180c9ea1f824f606fb32b2ef97c635cc8f567cd8b0bd598ca2e8	Mirai	elf geofenced mirai opendir sparc ua-wget USA
http://41.216.189.110/00101010101001/S3o.m68k	bb719d6a4197953f3bf91eff21abb3692df553e35cf0c78a87ca25834731b6dd	Mirai	elf geofenced m68k mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.sh4	a1cbc4b0188f1476ed7c316842583952b48c0069473d00b1b212fac91764450f	Mirai	elf geofenced mirai opendir SuperH ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive medusa mirai

Link:

https://www.filescan.io/uploads/691e8bc39c3a35e61022f5b2/reports/84b7b095-871f-46f0-becc-62ebe16455a5/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-19T23:08:00Z UTC

Last seen:

2025-11-20T12:02:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/5c72a1e4915ec8bf92686718745b0b7ed24d8a513b620e9470557c363106932d/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/76c98e51-fe1d-4b5d-b537-cd9979388a1b

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/5c72a1e4915ec8bf92686718745b0b7ed24d8a513b620e9470557c363106932d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5c72a1e4915ec8bf92686718745b0b7ed24d8a513b620e9470557c363106932d/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-20 03:32:20 UTC

File Type:

Text (Shell)

AV detection:

20 of 36 (55.56%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lrzkdzerl3el7etim4mhiwylp3je3csrhnra5fdqkv6dmmigsmwq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/251120-d3r8cabm2y/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/5c72a1e4915ec8bf92686718745b0b7ed24d8a513b620e9470557c363106932d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.