MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c9f8b254cb85abdf05baf043034d47d1c32b4e2249ca1a25e4f21c617645f2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	5c9f8b254cb85abdf05baf043034d47d1c32b4e2249ca1a25e4f21c617645f2f
SHA3-384 hash:	787c91ebe8335a16b22fb37a033e1d7ce950dfdade994bfa5089e090c24333611101665f1705c4a8fca78056a9c5aeda
SHA1 hash:	cc10c4442235daf11eebb53723976c73021ef27e
MD5 hash:	99b27bdfb5beb3ceed6715c915e60ee0
humanhash:	low-pasta-seventeen-william
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'314 bytes
First seen:	2025-07-08 23:11:13 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItNZsHbhFknlfDms3TBOGgJh6fnLP4NIpKks/ME3hRsHYcGgJsRRpk:iIFGdLjBO18fLyJ5RqHYBgJsxk
TLSH	T1866180FA1346463FACAACEE332A884047149409B95CE5FB55BEE2CF51C8CEC96C4165A
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.69.95/00101010101001/morte.x86	05310b8660041be2fc065b10f5e3552682a96328ea729cbef06ac2f4d9b90e83	Mirai	elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.mips	51187e3313a6eb3d216971154920fffe3eb5934f45591253a77d1e7502b42028	Mirai	elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.arc	ed67075b604a4e4ef9da5e3d8c5d65805c943c6912cd09ffaff7b9545c9df571	Mirai	elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.i468	n/a	n/a	elf opendir ua-wget
http://196.251.69.95/00101010101001/morte.i686	e8fd96cd277a25f91d504f2498e9cd2ae43b5cfc8496967807d3d40fc4473fb8	Mirai	elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.x86_64	85be94ab11a8e87c5645a30393b98307a4e784ff634402ec5aeb59d8644b558b	Mirai	elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.mpsl	40184fbf50c0d0258d78b8f38a83b0e0cb1315b80fdff27887387f8304eb93ab	Mirai	elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.arm	88844b8b2e3d2f04e5f65fc885186bd91027a968dadf7183287e7d1d7f6f291f	Mirai	elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.arm5	45d4741837c95127ad9887e696fafd69f6dd37ace0a891cbd62abfc24d040cb4	Mirai	elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.arm6	55bd81bc000ebd24dc7571b745420bb1faf9607112da3723482fe5f045cd67de	Mirai	elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.arm7	2d7ac5ba36cc73adcfc53e78fbe8e156a7bbbcaaec8e833d83f3e562d8030a94	Mirai	elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.ppc	d9787c1edf201fbf158ab62554ea6369387e002551a07f97f50629ec6bd706e4	Mirai	CoinMiner elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.spc	1f40f43a66f215886efa655b96a8f8dace7502940485c266bb141e67fd04d6f7	Mirai	elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.m68k	64167acd17aac2637cbb4dd84f0159a2395e0f1f9057f1f471bbe37646b9c20a	Mirai	elf mirai opendir ua-wget
http://196.251.69.95/00101010101001/morte.sh4	23e3d7a1ea1eb6be1b0ed170f1c0fe7126fcbaf5da1e1358507b5553d9da5f07	Mirai	elf mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686da59cc9eb97473767b509linux22vpnfull_triage

Tags:

downloader phishing trojan agent

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/50a30e2b-c24a-42e1-a58c-f8d52f67bef7

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/5c9f8b254cb85abdf05baf043034d47d1c32b4e2249ca1a25e4f21c617645f2f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5c9f8b254cb85abdf05baf043034d47d1c32b4e2249ca1a25e4f21c617645f2f/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-08 23:11:21 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lspywjkmxbnl34c3v4cdangupuodfnhcesokdis6j4q4mf3el4xq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery execution linux persistence upx

Link:

https://tria.ge/reports/250708-26ecnafl6x/

Behaviour

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

abc.galaxias.cc

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5c9f8b254cb85abdf05baf043034d47d1c32b4e2249ca1a25e4f21c617645f2f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.