MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cea6237f2e47265f9bd38c0c907adeab2a5e4000e4770f6ad1c757955a95059. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 4

Intelligence 4 IOCs YARA 2 File information Comments

SHA256 hash:	5cea6237f2e47265f9bd38c0c907adeab2a5e4000e4770f6ad1c757955a95059
SHA3-384 hash:	9fc7ec4e9dffc8b85208768047e01b8c64a754f269c85dc94f0ec2330be0b0174ccc8e5321bb6330015a8a6dd0272557
SHA1 hash:	a25eb873bdc6304b0cf44e03d8a581c305b5a160
MD5 hash:	84fd6b6633d1becafe28dedd80ef1b1a
humanhash:	twelve-double-eighteen-fix
File name:	test.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'531 bytes
First seen:	2025-08-21 07:52:26 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	48:UWabsfsWvU/sE0sNs5sD3Bs5w0sXsHsGYsD/s5f:UWaQUua2yD3KGcMGtop
TLSH	T10E5165CD17B376312D96D97272AE4488B6B2A0A630C91F4B98DD38F5C49CF053271EB6
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://161.97.74.69/systemcl/arc	n/a	n/a	elf ua-wget
http://161.97.74.69/systemcl/arm	a2812bf91c1836b0749615f8c92f49b055ed1152a0cfcb03cffb4473388ae1f9	Mirai	32-bit elf mirai Mozi
http://161.97.74.69/systemcl/arm5	467ca3ecdb388a31f9687f3f93134ae992fbfbe2936cfbd700c3d198b3b65ecb	Mirai	elf mirai ua-wget
http://161.97.74.69/systemcl/arm6	7a4627901da5e02ceacaf688cc103b4944a3cf75b4f1f4316ee638893eaa4104	Mirai	elf mirai ua-wget
http://161.97.74.69/systemcl/arm7	1745a1dc09e108e719186017f4d6f10e1835aa4ba3f74b50b8394e3268c66524	Mirai	elf mirai ua-wget
http://161.97.74.69/systemcl/m68k	19abfca0200531ee5ddc2dd7bc4454af84d9ffe0ef2e12cd2a54fc828ebdc659	Mirai	elf mirai ua-wget
http://161.97.74.69/systemcl/mips	ad42066092b60784e1579fb3742cf3a41450dacc13b254e9c3a0c5b84aaf0db4	Mirai	32-bit elf mirai Mozi
http://161.97.74.69/systemcl/mpsl	7365564e3fc5bc60caa91eb8b6b87a6d8da423389be87134899fcd0caaeb3242	Mirai	elf mirai ua-wget
http://161.97.74.69/systemcl/ppc	abfd19ac36a02a8d3552a65a6e023b7499af427f7ea558cbc5064b8475bd955e	Mirai	elf mirai ua-wget
http://161.97.74.69/systemcl/sh4	b5d5a320320766751e9a1e31bc6ff850196e0c3f0b5baee15eee600b8a3cdae2	Mirai	elf mirai ua-wget
http://161.97.74.69/systemcl/spc	2b4e44a8a37c63ce0a2c007bb22d903ae9d13b643b6b556f4d15199926cdd54c	Mirai	elf mirai ua-wget
http://161.97.74.69/systemcl/x86	2e9b4bb064c078485eab38389da45cfecd1f865d77cd5c199ae3c2fe195daf72	Mirai	32-bit elf mirai Mozi
http://161.97.74.69/systemcl/x86_64	47a0fa2b9aa3ebdb48324d5ad43903187a528176193716db81991191b3d3b230	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/7baaab02-2bb0-4faf-bf39-e33378de5587

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/5cea6237f2e47265f9bd38c0c907adeab2a5e4000e4770f6ad1c757955a95059

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5cea6237f2e47265f9bd38c0c907adeab2a5e4000e4770f6ad1c757955a95059/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-08-21 06:35:29 UTC

File Type:

Text (Shell)

AV detection:

21 of 36 (58.33%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ltvgen7s4rzgl6n5hdamsb5n5kzklzaabzdxb5vndr2xsvnjkbmq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250821-jrz2ps1px4/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/5cea6237f2e47265f9bd38c0c907adeab2a5e4000e4770f6ad1c757955a95059

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.