MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e3f7ec55b3f15b049e594a50bc20e8b655d1b33fe74f120cff586f24e1970a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	5e3f7ec55b3f15b049e594a50bc20e8b655d1b33fe74f120cff586f24e1970a0
SHA3-384 hash:	f91131a868b19c56f2d84b89fc68513cd4e79b900cdfeec412a1603430e40d796a3e79cf77c91a083280527ed4fe7faf
SHA1 hash:	ceaa16f9073823811db0f4b27cbe3e15beed3d87
MD5 hash:	3c43534228b73697fe111a21e17ff0a5
humanhash:	bulldog-speaker-football-sixteen
File name:	i
Download:	download sample
Signature	Mirai Create hunting rule
File size:	4'856 bytes
First seen:	2025-12-18 23:32:26 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	96:1xAPxH2lFcbpXH2dYHeE/ljaxBgHdXHGtCoXHssHK7H3THM:YR/XWdY+E/ljax2HdXmtXXMsq7XTs
TLSH	T1E5A119D9787117B7CDE2AD28F615493F3046C2C49C76DFB4E45DB0BDB8ABD88A200945
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://158.94.208.162/z/89/mips	1ef86f38b7e44a7511f09e4bec9a1da105e70db6d522467ac14b4ea42df632c9	Mirai	elf mirai ua-wget
http://158.94.208.162/z/89/mpsl	b3af651dbf2ffce881ed5539fcb7a3371f94f301eb4f7ac757d6aba63e5e1038	Mirai	elf mirai ua-wget
http://158.94.208.162/z/89/x86_64	9c033cf8304f0ed83cbba11c153b4fa29d766a90e57b1e8b715b9d25ef05ed76	Mirai	elf mirai ua-wget
http://158.94.208.162/z/89/arm4	n/a	n/a	elf ua-wget
http://158.94.208.162/z/89/arm5	71ecf29f0548ecb0051046067bf46b3966c596a554bde739db08900b38198918	Mirai	elf mirai ua-wget
http://158.94.208.162/z/89/arm6	28d8a15cfb38b9e56722fac60e7b53c84f53fcd678a62f67e82312be67b88bd7	Mirai	elf mirai ua-wget
http://158.94.208.162/z/89/arm7	8730e029d0f40e909494760198bd41b3a6aa44843a8968910cff20dea0fc35ca	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox medusa mirai virus

Link:

https://www.filescan.io/uploads/6944ee27e126b9ff43883cac/reports/43cac1d9-18e6-42cb-9a17-25169f144d3e/overview

Verdict:

Malicious

Labled as:

Linux.Medusa.C.Generic

Link:

https://www.hybrid-analysis.com/sample/5e3f7ec55b3f15b049e594a50bc20e8b655d1b33fe74f120cff586f24e1970a0

Verdict:

Malicious

File Type:

text

First seen:

2025-12-18T23:21:00Z UTC

Last seen:

2025-12-19T13:03:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/5e3f7ec55b3f15b049e594a50bc20e8b655d1b33fe74f120cff586f24e1970a0/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/2a6d3261-4abd-4690-b720-49f62e2890ec

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/5e3f7ec55b3f15b049e594a50bc20e8b655d1b33fe74f120cff586f24e1970a0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5e3f7ec55b3f15b049e594a50bc20e8b655d1b33fe74f120cff586f24e1970a0/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-12-19 00:10:55 UTC

File Type:

Text (Shell)

AV detection:

12 of 24 (50.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ly7x5rk3h4k3aspfsssqxqqornsv2gzt7z2pcigp6wdpetqzocqa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251223-p53bwazkcx/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/5e3f7ec55b3f15b049e594a50bc20e8b655d1b33fe74f120cff586f24e1970a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh