MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f6d315261a928c32802d53c6ca693c57affda17939b3a7290ed5d8ea9138f4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	5f6d315261a928c32802d53c6ca693c57affda17939b3a7290ed5d8ea9138f4a
SHA3-384 hash:	842c2415d4e915a9566a904cd8ded8cd9d5d4cbdcbcbf2f74c05491ee40e68d6c81dfc767ebaa13469bab44194821d72
SHA1 hash:	2837f44a08d92758db975b150726dd2aed11a4ed
MD5 hash:	c46841de88d00810142be7753b8b81c0
humanhash:	king-hotel-arizona-speaker
File name:	ok
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'778 bytes
First seen:	2025-11-21 22:40:51 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vJACyfJMO3GJ//JJllXnJOwjJhBEJRURWTJRRGJF7Frb0SolJ6sCsKe3JZeZgrBw:vJACyfJMO3GJ//JJllXnJOwjJhBEJyke
TLSH	T1545142DD2AA05A215810D8BAF2AAC5CC7195A2F71CBAEF4098DF36F5C06CD447C7C762
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://83.150.218.225/SupplySrvarm	bc8e56b086d6dff8c4bbc0024306f2f368dad282fb69e01f832facedd66f52c5	Mirai	arm elf geofenced mirai ua-wget USA
http://83.150.218.225/SupplySrvarm6	3be70fc3e9f54f38da5acb854babcce2bea80d5a38987dabd9d60c9dde6d917c	Mirai	arm elf geofenced mirai ua-wget USA
http://83.150.218.225/SupplySrvarm5	n/a	n/a	elf ua-wget
http://83.150.218.225/SupplySrvarm7	n/a	n/a	elf ua-wget
http://83.150.218.225/SupplySrvm68k	37444aaf2a15551e182f35b0501adb44ae52705c0b385d709e822ee18ae6b286	Mirai	elf geofenced m68k mirai ua-wget USA
http://83.150.218.225/SupplySrvmips	d4cd65f586307579b6eba2540779633ae3e7a68906b6ca3a772e99532fedd605	Mirai	elf geofenced mips mirai ua-wget USA
http://83.150.218.225/SupplySrvmpsl	e33743491df24ba92b79656fea6b398302042a6d07bbff9bbf254243317b1f7e	Mirai	elf geofenced mips mirai ua-wget USA
http://83.150.218.225/SupplySrvppc	964b22f03b8c29dd5a24b8b2bd5648eaec1a750ada4e0f1a4a001e9f2dc27bb7	Mirai	elf geofenced mirai PowerPC ua-wget USA
http://83.150.218.225/SupplySrvsh4	abe2a6cf5eeb276ef68c627032aea68f769e049203fe29d3c5a565c7fb68475a	Mirai	elf geofenced mirai SuperH ua-wget USA
http://83.150.218.225/SupplySrvspc	24b8846706503e38321a71be85d68169326030a20a8efb64bedc8145103d22ee	Mirai	elf geofenced mirai sparc ua-wget USA
http://83.150.218.225/SupplySrvx64	16b870f6de57049a36b6a8b6c8ce5610efa69cb5b6d6495d82d549cb74bd38bb	Mirai	elf geofenced mirai ua-wget USA x86
http://83.150.218.225/SupplySrvx86	dddd16cb5c5e035211360a5458544611738fc8571ced8ba4138e5e13158c9cbe	Mirai	elf geofenced mirai ua-wget USA x86

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive medusa mirai

Link:

https://www.filescan.io/uploads/6920ea92eecb08e4aa442778/reports/c56a7d44-a8bf-4089-a233-cb96ff30c77a/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-21T20:55:00Z UTC

Last seen:

2025-11-21T23:42:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/5f6d315261a928c32802d53c6ca693c57affda17939b3a7290ed5d8ea9138f4a/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/7a57bf5d-098f-4ec2-a743-2ddd2938dc57

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/5f6d315261a928c32802d53c6ca693c57affda17939b3a7290ed5d8ea9138f4a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5f6d315261a928c32802d53c6ca693c57affda17939b3a7290ed5d8ea9138f4a/

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2025-11-21 22:41:23 UTC

File Type:

Text (Shell)

AV detection:

15 of 24 (62.50%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l5wtcutbveumgkac2u6gzjutyv5p7wqxsontu4uq5voy5kitr5fa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:owari antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251121-2l9ytswpgv/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Enumerates active TCP sockets

Enumerates running processes

Modifies Watchdog functionality

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Malware Config

C2 Extraction:

sophos1997.camdvr.org

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5f6d315261a9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.31

Link:

https://yomi.yoroi.company/submissions/5f6d315261a928c32802d53c6ca693c57affda17939b3a7290ed5d8ea9138f4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.