MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 625f679c32c1ecaf1051a219b874a06e8cdace0cedb7b2c0458282fdc94c248c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	625f679c32c1ecaf1051a219b874a06e8cdace0cedb7b2c0458282fdc94c248c
SHA3-384 hash:	deb0bfcfbfd0b2ab170460f7d33c47a88a8d8f49be321a134b00e168c0ffae4359bbd7d5e78687cbe2d36b3af690b3eb
SHA1 hash:	83ec62481372011209099213f805e2afbd92e2d8
MD5 hash:	22e649659177e0e427eeb324f04016b1
humanhash:	lamp-wisconsin-romeo-muppet
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'194 bytes
First seen:	2025-11-27 09:49:51 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:iw9/P9/dGVsw9u95w9V9/w9G95w9o9Vw9/89/UPFyRw9rV9rJhLw9b97w9E9ZLwm:iypdGVsxWl/y+UPFyRYQvL2hDuMJ6
TLSH	T1E16161F6014807346CE2AB9B627E804D3295969750FE7F26A7DC2CA44D8EFDCBC41663
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://41.216.189.185/00101010101001/S3o.x86	f3671912e920c0192b13ce4823deb94d0279a6811ceaa5a298ac2449ba4b114f	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.mips	177855572b18035ea4e6b5670b352028be6b382c1ecb67fbfff8d6c9a60230c5	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.arc	544c10d18002e0aa0d61e415160312171bc5773d87b509ebec2bccaad6427111	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.i468	n/a	n/a	elf ua-wget
http://41.216.189.185/00101010101001/S3o.i686	a8535d3f759f25d0e1b4cc2600c4618330ae5ccb5fbdedd751621d2e5ead66eb	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.x86_64	95983a3d1b34fdfeb7324de8a5bc22b1adc1481a0534c6d1672c48cab7f824eb	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.mpsl	86bf803fef0733d389528a4ff753384548f2d6800c8416d02657bbfb4ce3b837	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.arm	f88cd33bfce579378f84b0292c6742bd6694fa106d19d75c618f2f6a0bb33d76	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.arm5	2947d98fdd6bbbbfb124ab6fe4130bc607103e5c339744573ce6745e1fde68fd	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.arm6	4993faca41f1d8c2a44adb82741cf8b569a81eb02a76a8dc55a607e474efbf4c	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.arm7	91314409f98a8c03bc86ab0aefb2d2d09c769d2623218a6b5414f6b4bed4212e	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.ppc	85ff0534653f5fd0e74db6a1d22c80de1224e7af3b9e9c95761281bc4649132d	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.spc	ab19eb422ff1848dc460657921a8db9bb113fd5328de25289c7b79c982dd92a4	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.m68k	77746a9734fded35d458bae05497ee40d4d169c26daabed1abba75f0fae8ae42	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.sh4	23a8fef9e04345bcbfe4ceb393db7540418a589147c94a4436b18f033c2281dd	Mirai	mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/69281f13152f10c0af85bf4d/reports/e9bac8bc-f729-4bdf-88be-3612fa006194/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-27T07:06:00Z UTC

Last seen:

2025-11-28T23:59:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/625f679c32c1ecaf1051a219b874a06e8cdace0cedb7b2c0458282fdc94c248c/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/9cb2931e-1fa7-4db8-bb08-f5f6290a155e

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/625f679c32c1ecaf1051a219b874a06e8cdace0cedb7b2c0458282fdc94c248c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/625f679c32c1ecaf1051a219b874a06e8cdace0cedb7b2c0458282fdc94c248c/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-27 09:50:23 UTC

File Type:

Text (Shell)

AV detection:

20 of 36 (55.56%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mjpwphbsyhwk6ecruim3q5fan2gnvtqm5w33fqcfqkbp3skmesga._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux

Link:

https://tria.ge/reports/251127-lvyn6aer4z/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/625f679c32c1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/625f679c32c1ecaf1051a219b874a06e8cdace0cedb7b2c0458282fdc94c248c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.