MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 625f679c32c1ecaf1051a219b874a06e8cdace0cedb7b2c0458282fdc94c248c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	625f679c32c1ecaf1051a219b874a06e8cdace0cedb7b2c0458282fdc94c248c
SHA3-384 hash:	deb0bfcfbfd0b2ab170460f7d33c47a88a8d8f49be321a134b00e168c0ffae4359bbd7d5e78687cbe2d36b3af690b3eb
SHA1 hash:	83ec62481372011209099213f805e2afbd92e2d8
MD5 hash:	22e649659177e0e427eeb324f04016b1
humanhash:	lamp-wisconsin-romeo-muppet
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'194 bytes
First seen:	2025-11-27 09:49:51 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:iw9/P9/dGVsw9u95w9V9/w9G95w9o9Vw9/89/UPFyRw9rV9rJhLw9b97w9E9ZLwm:iypdGVsxWl/y+UPFyRYQvL2hDuMJ6
TLSH	T1E16161F6014807346CE2AB9B627E804D3295969750FE7F26A7DC2CA44D8EFDCBC41663
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://41.216.189.185/00101010101001/S3o.x86	9637633bd1a0b2f9f4caabdf6bec6813c226e8e59a40dd135a3616c7fcce6c9b	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.mips	d93eaf1c83df36d8892e04725ac14233f1fe8b0a02fd9b74336563a1bce21022	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.arc	6901b00d7e4aa059db5e07cefa1119074374f414aa24f2d6d64dc287b8a91889	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.i468	n/a	n/a	elf ua-wget
http://41.216.189.185/00101010101001/S3o.i686	efdedf4d6d4ee19fa6ba6b6913f8ddaaa7c8a2dae07cd750979b40e2445108e5	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.x86_64	f42a960c0a6d49d775374265809840f3f3a234e7494352c2d8849191df802e3a	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.mpsl	f8ad4daab6d3dcba4d818dc0063b7f31778a253283695fd2940baa30a5ed3816	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.arm	58a05c7c581576e5ff5b000871f2fde3bf21f8456b042a254b6dbcd891354f95	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.arm5	899181b984d763d03e4149a899b98bfffa8d2491a9b5be8395425ec6a0c620a4	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.arm6	02c81968271113a1bc6540977d87ee29615b6dc72cdec2cbcb20ae1dbf1306b0	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.arm7	aa661eef247ea9e6d62f556d831449cab1560e514c4353681057d8b3be32b2be	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.ppc	8562260a9835de79d39e5b7ef2096cd8fc671362cf23a0dadc81f1350597f3f9	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.spc	61860825478ae40b130a5cf31208864cb63fbbb3ae525bc92bac19241f83920f	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.m68k	659addfe6384773380cb43283ffc71814c52645cc38505a5b42601138bb156f0	Mirai	mirai
http://41.216.189.185/00101010101001/S3o.sh4	3933eba9b69193538a4b2cc6614d498646e75a55d20e7cf4f9de056976a6ef5a	Mirai	mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/69281f13152f10c0af85bf4d/reports/e9bac8bc-f729-4bdf-88be-3612fa006194/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-27T07:06:00Z UTC

Last seen:

2025-11-28T23:59:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/625f679c32c1ecaf1051a219b874a06e8cdace0cedb7b2c0458282fdc94c248c/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/9cb2931e-1fa7-4db8-bb08-f5f6290a155e

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/625f679c32c1ecaf1051a219b874a06e8cdace0cedb7b2c0458282fdc94c248c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/625f679c32c1ecaf1051a219b874a06e8cdace0cedb7b2c0458282fdc94c248c/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-27 09:50:23 UTC

File Type:

Text (Shell)

AV detection:

20 of 36 (55.56%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mjpwphbsyhwk6ecruim3q5fan2gnvtqm5w33fqcfqkbp3skmesga._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux

Link:

https://tria.ge/reports/251127-lvyn6aer4z/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/625f679c32c1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/625f679c32c1ecaf1051a219b874a06e8cdace0cedb7b2c0458282fdc94c248c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.