MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64a93c5b0e32cd73f1312dc3d10a9cc63ee26e139ca1f5c9c9d580c120d73980. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	64a93c5b0e32cd73f1312dc3d10a9cc63ee26e139ca1f5c9c9d580c120d73980
SHA3-384 hash:	86daf563f8951d34cd7cf40acd58592cdb4d3add7e6b6a62b46b9901f39f2fb2ae188fa3866340a1ce12162e4d3d78bf
SHA1 hash:	083c557078857e922f01c865d722ca1cd0aaf37d
MD5 hash:	eaa26f164b5006ab9db083c5b2ab9c15
humanhash:	cola-pip-nuts-beer
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'224 bytes
First seen:	2026-01-12 11:18:50 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:Iti0C05si0X0Ei0w0yi0j0+Ti0Z0Xsi0B04i0sp0snJi0q0+Li0J0i1Li0yp0yNe:iibcX1RubJyNLaJLV3kLCJY
TLSH	T1286172A9218252B43CB9CF63226D46183283C4B6ADDF7F46F5EC79E8809CE56F042742
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://202.1.31.175/windyloveyou/windy.x86	bcfd1c9b186666483509dba5d0377d67e440449b7699f4304509855346cb6564	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.mips	0bbed3bade9eb683c8de2830666302183923641e7d83a7fa4c5bdcf2a7a53d1e	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.arc	c90c08d68c7f3844b7055f345eccca551e589bbe98a23b36c64370c159fa6679	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.i468	n/a	n/a	elf ua-wget
http://202.1.31.175/windyloveyou/windy.i686	01563d7779828af88279dac3d95cd3332434f5be7963254e75dc4756cdb6235a	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.x86_64	a16884f22c23b1eaf3cf4592db352d6059a8a7cb755bd99f5843bcaa77950d8b	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.mpsl	e92795e5c1b34a77a7233a5d184e29fb7149c120a05c3d105c998e2be63a2b42	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.arm	a1bb22f212902bebe68dfd700ec35da759169060b9ff62bac552037dde65d728	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.arm5	cb52ae19dce8f112409e790bdffae28ae8514edd23e17f38b48b8df4bce83dae	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.arm6	17eb2359948a9d523b3c15b97364c0658eb74080c042d319518c9f706accdc15	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.arm7	6d0329f2cdaf6670732328f9f9ffd0282af6aa99e284643e44bf9b33f70cd9e9	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.ppc	3cf072e8e36a2a49b1bc3dcf6fc1564fb72792af672906010282a19d3e118af2	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.spc	458a71e1d9feb07eeb09cb2cc4b8dcabd9aaa89774687ba9aad1e6f1bd518d8a	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.m68k	15d22fe6d17b10f7dcd5e5336526743926031355bc9b396a6644d59890b3fa71	Mirai	elf mirai ua-wget
http://202.1.31.175/windyloveyou/windy.sh4	76b5daf6bc1527726048d5ee444b5e2d79f99f519a1b290bbada05892cf14d78	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/6964d8e040358be74af93cb3/reports/32489589-640c-41e6-9882-f7d112eaf337/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-12T08:25:00Z UTC

Last seen:

2026-01-14T09:00:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/64a93c5b0e32cd73f1312dc3d10a9cc63ee26e139ca1f5c9c9d580c120d73980/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/ce5346b7-4641-48e4-bd36-b420a38729d7

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/64a93c5b0e32cd73f1312dc3d10a9cc63ee26e139ca1f5c9c9d580c120d73980

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/64a93c5b0e32cd73f1312dc3d10a9cc63ee26e139ca1f5c9c9d580c120d73980/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/64a93c5b0e32cd73f1312dc3d10a9cc63ee26e139ca1f5c9c9d580c120d73980

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-01-12 11:08:04 UTC

File Type:

Text (Shell)

AV detection:

15 of 24 (62.50%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=msutywyoglgxh4jrfxb5ccu4yy7oe3qttsq7lsoj2wamcigxhgaa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260112-ne79rsdy3f/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

202.1.31.175

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/64a93c5b0e32/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/64a93c5b0e32cd73f1312dc3d10a9cc63ee26e139ca1f5c9c9d580c120d73980

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh