MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 653df28c2b81bc8cfa666dcf70b1abb21b24cddb6cba2e7429eec4f9e07fd080. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	653df28c2b81bc8cfa666dcf70b1abb21b24cddb6cba2e7429eec4f9e07fd080
SHA3-384 hash:	6a054e59659380fea3014553351d9bd0e2a83d3c128bd99fefaff83d50f2b632a37100a3d9de59b3529a480ea9f966b5
SHA1 hash:	b1e89da8d60fcb7b20cffdabd67f1703b460da39
MD5 hash:	b39526f2ac1c6eb7eefc39b0c08df495
humanhash:	romeo-undress-orange-double
File name:	b
Download:	download sample
Signature	Mirai Create hunting rule
File size:	4'939 bytes
First seen:	2025-06-12 14:30:23 UTC
Last seen:	2025-08-03 14:44:17 UTC
File type:	sh
MIME type:	text/plain
ssdeep	48:jLrBLYsL+JdLUGLwYqLLDLaXZU9YxEN0SCJho0UYgXHWXJJAJzYYP1XeeTN48yVr:HZF+zVTcbaXBxOhCrxvgXWXkddXVkZp
TLSH	T1DAA1D0893E625A73CE51DF6AE325C52A784680D580608FF524BE30BCBCBFD48EA11567
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.116.9/mips	n/a	n/a	elf ua-wget
http://196.251.116.9/z/89/mpsl	342b3027479e52477e392189cfb728f709d705856afa7c9ee7ce2a555b0050d6	Mirai	elf mirai ua-wget
http://196.251.116.9/z/89/x86_64	b711de28c460548a23b75a63e61cfe559c8a3534af1bbb5497cca20ce95ea193	Mirai	elf mirai ua-wget
http://196.251.116.9/z/89/arm4	n/a	n/a	elf ua-wget
http://196.251.116.9/z/89/arm5	37a352c914d463e97fd51ca4c3a23ef5cd75e853e395239a11bce808e33bf1fd	Mirai	elf mirai ua-wget
http://196.251.116.9/z/89/arm6	ab66ba18ba7aef0d63af43ecc2cc8388cc461072bc7d6103ac89704deee8e60d	Mirai	elf mirai ua-wget
http://196.251.116.9/z/89/arm7	51e83cce6c75d1baf3c7e7ab255c53d3f02f0fe71bb071ce68333c38e98e739e	Mirai	elf mirai ua-wget
http://196.251.116.9/z/89/mips	79ab393b5c0b62a5e4272793f0f4e4d42762fe4cd7daa4555fb0b2ddb0dc77ee	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

38

# of downloads :

61

Origin country :

DE

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=684af53f8bd5d68a12e836fdlinux22vpnfull_triage

Tags:

n/a

Verdict:

Malicious

Labled as:

Linux.Medusa.C.Generic

Link:

https://www.hybrid-analysis.com/sample/653df28c2b81bc8cfa666dcf70b1abb21b24cddb6cba2e7429eec4f9e07fd080

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/653df28c2b81bc8cfa666dcf70b1abb21b24cddb6cba2e7429eec4f9e07fd080

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/653df28c2b81bc8cfa666dcf70b1abb21b24cddb6cba2e7429eec4f9e07fd080/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-06-12 14:46:53 UTC

File Type:

Text (Shell)

AV detection:

17 of 38 (44.74%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mu67fdblqg6iz6tgnxhxbmnlwinsjto3ns5c45bj53cptyd72caa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250612-s37elayzgx/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/653df28c2b81bc8cfa666dcf70b1abb21b24cddb6cba2e7429eec4f9e07fd080

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 653df28c2b81bc8cfa666dcf70b1abb21b24cddb6cba2e7429eec4f9e07fd080

(this sample)

elf 37a352c914d463e97fd51ca4c3a23ef5cd75e853e395239a11bce808e33bf1fd

URLhaus

https://urlhaus.abuse.ch/url/3561469/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3561473/

URLhaus

https://urlhaus.abuse.ch/url/3561474/

URLhaus

https://urlhaus.abuse.ch/url/3561471/

URLhaus

https://urlhaus.abuse.ch/url/3561470/

URLhaus

https://urlhaus.abuse.ch/url/3561472/

Dropping

MD5 5782bea009a3c7dc81d65c47728c94a1

Dropping

SHA256 37a352c914d463e97fd51ca4c3a23ef5cd75e853e395239a11bce808e33bf1fd

URLhaus

https://urlhaus.abuse.ch/url/3561519/

URLhaus

https://urlhaus.abuse.ch/url/3561520/

URLhaus

https://urlhaus.abuse.ch/url/3561521/

URLhaus

https://urlhaus.abuse.ch/url/3561522/

URLhaus

https://urlhaus.abuse.ch/url/3561523/

URLhaus

https://urlhaus.abuse.ch/url/3561524/

URLhaus

https://urlhaus.abuse.ch/url/3561525/

URLhaus

https://urlhaus.abuse.ch/url/3561526/

URLhaus

https://urlhaus.abuse.ch/url/3561528/

URLhaus

https://urlhaus.abuse.ch/url/3561529/

URLhaus

https://urlhaus.abuse.ch/url/3561527/

URLhaus

https://urlhaus.abuse.ch/url/3561530/

URLhaus

https://urlhaus.abuse.ch/url/3561531/

URLhaus

https://urlhaus.abuse.ch/url/3561532/

URLhaus

https://urlhaus.abuse.ch/url/3561533/

URLhaus

https://urlhaus.abuse.ch/url/3561534/

URLhaus

https://urlhaus.abuse.ch/url/3561535/

URLhaus

https://urlhaus.abuse.ch/url/3561536/

URLhaus

https://urlhaus.abuse.ch/url/3561537/

URLhaus

https://urlhaus.abuse.ch/url/3561538/

URLhaus

https://urlhaus.abuse.ch/url/3561539/

URLhaus

https://urlhaus.abuse.ch/url/3561540/

URLhaus

https://urlhaus.abuse.ch/url/3561541/

URLhaus

https://urlhaus.abuse.ch/url/3561570/

URLhaus

https://urlhaus.abuse.ch/url/3561578/

URLhaus

https://urlhaus.abuse.ch/url/3561568/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample