MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a8d53ea31222c720aa4bd2fb640416d4f329bef1548b2e1ac199ac46051656c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	6a8d53ea31222c720aa4bd2fb640416d4f329bef1548b2e1ac199ac46051656c
SHA3-384 hash:	eb7fe531406387326eb0e47cb278f47854e62506bc41c3b2fa2d0ffef54524ad21cf1f2f5b0fffc3fb58470c2480cb06
SHA1 hash:	803c111503034fda0adc7da50b17b2c54df2c957
MD5 hash:	a8504ed7dd829276b7e341ae6043dcc3
humanhash:	beer-undress-april-stairway
File name:	2.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'363 bytes
First seen:	2025-09-04 05:18:18 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:xjlSdIZdIQXSdIgdIdbuSdITdIqNSdIQdItlASdIedI7YSdIydInUSdIXndIXGxU:/bqpKY0fiQJvsz6i99sBgJVljd
TLSH	T193617EF703BC06735CB689D662B90444B1D1C19B19CEAF72ABDC38A40D8DECC7C52A62
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://41.216.189.108/00101010101001/morte.x86	eb9a8d69e1d6cf3e86860b5d91104b858ade924228d071dbe5496cce62fae767	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.mips	9e3a5beb39f0f1d9b3f504701e938187cb333b5db08295a4accd43d273ead784	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.arc	1f798b92dbd5bbbcc598b59a5cf30db8389a04fb751fce08610b146c391fc429	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.i468	n/a	n/a	elf ua-wget
http://41.216.189.108/00101010101001/morte.i686	6c788438c08bdcbd1ec4218c4bd927044faad9d8554d917fce5cc4c101a0d17a	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.x86_64	3af40b5a3d850ee6d5bf827fd7d0ee0b52924e6914afc2e779d43228d19bc519	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.mpsl	30422e84b03c2bc2bdc6918beb432067bc782fd947dcd0a6c388af905fd34367	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.arm	f6ec77abe2e518f31cdcd64ebbecf43f7e8fb167b680a7281cb167f6171529bf	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.arm5	62aa6cb6ffa0cf504df63b17f68d262e6d416a95d2e1c8359e080e5797429a85	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.arm6	da32c7587d5e92c90dbf300d3a846cb485c3c718043ef3442c2a0f6d717ccb99	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.arm7	de6e8f7300f52785f0c2f37be043a0be6768368c1d1ecb48eb956a6fb71738e8	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.ppc	37045a357173998ba8c15b10e36ac48a538482ac82b25a50f54dc6ba3c05c71a	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.spc	0f5532eb67be29a3c2cfcabab8f25327e54c1cb136fd2f623f0bd57da30d0ffd	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.m68k	49f17558034fb80ab6c8fb730c0c29d980550008ea85882e230c918a35038b18	Mirai	elf geofenced mirai opendir ua-wget USA
http://41.216.189.108/00101010101001/morte.sh4	5386cb300a953d7700dffd314df6750e5a5ccfc9c3fd6b9b22bc7063cbec2543	Mirai	elf geofenced mirai opendir ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-04T02:24:00Z UTC

Last seen:

2025-09-04T02:24:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/6a8d53ea31222c720aa4bd2fb640416d4f329bef1548b2e1ac199ac46051656c/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/963338fd-abc3-446f-aeaa-f0577ee51f1f

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/6a8d53ea31222c720aa4bd2fb640416d4f329bef1548b2e1ac199ac46051656c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6a8d53ea31222c720aa4bd2fb640416d4f329bef1548b2e1ac199ac46051656c/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/6a8d53ea31222c720aa4bd2fb640416d4f329bef1548b2e1ac199ac46051656c

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-09-04 05:19:15 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nkgvh2rreiwhecvexux3mqcbnvhtfg7pcvelfynmdgnmiycrmvwa._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/250904-fzh7daal2s/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6a8d53ea31222c720aa4bd2fb640416d4f329bef1548b2e1ac199ac46051656c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.