MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b662161f5760b5032e316cb28468c0a16a8f628df06418329f99c5da33f4dab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	6b662161f5760b5032e316cb28468c0a16a8f628df06418329f99c5da33f4dab
SHA3-384 hash:	27fe76a5f0978ff172dd08a8bc2be556918b03d990d374a525155294a06943719b554925faefaf4172763329977977e0
SHA1 hash:	5b722011201acd64602c35da9e0d4d1c383a4bba
MD5 hash:	fddb9173147eb441570e48d98d78a8e1
humanhash:	muppet-two-lithium-johnny
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'047 bytes
First seen:	2025-07-26 22:43:40 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:YjZs3bh7kHlfXmsLTx4GgJH6DnL/eNIpKksPMEHhns3mcGgJshlpk:Y21o9H/x41a7L0JJBs3mBgJsRk
TLSH	T1765191EF23E24A33ADB98FE737A8C404718550DBD5CE5FB554E8B8B9088CE18B441A53
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.116.34/bins/morte.x86	e41cf98b55686fca887f880de8ebb0d6b05e6b26649b0d95a59729081ac709f5	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.mips	d17de3b065d524a85522d7ed5ab4b15575407c438be1ee5f892445b9148963bd	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.arc	be3824168a5d476bec60bb9f771a5228fa752a6078a05ff079bdca0a4166cdfd	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.i468	n/a	n/a	DEU elf geofenced ua-wget
http://196.251.116.34/bins/morte.i686	157c027217ced4b50771bbc0e222dc4760f4a0f804763010d3a0a79d84cd0600	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.x86_64	623a439ec19f826bdd9cd68d00e38279d60b5ccd8f6fab633b1c6e84207c75a1	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.mpsl	815ba825cad23a8791a89ce794d1df9048133a152c2b37ed05066b2d8c6a68e9	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.arm	a1fa785a37fd03276effde035c81addd23415dfa8ab4ccce30e7deb806d3bb24	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.arm5	4dcdfc88ddee2531c6caee9c75192843af953b42845654a86937ae82df6072ee	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.arm6	2ce39c00011d45b712f7310b3d3738c592edcb581b981010f37ddb3853dfdbd9	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.arm7	d91ec037d4a3bd3da8068121fd9d0447dd5eb7549051e7122b5d217cdb46af81	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.ppc	aca86d90aef3a6b4ad4c0bab0bcac9b306e0f3db025b06735ece832013d40c11	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.spc	8f7c1622b81de5ba394145552b33b51e86a009392f7884408ba0507ea148b841	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.m68k	bec7cd4fd3d3921bcb4b581fb9474610cd702b70f5f93d91bc0ee424cfc94dda	Mirai	elf mirai opendir ua-wget
http://196.251.116.34/bins/morte.sh4	921022e867133faf030885d2a04b10224417a897c499cd4ee2481ae9c9cd4cb6	Mirai	elf mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/34aefd4d-b608-4c08-9482-05f9b818a47c

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/6b662161f5760b5032e316cb28468c0a16a8f628df06418329f99c5da33f4dab

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6b662161f5760b5032e316cb28468c0a16a8f628df06418329f99c5da33f4dab/

Verdict:

Malicious

Threat:

HEUR:Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/6b662161f5760b5032e316cb28468c0a16a8f628df06418329f99c5da33f4dab

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-26 22:44:22 UTC

File Type:

Text (Shell)

AV detection:

20 of 35 (57.14%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nntccypvoyfvamxdc3fsqrumbilkr5ri34dedazj7gof3iz7jwvq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery execution linux persistence upx

Link:

https://tria.ge/reports/250726-2nzkwatpy9/

Behaviour

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6b662161f5760b5032e316cb28468c0a16a8f628df06418329f99c5da33f4dab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.