MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d6b5320e19cf931959185618a2d7d3a910ac4f42e5fe171a4dfdc856c06e255. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	6d6b5320e19cf931959185618a2d7d3a910ac4f42e5fe171a4dfdc856c06e255
SHA3-384 hash:	157e5606356a120ef6304e81abc4684082aafc7f916d992d2bf074eccaa15dbb5999d588089b2a69fa1049a66dc820ff
SHA1 hash:	27665c70ee52d5275718e7b722a3e4b0609246f6
MD5 hash:	071c75573101f72568ee241d1ff9604c
humanhash:	saturn-ack-florida-zulu
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'761 bytes
First seen:	2025-07-17 17:24:56 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:ircwZrEyElhrO8rNerycynnrEnE2ErJc1JMprJXJ11UrJIJeDrJ9JRvmr21CrDFo:ircwZrEyElhrO8rNerlOrEnE2ErJc1Jt
TLSH	T16C51D2C54E8341762C769E37BABA46883E96DC6338C86D9795EC3CEB444DE0530B1E63
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://161.97.77.188/HBTs/top1miku.i586	63d867a35531716d2e18314fbe4d2b0ffc3cc4bbb56d61a49ad1a42220746dac	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.mips	6dba5a43486ad2c883f236754e25806a860f5063fcf73e225f4f86c1c1741ead	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.arc	380cdfff39fab66e0d2f0e3217f0e2573374ebbde28f6a96343e2cb72c0ca944	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.i686	b80576044beece1b4d384a03a1cf722b0859177e554946eb0a6b0c96ae98d92d	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.x86_64	5c03e74290ffbc6332f3d357d54853000ea53f19ee0fa3fb36d466989c48826f	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.mipsel	d1fab6b2f50e0ff23b55efacb28d56953902bd7bf276d1bbb0e8b8008cdbb7e6	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.armv4l	861077a289df2f605a07e5054d37a41cc087751a1347d57c0c5977d91197e7b3	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.armv5l	e32f0af161e9dc5d213b9dc2d291da8dda9e836b9478d13a773a051a27075b89	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.armv6l	6541c73c5c61b39d318d6e8e2c84a512824d846e03dce12a05ce5749315e10d7	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.armv7l	21fde295094321e113cc7fe87fb3dc1230c4f602a21ea1919997e9289d683194	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.powerpc	f9619daee99e761f7ef1df5c67a70f966af51d6f5c603bd3cf09a68f7f00b26f	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.powerpc-440fp	050fb23f00a9e0583cc357a453959ec9f7d6e5268b285caec9476eef5b25c618	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.m68k	af5ef5773b4f244557be125fa269d59bfa897f6ad5ddbbd600a224a7fe38fdb8	Mirai	elf mirai opendir ua-wget
http://161.97.77.188/HBTs/top1miku.sh4	200f50c4e8e10d7cd12823b2ff9dcc4fd4643094ee0cb1bbd321a636af1acdc4	Mirai	elf mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/1bce87cc-41e0-4855-8542-54a90d75bff4

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/6d6b5320e19cf931959185618a2d7d3a910ac4f42e5fe171a4dfdc856c06e255

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6d6b5320e19cf931959185618a2d7d3a910ac4f42e5fe171a4dfdc856c06e255/

Verdict:

Malicious

Threat:

Linux.Downloader.Medusa

Link:

https://tip.neiki.dev/file/6d6b5320e19cf931959185618a2d7d3a910ac4f42e5fe171a4dfdc856c06e255

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-17 17:25:34 UTC

File Type:

Text (Shell)

AV detection:

23 of 38 (60.53%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nvvvgihbtt4tdfmrqvqyull5hkiqvrhufzp6c4ne37oik3ag4jkq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery linux persistence

Link:

https://tria.ge/reports/250717-vzj61azqw3/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

Enumerates running processes

Modifies init.d

Modifies rc script

Enumerates active TCP sockets

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Malware Config

C2 Extraction:

top1miku.duckdns.org

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6d6b5320e19cf931959185618a2d7d3a910ac4f42e5fe171a4dfdc856c06e255

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.