MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b4acd4f11779c0b1016957bad0cbc77b90e630177aeff6c60c09f86d7b744a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	7b4acd4f11779c0b1016957bad0cbc77b90e630177aeff6c60c09f86d7b744a2
SHA3-384 hash:	b52745e4239f37a35ee788f957661a5f1b8a743f62c7adf9a7a759caa5e393e4147aaff5b49c72cd333294ade07145cd
SHA1 hash:	14ffdf9a4a5220cc9389cbd8b56d0f7bc6a1abb0
MD5 hash:	952a16d5625c23f01d6950778ccdc782
humanhash:	fanta-mango-november-enemy
File name:	test.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'466 bytes
First seen:	2025-08-19 01:55:21 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	48:UeGKG/se9yseGTGUjseh3Gsea5ser8sezSzZsepBpGseO7seC02seftKseZuse8v:UlR04qgyIcISsyiHmL4N
TLSH	T1CE51C7DD27215E74ED57DA33F1AA44087190A4E374CA4F0658FD3CF8C89EF0431A5AA9
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://138.201.154.194/systemcl/arc	n/a	n/a	elf ua-wget
http://138.201.154.194/systemcl/arm	a2812bf91c1836b0749615f8c92f49b055ed1152a0cfcb03cffb4473388ae1f9	Mirai	32-bit elf mirai Mozi
http://138.201.154.194/systemcl/arm5	467ca3ecdb388a31f9687f3f93134ae992fbfbe2936cfbd700c3d198b3b65ecb	Mirai	elf geofenced mirai opendir ua-wget USA
http://138.201.154.194/systemcl/arm6	7a4627901da5e02ceacaf688cc103b4944a3cf75b4f1f4316ee638893eaa4104	Mirai	elf geofenced mirai opendir ua-wget USA
http://138.201.154.194/systemcl/arm7	1745a1dc09e108e719186017f4d6f10e1835aa4ba3f74b50b8394e3268c66524	Mirai	elf geofenced mirai opendir ua-wget USA
http://138.201.154.194/systemcl/m68k	19abfca0200531ee5ddc2dd7bc4454af84d9ffe0ef2e12cd2a54fc828ebdc659	Mirai	elf geofenced mirai opendir ua-wget USA
http://138.201.154.194/systemcl/mips	ad42066092b60784e1579fb3742cf3a41450dacc13b254e9c3a0c5b84aaf0db4	Mirai	32-bit elf mirai Mozi
http://138.201.154.194/systemcl/mpsl	7365564e3fc5bc60caa91eb8b6b87a6d8da423389be87134899fcd0caaeb3242	Mirai	elf geofenced mirai opendir ua-wget USA
http://138.201.154.194/systemcl/ppc	abfd19ac36a02a8d3552a65a6e023b7499af427f7ea558cbc5064b8475bd955e	Mirai	elf geofenced mirai opendir ua-wget USA
http://138.201.154.194/systemcl/sh4	b5d5a320320766751e9a1e31bc6ff850196e0c3f0b5baee15eee600b8a3cdae2	Mirai	elf geofenced mirai opendir ua-wget USA
http://138.201.154.194/systemcl/spc	2b4e44a8a37c63ce0a2c007bb22d903ae9d13b643b6b556f4d15199926cdd54c	Mirai	elf geofenced mirai opendir ua-wget USA
http://138.201.154.194/systemcl/x86	2e9b4bb064c078485eab38389da45cfecd1f865d77cd5c199ae3c2fe195daf72	Mirai	32-bit elf mirai Mozi
http://138.201.154.194/systemcl/x86_64	47a0fa2b9aa3ebdb48324d5ad43903187a528176193716db81991191b3d3b230	Mirai	elf geofenced mirai opendir ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/e482d830-72ac-4514-87d7-9fb39be59fe8

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/7b4acd4f11779c0b1016957bad0cbc77b90e630177aeff6c60c09f86d7b744a2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7b4acd4f11779c0b1016957bad0cbc77b90e630177aeff6c60c09f86d7b744a2/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/7b4acd4f11779c0b1016957bad0cbc77b90e630177aeff6c60c09f86d7b744a2

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-08-19 01:55:34 UTC

File Type:

Text (Shell)

AV detection:

14 of 24 (58.33%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pnfm2tyro6oaweawsv522df4o64q4yybo6xp63daycpynv5xisra._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250819-ccdftsyry7/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/7b4acd4f11779c0b1016957bad0cbc77b90e630177aeff6c60c09f86d7b744a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.