MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f55eb9ac447608017451a30425c2a7ce85a51fa5cf436b16c215cbeec25d909. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	7f55eb9ac447608017451a30425c2a7ce85a51fa5cf436b16c215cbeec25d909
SHA3-384 hash:	764d5110bed841e73a46620e090ccb499ce7bb9fd3b03e4ba26093bb98c897f320c7b2c10f66d5f27dd3f84460c2003b
SHA1 hash:	dfe2bc857a1b47853049d9c9f8e31f7a21696ee3
MD5 hash:	a6dd49e8a65beaac72703a41f5696f98
humanhash:	east-december-early-queen
File name:	qkuys.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'014 bytes
First seen:	2025-11-18 17:23:58 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:iJbgbAJbDbmJbKbMJbbbeJbRbCJbFbSJb0aab0aX3KLJbcbnAJb1bILJbobuJJbh:iViAV/mVsMV3eVdCVJSV0X0E3KLV2nAS
TLSH	T188515A8A10D1877EAE56DB9373ADC708B9AAB4D694C79F0CDCDE25F9A04CF093110762
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://143.20.185.225/bin/Polar.x86	c71b9710d13d3152d370b46d22afda921cbe0815bbfc49eb703c6a0c739dc91f	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.mips	4a98d6bd63190c2aef2a7567e36f11fafbf12d64c161ec17bc01f60384ed30d0	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.arc	9ad3a1c947bef2d67ab1d659ee391b47b4655af952a214fc2d5ad8a6c16ad58f	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.i468	n/a	n/a	elf ua-wget
http://143.20.185.225/bin/Polar.i686	70a46bf2111e393fda22863bd7449630867cab7023117e0672be2b829f6ff429	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.x86_64	b784633b94f332feb9cf753e478adb69f8cd2a80b90293f06ef4ce7bcb1eb690	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.mpsl	46d699e5fecb934da82228f81c8d2ede537e4ed84cdcf0c6816dba773073577c	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.arm	094a10196a06c26e7d02316a2364cf2ee7a85266a0409b90f433fe77b8dacc9b	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.arm5	4476a4f8616cfe832f9740c6aadc02d72976b81f123ca2ff8ceb8b5110bba58d	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.arm6	bd52db8e0392c1cd596862981f2c0951829d5c379f4b6e2f81e1f52d032c82ca	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.arm7	4429f00e0efabe0ce89644caba8979e00a2b064bde1e43a30b87e3c4a345988b	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.ppc	e3dade7ec1a0db7c080a50d555492ec6329457f2b10801bea3c942550acb62c8	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.spc	ef728dc73fe11f9aac29ade59130c96215d151b6c1e74ced52c5a9673a2380a7	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.m68k	212b314cf46d30641138c55c90f537be908c0d889fe835c40cf6d779de90504e	Mirai	mirai opendir
http://143.20.185.225/bin/Polar.sh4	1c72cb6c8c31e9c467706a0190f99717c165a8935b3a163778f172c2f6db6a99	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/691cac4496b510474f565795/reports/80fae1ee-862f-4dbc-839e-61fd2d580a8b/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-18T14:45:00Z UTC

Last seen:

2025-11-20T10:18:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/7f55eb9ac447608017451a30425c2a7ce85a51fa5cf436b16c215cbeec25d909/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/640e4f0b-a2a6-402c-961e-e1df4c1c0bed

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/7f55eb9ac447608017451a30425c2a7ce85a51fa5cf436b16c215cbeec25d909

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7f55eb9ac447608017451a30425c2a7ce85a51fa5cf436b16c215cbeec25d909/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-18 16:53:28 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p5k6xgwei5qiaf2fdiyeexbkptufuup2lt2dnmlmefol53bf3eeq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251118-vzr7lsgy8e/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

uraniumc2.ddns.net

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7f55eb9ac447/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/7f55eb9ac447608017451a30425c2a7ce85a51fa5cf436b16c215cbeec25d909

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.