MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80a38307191ee64af780665afa1ea0ebfc7355d66ce420f8469cf63f0eaa17d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	80a38307191ee64af780665afa1ea0ebfc7355d66ce420f8469cf63f0eaa17d3
SHA3-384 hash:	6832487a9ffdd73e4d77cd2cec7996900a905626aa5195eb64505b6ca5b7fa15e9e4a06f59c4e915b736834442874878
SHA1 hash:	9bbf49ea5705f1f574b37718d60c1c85a89f30c2
MD5 hash:	200975240313bfd610508d9225489780
humanhash:	aspen-two-helium-kitten
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'074 bytes
First seen:	2025-07-21 23:23:17 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:It/ZsnbhTkzlfbmsvToLGgJv63nLONNIpKks/ME5hzsoncGgJsYApk:iqlAxT7oL1SXLCJ5bIonBgJsvk
TLSH	T1905164E663814AB31CBA8DDB76A84884735D40DFE4AF9F3AD5D8E4E9428EF187440741
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.213.240.242/bins/morte.x86	6b89288f82c10313cc04d6801994f61ae0f454a8e49ae902416549475d22563e	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.mips	db7c3f4a4d9955f60e2428d33081b7516d2b05a554549ef7435ad5f0da26aebc	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.arc	bc7ba0be21d0bd4d5f8ffba11fb517a6128ed67aaee485f4e9ad55ebb206dfd7	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.i468	n/a	n/a	elf opendir ua-wget
http://185.213.240.242/bins/morte.i686	ec6877d780e5c08a52316ed53c1e24688df1bb77573a73552807b446682303e1	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.x86_64	0f3d5843dbea20320950015e6b16d397ead64d3a0cc0c0c9d236ab0c329e5c3c	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.mpsl	6a381680badfe72a680a7ebbac5a87b69b92bef8cf495dea18c08768ae4a8104	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.arm	1e084f768e6f712bd7a6550bfd1d6651475110be15afdaf20ea165035e41825b	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.arm5	bb58685e750ea7ea86ef5e8e0272309259225751e891a8180edeb43f00e12237	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.arm6	fc5cd925ce297000ca57784ead53c74be59b7f1947fe30fc596b8288b58e34ac	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.arm7	f668ad9e7208fb93503504745e844534c2f1cd03bb8be6580ceb107b2f3e5c1f	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.ppc	4c2307922752b1dda4168efb06f7f577df1e1a6b559b16e290533fa875bbfb67	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.spc	600fc077b364f1e19774afc961c350ca78168a7c89985b8d649d18a784bb54ca	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.m68k	b34ab7b3235520d509129dbf8ce61fa4aaf07c689caf1086678d209c2bdfb15f	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.sh4	aeaca0a823b1c1ba1fef65021e4435d355d8da6763b976bfecfe002a17023b80	Mirai	elf mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/a91f10dd-a999-4d65-af1e-3472e045297a

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/80a38307191ee64af780665afa1ea0ebfc7355d66ce420f8469cf63f0eaa17d3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/80a38307191ee64af780665afa1ea0ebfc7355d66ce420f8469cf63f0eaa17d3/

Verdict:

Malicious

Threat:

HEUR:Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/80a38307191ee64af780665afa1ea0ebfc7355d66ce420f8469cf63f0eaa17d3

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-22 01:52:00 UTC

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qcrygbyzd3tev54amznpuhva5p6hgvowntscb6cgtt3d6dvkc7jq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery execution linux persistence upx

Link:

https://tria.ge/reports/250721-3dadns1lv9/

Behaviour

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Unexpected DNS network traffic destination

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/80a38307191ee64af780665afa1ea0ebfc7355d66ce420f8469cf63f0eaa17d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.