MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84ac17f8f375db46b63c584072f69a035cc99201f9bf4d20ac8d831c27b45800. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	84ac17f8f375db46b63c584072f69a035cc99201f9bf4d20ac8d831c27b45800
SHA3-384 hash:	e11974553567fa7eb65deed598f435a0b974edf84ecbe3371969a03be87a87c5c35681a82678bb61c0bd88c6fe54f693
SHA1 hash:	9fe1d363832240e5b857a3b95ecc2715df07d05e
MD5 hash:	d4f97b606edc6bdcc35da13410ec524c
humanhash:	tennis-mobile-crazy-lake
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'284 bytes
First seen:	2025-10-18 16:10:54 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItkOrskv6kwwkjcTk1pskBukOTOnJkGQLkZA1Lk4T4NIAksknuk1o3kIILkSi3kj:iWtUFDfzKJazLUJFN34Lc5Y
TLSH	T187616FA5205247B12D798F27A2BD4524358BC1E61CDF3F65D7DE2CE888EDD66F080782
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://144.172.109.62/windyloveyou/windy.x86	518f6cfb42ff0f73ac52dd7186514146a8a77ead49dbc05376053179d47e0ec3	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.mips	f724354019be79c202e6ca22e8f15c7bec16f3f1a730d0f7563e9d523a69c72d	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.arc	117860228d073394ca034c9bbe95026a5dc34e5363099e0b5b14e839a78f3a53	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.i468	n/a	n/a	elf ua-wget
http://144.172.109.62/windyloveyou/windy.i686	1f4d49a91b5021c697a6e8fb3b0c6ea8232198dec8c7180dac8cc5a12387f850	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.x86_64	f57fc99d3e88e27f631d671334ccc10003f7157cf2fd9cc8ebb9e4b9d29d7426	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.mpsl	9d373e15bc16dbc8e0339970133bd9550c5806590cefef3b6bf6cdc06e96df53	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.arm	fdc3fb5d18cd397a31024b23da5b78508dc6c8cc2a725c256544c45257a28c35	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.arm5	1cc449c05fd6488e01aad1af2423c350d60f7141390c836b17c0c19a37373f18	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.arm6	e5977123ba788c84cb3c95400526f66e0f4cceb99e2356b33ccdc4b410c0ab46	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.arm7	07084e051caa2be13ba83885b796624fa406d3e0bfc67bc2b0cf1a89a76505d7	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.ppc	5f2c2f0184a86cc41a609ab925f23f8510d7b4dd1c20bf3e8c462d018ecba254	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.spc	f4b68be66dba8049c12aecc82c90942add630480f85acfb7279af78a94996f4c	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.m68k	ce6aa7d53b98f94b76f5ab6329fe22830bd8a0efe04d6a1a0b44ced538fea142	Mirai	mirai opendir
http://144.172.109.62/windyloveyou/windy.sh4	75022e80defe89dfad712cc089111506ccbc0047b49dcc8f16fc65158c5294e3	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-18T13:23:00Z UTC

Last seen:

2025-10-19T17:25:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/84ac17f8f375db46b63c584072f69a035cc99201f9bf4d20ac8d831c27b45800/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/23c36e19-678c-4696-ad9b-3ddc34060e9a

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/84ac17f8f375db46b63c584072f69a035cc99201f9bf4d20ac8d831c27b45800

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/84ac17f8f375db46b63c584072f69a035cc99201f9bf4d20ac8d831c27b45800/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-18 16:21:36 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qswbp6htoxnunnr4lbahf5u2anomteqb7g7u2ifmrwbryj5ulaaa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251018-tpf6xsew3f/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

mirailoversddos.duckdns.org

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/84ac17f8f375/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/84ac17f8f375db46b63c584072f69a035cc99201f9bf4d20ac8d831c27b45800

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.