MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86665d0fac0c9482fc9f74ac34bbe325874b7886ef111b35b41e6f7956487304. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	86665d0fac0c9482fc9f74ac34bbe325874b7886ef111b35b41e6f7956487304
SHA3-384 hash:	e9461d468acc28b3a8958068da86f06012a57d0fec33d312b2023d88b199da517418d8e447015f4e4175d7f397529ec5
SHA1 hash:	e843cf13d8ee3c48826fc419443428bcbee731de
MD5 hash:	65b39a66a500118758ab817a890986e4
humanhash:	alpha-west-twelve-stream
File name:	hy.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	556 bytes
First seen:	2025-01-14 21:02:28 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	12:v0FSp3R0FSgna0FS9NIIeSvv0FSZcZKag:U8i7fuNIrFlK5
TLSH	T12BF030DB215305FE2C989C9779AE891075D8A38A19D7DF5E6CDD34D800ACE3432016A2
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://103.188.82.218/x/garm	399c7ffb446081836660326ef7e781fc68d0273bcf01e287c1de5f2bd69ecf83	Mirai	mirai
http://103.188.82.218/x/garm5	731311dd0b479c5b363e1d08c29e40ab1277990877dc2e09623402a730af3864	Mirai	mirai
http://103.188.82.218/x/garm6	2fe129193ab490709239439578830f6ff60cfccf2fe5d405e5a447a8b6629709	Mirai	mirai
http://103.188.82.218/x/garm7	044f2d0a3268bccd9e6c38e35bda5d7d5206feb6c34ae8ad384a7655346a667e	Mirai	mirai

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6786d1084487910100df09fflinux22vpnfull_triage

Tags:

gafgyt mirai

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug evasive lolbin remote

Link:

https://www.filescan.io/uploads/6786d10833837f9f2ac01329/reports/dfea6015-db09-4911-8df1-bba866d31284/overview

Result

Verdict:

MALICIOUS

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/86665d0fac0c9482fc9f74ac34bbe325874b7886ef111b35b41e6f7956487304

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/86665d0fac0c9482fc9f74ac34bbe325874b7886ef111b35b41e6f7956487304/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-01-14 21:03:04 UTC

File Type:

Text (Shell)

AV detection:

12 of 24 (50.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qztf2d5mbskif7e7oswdjo7dewduw6eg54irwnnudzxxsvsiomca._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250114-zv1emszlhs/

Behaviour

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/86665d0fac0c9482fc9f74ac34bbe325874b7886ef111b35b41e6f7956487304

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.