MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89402c312709aed5cad1d36b09af669cb6ae61044e82b3a93bddb84c8a4605ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	89402c312709aed5cad1d36b09af669cb6ae61044e82b3a93bddb84c8a4605ca
SHA3-384 hash:	5f19bfba5a04b7700b22c93100fdc4f201c33a2a056e6ebcf520d76cd726bb6b4e4789061a5f086211b25b0ee8004f89
SHA1 hash:	5e88f8101ca6c241bb31cf03d4c38f022e3dc87f
MD5 hash:	d227547b5c9a479e9aab6855536de26a
humanhash:	maine-zulu-papa-bakerloo
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'929 bytes
First seen:	2025-11-13 18:53:25 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:itMhmltqnEltFCXltRePltaWazvZltagaFvjlt9NI9z4geltmjclt1SvltjWjzqa:isml4El+XlSPl83zvZl8NFvjlnAz4Zlj
TLSH	T140514EC7525249317CA7BE23FDB98E1C7181D5D228E1BF06E6DD34A56A8CE88B044E87
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://154.6.197.57/hiddenbin/Space.arc	f438873a4b974a11349447ccc92baffad798a25dbb68267502e42e443fee1a06	Mirai	mirai opendir
http://154.6.197.57/hiddenbin/Space.x86	dc5d927ae1d9a03fdcded6d9dbaef245c04325631b827146e6fab3684d061152	Mirai	mirai opendir
http://154.6.197.57/hiddenbin/Space.x86_64	eae1e2f2eae8409963501047f28538caafd7cf048c793ea0b8ce5f51526c74ef	Mirai	mirai opendir
http://154.6.197.57/hiddenbin/Space.i686	096cfe73e683d7ff42965463b9b1056a3e2e895d022733c49cc23e2fc4d2d042	Mirai	mirai opendir
http://154.6.197.57/hiddenbin/Space.mips	6d9b15f5bb693b582a37daf5649651caae1a03990534da760ef7686e1d691d94	Mirai	mirai opendir
http://154.6.197.57/hiddenbin/Space.mips64	n/a	n/a	elf ua-wget
http://154.6.197.57/hiddenbin/Space.mpsl	5e1108cd939c54fa3108c71eca741c68cc06fd7a175c9b433c54b505a642b9d5	Mirai	mirai opendir
http://154.6.197.57/hiddenbin/Space.arm	6287032e8fb67e424052d7ee38e13c0871d89de19d5c648cf91dba0981a774aa	Mirai	mirai opendir
http://154.6.197.57/hiddenbin/Space.arm5	ffd937f73c2ea7500eacaa35a811af741b8271d5295fe55ac3481462e7212fd0	Mirai	mirai opendir
http://154.6.197.57/hiddenbin/Space.arm6	17d5f71755c7268d3c5e04ac9422e671ea4d7fc552d00b9f00449be207bf8338	Mirai	mirai opendir
http://154.6.197.57/hiddenbin/Space.arm7	d93910b55f54518bec48a7c86d33a597fc2f27b5f31cbce5bbb357bb555b4a0a	Mirai	mirai opendir
http://154.6.197.57/hiddenbin/Space.ppc	2678bc15468a574dca8c6061f9c3ac4b449e581607ac55de7effe702bc2d1a40	Mirai	mirai opendir
http://154.6.197.57/hiddenbin/Space.sparc	n/a	n/a	elf ua-wget
http://154.6.197.57/hiddenbin/Space.m68k	aced7bfae49f2214dc3fd512efd50444cf25c1faeb688ea262cb1604f35f3bda	Mirai	mirai opendir
http://154.6.197.57/hiddenbin/Space.sh4	9dfdc925d26b05fa4220ac1f094a89bb3f7ce979d07bfee8c2b42c92b202392d	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Gathering data

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-13T16:16:00Z UTC

Last seen:

2025-11-14T12:56:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/89402c312709aed5cad1d36b09af669cb6ae61044e82b3a93bddb84c8a4605ca/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/da41c959-50d0-45bb-ac47-d46cd5c0112f

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/89402c312709aed5cad1d36b09af669cb6ae61044e82b3a93bddb84c8a4605ca

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/89402c312709aed5cad1d36b09af669cb6ae61044e82b3a93bddb84c8a4605ca/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/89402c312709aed5cad1d36b09af669cb6ae61044e82b3a93bddb84c8a4605ca

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-13 18:54:41 UTC

File Type:

Text (Shell)

AV detection:

23 of 38 (60.53%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rfacymjhbgxnlswr2nvqtl3gts3k4yiej2blhkj33w4ezcsgaxfa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251113-xka1wsbj8v/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/89402c312709/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.06

Link:

https://yomi.yoroi.company/submissions/89402c312709aed5cad1d36b09af669cb6ae61044e82b3a93bddb84c8a4605ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.