MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a2880ab70300e517b82d6aebb562ea7c0d6b9c1214484a59d6c2a186d77ffc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	8a2880ab70300e517b82d6aebb562ea7c0d6b9c1214484a59d6c2a186d77ffc7
SHA3-384 hash:	1a8e1396542fddfe5f0c0a0051f9f3bce8b682fa80b24d25b0c26694ed8a1851bb5a72a2c89b8ad4cf435a3fad275b49
SHA1 hash:	11615ead76a97973b2183c7b992aaf13bdd8f67e
MD5 hash:	7f31c47ae746b95f5ed225a2325bc2cc
humanhash:	music-uncle-colorado-triple
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'815 bytes
First seen:	2025-10-10 15:09:36 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:ipKR3pFzp4JpXk0pPnp9O93pmtpnDLpCPJphzpVHpUxpwNp51C:iA3nOC0leoxLsnvae5C
TLSH	T13F516E8D04C5533BECEDCB5672A6A844F08041D7E5EB6F0D98DD65E984CCEC6B540782
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.141.49/Labello.x86	fb5c3b5b3ee1171cb391a402d33f10f25d7c21d24397b0e2a122175633d2dd6d	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.mips	f129a25f6eac5d365835e5e7f09cbc0ea7f98e26b283387eea120a91cec4e68a	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.arc	2ed8440a13b4effca2017f5ddb82697ae1fb14854bcc8e68c05bcb54a3f5f8e2	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.i686	b038000754c79ece7606709994dac9b45ab547834e1101af82b0a433c70c4457	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.x86_64	22ee4f7ab07f4f4c940c4025b7c65f0f2ef3f41301aa8699d75a55d629710b35	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.mpsl	a51ed193e922b4e506e512b19620380e1e622a47eac1b6031ce2945c0df6f9d7	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.arm	5d4a2758ebb2dea081409851ee66870bc683c6430f810ceefdea61f296477757	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.arm5	ac526f696e7d73b04415db7037213034c9df13b27233b325d8e920fa622a4ead	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.arm6	e8a1602b8b85ee1b4a5cc11ce248403a3b1ce59535787804aad8c0a622c0ddfa	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.arm7	06def9d3dfbee86a313b559b968b29443b117e330b0f35bf1d30227bf7c420e2	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.ppc	2a6e4db61790ca29acbff63b5523eb4316e68f1ce7d56bdc31b3f99a481013d5	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.spc	2fdead0288b6be1072c9bc095d8382377a5a9bb4a744790a71a4982facb9d6aa	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.m68k	32ffe10fd2a236e1f7c7362ab79090166fd6c4b2ef9c2cffa9082aee2c1bfb6b	Mirai	elf mirai ua-wget
http://176.65.141.49/Labello.sh4	1af15a2ff64e84e80b0ec826a76fa5c5b61daa166c10331d4fd089f7f63852d6	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-10T13:18:00Z UTC

Last seen:

2025-10-11T01:04:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/8a2880ab70300e517b82d6aebb562ea7c0d6b9c1214484a59d6c2a186d77ffc7/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/d4048d6f-44cc-4f16-aed8-24a12a0b0d95

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/8a2880ab70300e517b82d6aebb562ea7c0d6b9c1214484a59d6c2a186d77ffc7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8a2880ab70300e517b82d6aebb562ea7c0d6b9c1214484a59d6c2a186d77ffc7/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-10 15:10:25 UTC

File Type:

Text (Shell)

AV detection:

19 of 32 (59.38%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=riuibk3qgahfc64c22xlwvrou7annoobefcijjm5nqvbq3lx77dq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251010-skexma1zgy/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

UPX packed file

Deletes log files

Enumerates running processes

File and Directory Permissions Modification

Deletes Audit logs

Deletes journal logs

Deletes system logs

Executes dropped EXE

Mirai

Mirai family

Malware Config

C2 Extraction:

ptptonuwu.duckdns.org

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8a2880ab7030/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8a2880ab70300e517b82d6aebb562ea7c0d6b9c1214484a59d6c2a186d77ffc7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.