MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 914522b59aaa66b6dea702bb084cf8b130868a07f2ced84e40e48b41586d8af6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	914522b59aaa66b6dea702bb084cf8b130868a07f2ced84e40e48b41586d8af6
SHA3-384 hash:	1f14c85cfbb0226645491e5964b419f9b4662df4654a9125cc080ec34483928c10c8997954c0d3ff61d195ad605e0f19
SHA1 hash:	e035f739ff360a1e3242407942c808bce600b813
MD5 hash:	60bba2d250301f1ee43e16412d9fc173
humanhash:	oklahoma-sodium-monkey-coffee
File name:	tplink.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'170 bytes
First seen:	2025-06-20 08:59:03 UTC
Last seen:	2025-06-20 17:40:10 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:FyayOyCytMyGTjy+yV4yyyrQtyayiyBiRhyXeyH:FyayOyCyKyay+yKyyyCyayiyqhyXeyH
TLSH	T1404142CA24A719706DA8DDA775BA840870E0B9C671CA3F259CDD3DF544CDF093180B87
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.96.131.92/mips	a42c4d58ed1e56eec68d559bcb17a65f079d4a64e41248c8c62e85d38eecec5d	Mirai	elf mirai ua-wget
http://176.96.131.92/mipsel	29092ff60d3c10e486bf39919ac545a968c32cbba8dcd8bad4b823a13a535c14	Mirai	elf mirai ua-wget
http://176.96.131.92/sh4	bbc50de11f561797de5ffda50e882073fff54add68f89b408b143df2183f84ef	Mirai	elf mirai ua-wget
http://176.96.131.92/x86_64	fd04838d3192096a4996446e53cb1a2b83969116db3903d88c3f2df4a60f8cdd	Mirai	elf mirai ua-wget
http://176.96.131.92/arm6	n/a	n/a	n/a
http://176.96.131.92/i686	9c647eb049c31c689bd89181f6c8a043deca07d2f2b39a8480ce8e9f2d20efdb	Mirai	elf mirai ua-wget
http://176.96.131.92/powerpc	e0e66d83469487cd3fcab72ea1db5a48d51ccd3ec94233201b594de44c4a8328	Mirai	elf mirai ua-wget
http://176.96.131.92/x86	e4b312250b02502668017e7452d2376e7e548ebcaacb5f79830f6e5e5c5b116c	Mirai	elf mirai ua-wget
http://176.96.131.92/m68k	eaebb4d7d87945e2c5bc6d7c1bdfcb59d889c5022e04d70235490d4ae4a959f4	Mirai	elf mirai ua-wget
http://176.96.131.92/spc	n/a	n/a	n/a
http://176.96.131.92/arm	82ae6c673060bb1b8c81851e7ed1e24568bb5ec8070a5d705a3957b268780e7d	Mirai	elf mirai ua-wget
http://176.96.131.92/arm5	be6cc0f4fb1f9434817e6e9195bb8e5a12da1ff5753a4077dec5f80b8c88c3a5	Mirai	elf mirai ua-wget
http://176.96.131.92/ppc4fp	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685522f6bb25757a6a1b1635linux22vpnfull_triage

Tags:

agent hype sage

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/520fb1d8-8fd1-40bf-aec9-825b2ff7a73b

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/914522b59aaa66b6dea702bb084cf8b130868a07f2ced84e40e48b41586d8af6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/914522b59aaa66b6dea702bb084cf8b130868a07f2ced84e40e48b41586d8af6/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/914522b59aaa66b6dea702bb084cf8b130868a07f2ced84e40e48b41586d8af6

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-06-20 08:33:01 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sfcsfnm2vjtlnxvhak5qqthyweyincqh6lhnqtsa4sfucwdnrl3a._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux

Link:

https://tria.ge/reports/250620-kxxzzacn5w/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

File and Directory Permissions Modification

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.12

Link:

https://yomi.yoroi.company/submissions/914522b59aaa66b6dea702bb084cf8b130868a07f2ced84e40e48b41586d8af6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.