MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b25b603427438fe93e5a6851c94cf877f4279dd093882c8e02189aa195d9d31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	9b25b603427438fe93e5a6851c94cf877f4279dd093882c8e02189aa195d9d31
SHA3-384 hash:	9fc4751d7e14f7724005b915190e512e76a33d8c0c2daa5f0346bc5d7c790b1f0a90b01c51a5ff8dffe5a0421b9a9e77
SHA1 hash:	5ed09f895d9b120dbdef0a5e0e1a75fb4ad76c8d
MD5 hash:	d89bf59edef54535a4ba5efd1204f894
humanhash:	xray-muppet-twelve-artist
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'834 bytes
First seen:	2025-10-11 15:44:34 UTC
Last seen:	2025-10-12 06:55:20 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:ipJi2pID9jpZDZETWTpydpIFpGpfpsOsxEpRKAJpuR7LpD8UBJpUf5pW5PpTMEpJ:i+2W9jjAOif6EuAJq7LCKi5wPyEmwAPY
TLSH	T156519085188147396CFAD92A73F8A408B4F580C7B4DB6F16D8DC78E6808DD59BC40B8E
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.141.49/main_x86	f31b2a135b8ddcb9722663b8ec4520b8924a2c38b8dd3c99e6bf6d19544aa91e	Mirai	elf mirai ua-wget
http://176.65.141.49/main_mips	0ebf90fd660237531739c37f1425f2d4e5f6ff31d1bae5b5a98c935bc21867ad	Mirai	elf mirai ua-wget
http://176.65.141.49/vicious.arc	n/a	n/a	elf ua-wget
http://176.65.141.49/vicious.i468	n/a	n/a	elf ua-wget
http://176.65.141.49/vicious.i686	n/a	n/a	elf ua-wget
http://176.65.141.49/main_x86_64	ee7c32f57efb86a285514da96e2598f7d81688c177ec3de92e4f828cd23b47f7	Mirai	elf mirai ua-wget
http://176.65.141.49/main_mpsl	43eb865a957058c8def3999c593386106d5b29598233768cc051e88a1ab96508	Mirai	elf mirai ua-wget
http://176.65.141.49/main_arm	dd0d12712ab5d8e4b26dbd5a059bd53d7e064ec8db2f2cf2a42e043c8dea2b7f	Mirai	elf mirai ua-wget
http://176.65.141.49/main_arm5	b3ae8570a382da334ef90b15c0fa21202d5115d32e2c7031e15576d6824adf18	Mirai	elf mirai ua-wget
http://176.65.141.49/main_arm6	e742ad42f67f70b3affdc31018fdea67666ab740b48adf4d0488c08fe21db994	Mirai	elf mirai ua-wget
http://176.65.141.49/main_arm7	9783c5a5f2e0a5e430ad7a84a5ef5572eec1ee2600e00c24b69f7140ca96bb6b	Mirai	elf mirai ua-wget
http://176.65.141.49/main_ppc	94f74449bbff8ee640fa827d4eca9a376df175ddad43dbcda1a2a2372e588cd8	Mirai	elf mirai ua-wget
http://176.65.141.49/main_spc	n/a	n/a	elf ua-wget
http://176.65.141.49/main_m68k	042febd0f4564e3ee998b8e38962c58a73b41cf1caac748c3cd4f54122d6c281	Mirai	elf mirai ua-wget
http://176.65.141.49/main_sh4	9d89128c9ddd6b99a29bb271a8f5555dfd27dffde8a1bccff44661e9c84a4c3a	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-11T12:59:00Z UTC

Last seen:

2025-10-11T13:24:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/9b25b603427438fe93e5a6851c94cf877f4279dd093882c8e02189aa195d9d31/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/0f0e49be-1909-476b-8b15-7494b40cf54f

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9b25b603427438fe93e5a6851c94cf877f4279dd093882c8e02189aa195d9d31

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b25b603427438fe93e5a6851c94cf877f4279dd093882c8e02189aa195d9d31/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/9b25b603427438fe93e5a6851c94cf877f4279dd093882c8e02189aa195d9d31

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-11 15:45:43 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tms3ma2coq4p5e7fu2crzfgpq57ue6o5be4ifshaege2ugk5tuyq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251011-s7gdzavsdx/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Traces itself

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9b25b603427438fe93e5a6851c94cf877f4279dd093882c8e02189aa195d9d31

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.