MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ee5066a1854ee15278b55e0a4cf9c58c2446f0f4599d1de85202c2341026bbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	9ee5066a1854ee15278b55e0a4cf9c58c2446f0f4599d1de85202c2341026bbb
SHA3-384 hash:	ec89fc2d7c7f87732215a491edb4822b38c037ac0fd6abb597cef068c91cd15ce156c45741904d289f0395dc81b1e2b7
SHA1 hash:	ddc4ab7285b8610d282554fdcf229179e43dad64
MD5 hash:	55a2a6b6527bc9e6e6906aedc09c3058
humanhash:	nuts-queen-double-echo
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'608 bytes
First seen:	2025-10-14 08:31:35 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:ipJi2pID9jpe0e/a/qsp+hjpGpfpsOsxEpRKAJpuR7LpD8UBJpUf5pW5PpT5mEpJ:i+2W9jCIajif6EuAJq7LCKi5wP2EmwAQ
TLSH	T128518E8918954B396CF6D82E73A9A408B0F990CB74DB6F16DCDC74E6808ED55BC00B8E
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.141.49/main_x86	f31b2a135b8ddcb9722663b8ec4520b8924a2c38b8dd3c99e6bf6d19544aa91e	Mirai	elf mirai ua-wget
http://176.65.141.49/main_mips	0ebf90fd660237531739c37f1425f2d4e5f6ff31d1bae5b5a98c935bc21867ad	Mirai	elf mirai ua-wget
http://176.65.141.49/main_arc	n/a	n/a	elf ua-wget
http://176.65.141.49/main_i686	n/a	n/a	elf ua-wget
http://176.65.141.49/main_x86_64	ee7c32f57efb86a285514da96e2598f7d81688c177ec3de92e4f828cd23b47f7	Mirai	elf mirai ua-wget
http://176.65.141.49/main_mpsl	43eb865a957058c8def3999c593386106d5b29598233768cc051e88a1ab96508	Mirai	elf mirai ua-wget
http://176.65.141.49/main_arm	dd0d12712ab5d8e4b26dbd5a059bd53d7e064ec8db2f2cf2a42e043c8dea2b7f	Mirai	elf mirai ua-wget
http://176.65.141.49/main_arm5	b3ae8570a382da334ef90b15c0fa21202d5115d32e2c7031e15576d6824adf18	Mirai	elf mirai ua-wget
http://176.65.141.49/main_arm6	e742ad42f67f70b3affdc31018fdea67666ab740b48adf4d0488c08fe21db994	Mirai	elf mirai ua-wget
http://176.65.141.49/main_arm7	9783c5a5f2e0a5e430ad7a84a5ef5572eec1ee2600e00c24b69f7140ca96bb6b	Mirai	elf mirai ua-wget
http://176.65.141.49/main_ppc	94f74449bbff8ee640fa827d4eca9a376df175ddad43dbcda1a2a2372e588cd8	Mirai	elf mirai ua-wget
http://176.65.141.49/spmain_spcc	n/a	n/a	elf ua-wget
http://176.65.141.49/main_m68k	042febd0f4564e3ee998b8e38962c58a73b41cf1caac748c3cd4f54122d6c281	Mirai	elf mirai ua-wget
http://176.65.141.49/main_sh4	9d89128c9ddd6b99a29bb271a8f5555dfd27dffde8a1bccff44661e9c84a4c3a	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-14T06:20:00Z UTC

Last seen:

2025-10-14T07:38:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/9ee5066a1854ee15278b55e0a4cf9c58c2446f0f4599d1de85202c2341026bbb/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/1cb0df30-8f70-4386-9b14-4781e6fbbe8e

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9ee5066a1854ee15278b55e0a4cf9c58c2446f0f4599d1de85202c2341026bbb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9ee5066a1854ee15278b55e0a4cf9c58c2446f0f4599d1de85202c2341026bbb/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-14 08:32:35 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t3sqm2qyktxbkj4lkxqkjt44ldbei3ypiwm5dxufeawcgqicno5q._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251014-ke4d2agk9t/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Traces itself

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9ee5066a1854ee15278b55e0a4cf9c58c2446f0f4599d1de85202c2341026bbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.