MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1c00af6eb48ee80beaccd851b2fe0d742cf08fc8817c9a8b13b3c3f4786ad6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	a1c00af6eb48ee80beaccd851b2fe0d742cf08fc8817c9a8b13b3c3f4786ad6c
SHA3-384 hash:	ff4d2ff61f6d41f1225a82c461f4809e939f260738f407a9b9c7faccfbc6e441469a92c9bec51a293100f7674ee1c1c0
SHA1 hash:	b045ae8b270841d2e5752f2f5845353d18b975a4
MD5 hash:	349a4f4d47eed0457ffbd50aab1c0f1e
humanhash:	friend-happy-may-michigan
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'314 bytes
First seen:	2025-11-04 08:24:41 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItmqbZsm7sbhm89kmPglfmJamsmRyTmQlQGgJmCj6m5qnLmGlGNIpKksm/wMEmpF:iAVu1Tb1y1U3LqJBRCz8BgJs5k
TLSH	T10161A5F7034245779CAA89E731B94804768548DF98CE0FBA9FDCB4B48E8CED87D46642
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://89.35.130.116/00101010101001/morte.x86	7d83bedfae9dc3589e2f63b3484b678b7c5b744df0bd0f97066af8614e604591	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.mips	6a78bceade236fc8a1d7e6a19aca8f3719970483b68f0914b15c81bb7e8006ee	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.arc	b81f142e47c3706ff91a9f570b4f513dfe99b053a5fd0235efe20b7dbb93cc94	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.i468	n/a	n/a	elf ua-wget
http://89.35.130.116/00101010101001/morte.i686	5e6870bff5900c04ca65a6bf766a609ef684154f2294d6be2f257aa3e9ca0bde	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.x86_64	e94fa4bf74ada4f4f30a756ee12752d05e64070f610e50bbd6958fd0d89f1b45	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.mpsl	054418bdc21446fb7401f48592fc7dd9e45688be4c35f6efd5818cf272f8a213	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.arm	11ef7882f84bc4c2bdd4af327dee278c147a32e681ba6857573bda4ef4b2a47e	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.arm5	019c9a8ef8f0fbce116735ad3c18ecbe441885bf10f0790c6fd1f16e8c5cdc95	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.arm6	cdd0883855da012ed5d7a16d538a8236a020234ab6cb385d30c441ab4067aadb	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.arm7	a81ad14543b5b5e44edf0fa361cd03ba4c6bdad13639fcf4ec9c3f05bcd98d4f	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.ppc	46e6066f23ac5c40ba2c4e106e9e34f65729b21e266e2a88c396310030928691	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.spc	badd72291b706cb7d9144ffecf105b574bd5601b85fe75e778c239d2376de3b0	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.m68k	ba6e7075016f44f15ec97991802a90a9dcac2d782d22160c56746d9f8f0e714a	Mirai	elf mirai
http://89.35.130.116/00101010101001/morte.sh4	a8edb89cf9f493571a51860d1ef077a4f81d72fc40eed7b08afacc95c71519f1	Mirai	elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-03T15:51:00Z UTC

Last seen:

2025-11-04T10:24:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/a1c00af6eb48ee80beaccd851b2fe0d742cf08fc8817c9a8b13b3c3f4786ad6c/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/87954960-8bf5-4392-b369-83e5b969700e

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/a1c00af6eb48ee80beaccd851b2fe0d742cf08fc8817c9a8b13b3c3f4786ad6c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a1c00af6eb48ee80beaccd851b2fe0d742cf08fc8817c9a8b13b3c3f4786ad6c/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/a1c00af6eb48ee80beaccd851b2fe0d742cf08fc8817c9a8b13b3c3f4786ad6c

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-03 20:49:46 UTC

File Type:

Text (Shell)

AV detection:

23 of 38 (60.53%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uhaav5xljdxibpvmzwcrwl7a25bm6ch4ral4tkfrhm6d6r4gvvwa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251104-kgkppsbp8t/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

api.mangawizard.lol

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a1c00af6eb48/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/a1c00af6eb48ee80beaccd851b2fe0d742cf08fc8817c9a8b13b3c3f4786ad6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.