MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3a751291d74fffa7077867087fe60a74796ed2d9741358c99ffdd4340f68ef4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	a3a751291d74fffa7077867087fe60a74796ed2d9741358c99ffdd4340f68ef4
SHA3-384 hash:	dd6150ad511fee5de60144d46a3c8d626951fad4edc22f3a404c17e6cbe7705696db3c33c34a7efe2ece0a858f1841d2
SHA1 hash:	bd10500b29c9130c33db14490fde66c73fab5129
MD5 hash:	03b80a62fddd3ca87b7c58f3f99bb199
humanhash:	bacon-freddie-low-don
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'959 bytes
First seen:	2025-08-21 17:45:43 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:iJepJ0BJZbJ13J9F99fJ17JHCZJiXZJJjJMBJ/PJL9JTBJSlJHa:iiUbPnj9fjmw7AxL/ak
TLSH	T1D1513FD4331504B9BCE2AA53F2F7894832FBA055ACE53F41DDF83CA4828DE047890E4A
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://89.187.28.175/hiddenbin/Demon.arc	79becc0904014f35becdf6b819fa905b60d93c60c1bd780a45cba663fe8b3da2	Mirai	mirai opendir
http://89.187.28.175/hiddenbin/Demon.x86	70ba6012d54158303f8a3e01e42bde46a95295dfbb3d9e3aeba31a8b5b56f538	Mirai	mirai opendir
http://89.187.28.175/hiddenbin/Demon.x86_64	d5e51657f2eeca861c3a3858f336b43934a593bd8fa5fee583a0bbaa2bf4a681	Mirai	mirai opendir
http://89.187.28.175/hiddenbin/Demon.i686	701a41e6e744fe9c4122873186d5fefe0e2d9e9035e84f08da40fa8deb5e2464	Mirai	mirai opendir
http://89.187.28.175/hiddenbin/Demon.mips	1893d16e507b7a8de606e2db37e69a45b089047a3f24f6a22199c54ae27c82f3	Mirai	mirai opendir
http://89.187.28.175/hiddenbin/Demon.mips64	n/a	n/a	elf ua-wget
http://89.187.28.175/hiddenbin/Demon.mpsl	160bd1b3dfa3f59efd02b57e40ed82b19fb923decd8bd03cf37a8c045166a985	Mirai	mirai opendir
http://89.187.28.175/hiddenbin/Demon.arm	4d81de82c2ae6dabdf3504a06d3c7ccbc0e07be34453e931511e2474f62eca52	Mirai	mirai opendir
http://89.187.28.175/hiddenbin/Demon.arm5	75d77cc7ba68d6bb5541da3d6a67b5bace6deb7e2d7ea45df882c0dba4375033	Mirai	mirai opendir
http://89.187.28.175/hiddenbin/Demon.arm6	93041a578da415e05809b0265779ee0b157828adef9ae0f84dcb970fcfc35586	Mirai	mirai opendir
http://89.187.28.175/hiddenbin/Demon.arm7	5b377d82f4861cb999d5b1a417c192c6fa4946d32e36b7daee44fdbe798ad372	Mirai	mirai opendir
http://89.187.28.175/hiddenbin/Demon.ppc	7338225fb1576f5740f81c31452f21182e169d2dd1102eeaf734e5b1a10b72b3	Mirai	mirai opendir
http://89.187.28.175/hiddenbin/Demon.sparc	n/a	n/a	elf ua-wget
http://89.187.28.175/hiddenbin/Demon.m68k	b865e5d1f36775f87a09fca955dd4d8d8d5149776261d6d8aaa9c9f1b68163ed	Mirai	mirai opendir
http://89.187.28.175/hiddenbin/Demon.sh4	5aa68a5cba0618bcda46a419047db88ab81f48098052ebc2218240d7c2cc34fe	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-08-21T15:37:00Z UTC

Last seen:

2025-08-21T15:37:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/a3a751291d74fffa7077867087fe60a74796ed2d9741358c99ffdd4340f68ef4/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/c8bb099c-9a08-4343-b979-080392a99d3a

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/a3a751291d74fffa7077867087fe60a74796ed2d9741358c99ffdd4340f68ef4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a3a751291d74fffa7077867087fe60a74796ed2d9741358c99ffdd4340f68ef4/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/a3a751291d74fffa7077867087fe60a74796ed2d9741358c99ffdd4340f68ef4

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-08-21 17:49:40 UTC

File Type:

Text (Shell)

AV detection:

23 of 38 (60.53%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uotvcki5ot77u4dxqzyip7tau5dzn3jns5atldez77ougqhwr32a._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250821-wefhravxas/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a3a751291d74/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/a3a751291d74fffa7077867087fe60a74796ed2d9741358c99ffdd4340f68ef4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.