MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5cd680e63cdf65ea00876b76a9d6a5fc7e3d00edbb54656a854a5ed7e83481a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	a5cd680e63cdf65ea00876b76a9d6a5fc7e3d00edbb54656a854a5ed7e83481a
SHA3-384 hash:	1542b2a25f7a8438306f0494f099d272c8000d7b4a708ddc61b2eb6d5980465bbf58b44dbc145db09f06ccd8c34276a4
SHA1 hash:	3b03808495f451cb1f2b3bec2beab84d004ec5f8
MD5 hash:	07e8b38d866b41a1210ef22dca5b76bb
humanhash:	arizona-papa-mars-bulldog
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'842 bytes
First seen:	2025-05-14 08:37:30 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItMP8nM1Y1IikM1nyMq7qBhMgIMk9+M/xY3MqWqM0QMRxAM2EMSvEMB2MpoMf2H:iNsI6n+wcayTtkl+/E7bD
TLSH	T14F51D0C527214A70BDE75D7263FB184D3492E4A11CD9DE88DAEC3CB49A8CD18708DB5B
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://160.187.246.174/dwrioej/neon.x86	n/a	n/a	n/a
http://160.187.246.174/dwrioej/neon.mips	ae4dd9e52d19fb43bd52329ed391b40f73b906dc6d454cf151f18a893cc3c4fd	Mirai	elf gafgyt mirai ua-wget
http://160.187.246.174/dwrioej/neon.arc	fbe1bc145c75887ae1d6617d874a91438f19eb77a103ce7d27af53343ddf42c3	Mirai	elf mirai ua-wget
http://160.187.246.174/dwrioej/neon.i468	n/a	n/a	n/a
http://160.187.246.174/dwrioej/neon.i686	563076b4551774011b7c5aab9a95ef08dd05b42cb0474ecc9366ef3d7252ae77	Mirai	elf mirai ua-wget
http://160.187.246.174/dwrioej/neon.x86_64	442ec3ce185bdd4db8be714001ef37dd4b76cc060f3793f10e2cdbcd263ecc4a	Mirai	elf mirai ua-wget
http://160.187.246.174/dwrioej/neon.mpsl	n/a	n/a	n/a
http://160.187.246.174/dwrioej/neon.arm	n/a	n/a	n/a
http://160.187.246.174/dwrioej/neon.arm5	n/a	n/a	n/a
http://160.187.246.174/dwrioej/neon.arm6	n/a	n/a	n/a
http://160.187.246.174/dwrioej/neon.arm7	n/a	n/a	n/a
http://160.187.246.174/dwrioej/neon.ppc	n/a	n/a	n/a
http://160.187.246.174/dwrioej/neon.spc	n/a	n/a	n/a
http://160.187.246.174/dwrioej/neon.m68k	933278ebb70eea318497489db852284950b7e2e5b825a519fe2ed3911b7fb393	Mirai	elf mirai ua-wget
http://160.187.246.174/dwrioej/neon.sh4	706eb26071fb107decadd1d3cbf4a0b54b5c8742459738d832bab07f5c607437	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=682457434a59e5a2ce046f24linux22vpnfull_triage

Tags:

downloader backdoor agent

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

busybox

Link:

https://www.filescan.io/uploads/68245671322922535cb168f4/reports/9826b1e1-e5f8-44d3-8afb-132ce9097207/overview

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/a5cd680e63cdf65ea00876b76a9d6a5fc7e3d00edbb54656a854a5ed7e83481a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a5cd680e63cdf65ea00876b76a9d6a5fc7e3d00edbb54656a854a5ed7e83481a/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-05-14 08:07:06 UTC

File Type:

Text (Shell)

AV detection:

23 of 37 (62.16%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uxgwqdtdzx3f5iaio23wvhlkl7d6huao3o2umvvikss627udjana._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250514-kjq99swvds/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

Reads system network configuration

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

traxanhc2.duckdns.org

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a5cd680e63cd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.42

Link:

https://yomi.yoroi.company/submissions/a5cd680e63cdf65ea00876b76a9d6a5fc7e3d00edbb54656a854a5ed7e83481a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.