MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3d0aeabcaf687d25e611b701068516cebf074cb8bcc35a2454618d558f423d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	b3d0aeabcaf687d25e611b701068516cebf074cb8bcc35a2454618d558f423d3
SHA3-384 hash:	e44df115d6d79e755568b5a0d5e0a6609f48e205f63fd65671ea0264a9666dec81b4e74ef65d19b19cb0396b91cd9bf3
SHA1 hash:	2f540a5aa07e70cbd089e2ced792cd74630301ef
MD5 hash:	2579f523a24ebebe9b97f064c044de5e
humanhash:	avocado-bakerloo-lactose-montana
File name:	and
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'284 bytes
First seen:	2025-07-09 08:50:20 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItKmbZsKNsbhK49kK5glfKjamsKbyTKQnQGgJKOj6KTqnLKGnGNIpKksKpwMEKD9:iWFUdbDZQ1i/LkJRBwP6BgJspk
TLSH	T1ED615DFE33410633ADB6C9E37AA8C40462C4419B58CE3F755BEC68B58D8CEC93D41A5A
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://87.121.84.44/00101010101001/morte.x86	2640512201ae2a0f515b0cc9d8cb8bba20c440aef5c91d0f7632d5f12b1bc01e	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.mips	b3211943b1a91fb0f11eb32a0d5e74ae9eb4ae7df45daf3f368ba6216c63a739	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.arc	ac411a17498b1006b712d89d16ab8b0c863435addd667aac4000dff0100bf23a	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.i468	ac5c338c558a7b2679876efa6965ad0fa2868cd2d42288e2492113c619622134	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.i686	bb0a72d9394c27afafbe882da58449ad8bb538e05ed478897028db9efb1837bb	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.x86_64	4fa0b919f29ce04e492564cdc7fd04493f3c0fe4936f540b832fbbbb91ebd224	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.mpsl	388fca18d135e0355f1d8f0b6d72583d868fdedfd94e4433c13cabf2e22293ac	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.arm	c323ffb320b490e697419b50310aa8c2ac72447123f637404aab870431f2af02	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.arm5	0af60479a4f52295d54a989ef3857f327e29129759094bd299d232f6b7b27396	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.arm6	c0a05e039d5c3eb2be10b4bf48a58684466b52387506db4ca927b34220777c49	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.arm7	aa7a00f2e8fa6079833b368bb53e0379df669d09f5490e578568e00c3b486f17	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.ppc	b05136041ee5e91d5a13ef2e542bd5e2a99a7c671a7b223db60edfc83e0ed94c	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.spc	a5096a6f6f1d1a3a6cec37e9739eec6a57b20cb9a36cc36c36b6ad5b5876b953	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.m68k	ac5c338c558a7b2679876efa6965ad0fa2868cd2d42288e2492113c619622134	Mirai	elf mirai ua-wget
http://87.121.84.44/00101010101001/morte.sh4	ba212c7156c961b97874657e81393cb6b94eef969c3e0b6e744956770d8f394a	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686e2d5f900df8e7f868eebalinux22vpnfull_triage

Tags:

downloader ransomware agent

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/c869b209-5788-4633-b2d9-92d69eacae0b

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/b3d0aeabcaf687d25e611b701068516cebf074cb8bcc35a2454618d558f423d3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b3d0aeabcaf687d25e611b701068516cebf074cb8bcc35a2454618d558f423d3/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-08 21:37:35 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wpik5k6k62d5extbdnyba2crntv7a5glrpgdlisfiymnkwhuepjq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250709-krvmnawtgy/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b3d0aeabcaf687d25e611b701068516cebf074cb8bcc35a2454618d558f423d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.