MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b63483689d2533e0583b7f7a93033143d2532f87482df48654fceb5b9af314ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	b63483689d2533e0583b7f7a93033143d2532f87482df48654fceb5b9af314ad
SHA3-384 hash:	900898c3d9281f6a6d1416e3613f56ee79961aa68e63e73e017ff3e1ba3a7051f2eac999170a5d4e6ab248c910cb0df7
SHA1 hash:	3a8eefdb7ef6835149b7ac03899d990c0c3e9f71
MD5 hash:	9a2a42a250f86964815c4e45cb50868a
humanhash:	alanine-mars-emma-six
File name:	thefuiodaas
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'333 bytes
First seen:	2025-11-25 08:07:44 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:ibnWbgUbpKbGwbuYbjKbfOb2OLbZSbMMbmgbxs3bjGb6E2:enCgspWGouAjWfq24ZOM0mYxsrjy6z
TLSH	T1A96184F6C2C282609EA1D532B3698A047C49F5F3F4C67E145DFA25AEF48DE443025E4B
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.x86	a6d331329e20d8b21c5dadfb92da75d046f1ac0d128dea8e58272e11043a83cc	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.mips	e4fb13d2b1039326615b6ea97cc2418b73d3dc532aeaa2273a191d3433f9f3f6	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.arc	49b987b7e71921dbeaa61d49dfd8f5f4b9e5fddd3c347925ae42763657960e75	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.i686	c9a0db8b4b1a657625526fd09ffd9773c757a76d2fa465b10f751ca11abb36b7	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.x86_64	83e12a989f190473be130ff7fa6f5ae86e2eabbe6aa789f643c2b80add1596f0	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.mpsl	3d404058829b47f37e70e35e2835ef6033dc61254cca44318056ad755008ec41	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.arm	77c95a977bc212cfc3c0c5e918a94b1925df9a086e291e7f84f315573f901577	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.arm5	2c435aa90ca3e34078572097627afd1610f64fcec5e8cc08dad41df8762ef2e3	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.arm6	fce2a09a5e4f12d48fd9c2232cac167069ee072a9613a1462fe0c0893156b00c	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.arm7	fe81c5cd324b6e4214cd4508a03a773e4a5f8a94bdc7fb8b124d48c818c738d1	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.ppc	ea59147e911f1056f8bae2e426054ad996f4b7ff053a8917fe02bb5c5eab74f9	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.spc	3cb48d24602d099c3d56eb628427e45e14d98d714e8640faadb04b2be719748a	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.m68k	e8d3cf36f0a1d65447fad7d8da173f2f9f9767b9ed96443f86eae34e60c4be5b	Mirai	elf mirai ua-wget
http://178.239.149.17/x7k2m9v8b/m9x7k2v8b3.sh4	5a4f236030744f7284ea200a1eb67ac8e041f7bb6bfa32513d8a3af3b44dc46a	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive medusa mirai obfuscated

Link:

https://www.filescan.io/uploads/692563f2c4bd66164273eaa7/reports/a481ed11-3388-46a4-bd3a-2d3c4c487570/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-25T05:47:00Z UTC

Last seen:

2025-11-26T12:15:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/b63483689d2533e0583b7f7a93033143d2532f87482df48654fceb5b9af314ad/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/df1824b1-28f3-44b6-b2c7-b83e21cbe2fe

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/b63483689d2533e0583b7f7a93033143d2532f87482df48654fceb5b9af314ad

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b63483689d2533e0583b7f7a93033143d2532f87482df48654fceb5b9af314ad/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-25 08:08:25 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wy2ig2e5euz6awb3p55jgazripjfgl4hjaw7jbsu7tvvxgxtcswq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251125-j1p8vsap91/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b63483689d25/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/b63483689d2533e0583b7f7a93033143d2532f87482df48654fceb5b9af314ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.