MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b80c304c154e78c442f468a2d986124c4e14222c343aff4cdd3d332c9ac3822f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	b80c304c154e78c442f468a2d986124c4e14222c343aff4cdd3d332c9ac3822f
SHA3-384 hash:	c810f58a8ee65e99810be1668cc796efbc3f2a1f0893f835d556d097c5949ac71fb12229b09d44d0017f57be8e22858e
SHA1 hash:	cc688571a5cd955fce8cf47f2e3e2c129498dcf9
MD5 hash:	bb6223f3ecf0b937268b4bda5ba6bc6a
humanhash:	dakota-louisiana-utah-asparagus
File name:	bin
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'751 bytes
First seen:	2025-12-21 15:23:45 UTC
Last seen:	2025-12-22 01:55:00 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:NB7+xh7oU8BI1ChwG7rsyj+HjKCbdUBAz82U7Xg5:NBQn1ChwGHaDKCbdUGz82UM
TLSH	T12A71F0CD22B020367CA18ABEB2A786577BCFD376DCC51D8454EB34E864BDE4924D0B52
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://81.88.18.108/bins/shadow.x86	6e01176ce19a409441cadb631f5f0c9b51705a99ebeac50cfae65de383b2e4d4	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.mips	7a84fe422301a21cbbb8dd3cdc0e643ee0b9c1aadffa8c57398fd62ea4b58c4b	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.mpsl	7a1849017c0684337d85b2aa8a730c4fee62486f444c675e8414b97c50cfb5a8	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.arm	eb9e1cf68eb14e4adcdfa704496393a5650750460d44a27fc6810a8fb943c18d	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.arm5	4d5a9a2f2e81daf2490c91bbc8f8a9363cea14da81749fa0131ba80512542b30	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.arm6	01a6e4d8e80b7090e1287238fce08de7bf135d537438845cbb3283f0c17f2d95	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.arm7	a9e36e6d5c7b89b86270b0ea4d1363cd83e1f8efdabd7331c76ce3e1c64a3539	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.ppc	72f8dcac376fa2861c1a6591953d2c4ad3eed9c634938b3a04388603121ac424	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.m68k	5442e5301eab8ab38d0957494067d4b1e5f0df7123945e9fc2a19ca0e82eb502	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.sh4	9db2cdc377de44600f2bd4ea70114ef56ca00c876e0577899288782fd8b11fbd	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.spc	c9b7e82f11bbb447ffd558b840e98e8d4472371545b80b35432b0502447e81fe	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.x86_64	7c4d404b0e75f2e8a13e6d396544a04667a28b0d73f2baf2ee11d715d09c52e1	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.i686	n/a	n/a	elf ua-wget
http://81.88.18.108/bins/shadow.i586	6e01176ce19a409441cadb631f5f0c9b51705a99ebeac50cfae65de383b2e4d4	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.i486	0e96a2b051308669018d8a9270e18b63d79348e962a920e4dc25025baac3a753	Mirai	elf mirai opendir ua-wget
http://81.88.18.108/bins/shadow.armv5l	n/a	n/a	elf ua-wget
http://81.88.18.108/bins/shadow.armv7l	n/a	n/a	elf ua-wget
http://81.88.18.108/bins/shadow.powerpc	n/a	n/a	elf ua-wget
http://81.88.18.108/bins/shadow.mipsel	n/a	n/a	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox

Link:

https://www.filescan.io/uploads/6948146b3f8fdbf8e94da2e2/reports/285902d9-d7c6-4f24-b72d-972842e002ec/overview

Verdict:

Malicious

Labled as:

Linux.Medusa.C.Generic

Link:

https://www.hybrid-analysis.com/sample/b80c304c154e78c442f468a2d986124c4e14222c343aff4cdd3d332c9ac3822f

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-21T12:43:00Z UTC

Last seen:

2025-12-22T12:28:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/b80c304c154e78c442f468a2d986124c4e14222c343aff4cdd3d332c9ac3822f/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/ce24a0e8-4c13-4bb9-8666-dcb6d8a2d881

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/b80c304c154e78c442f468a2d986124c4e14222c343aff4cdd3d332c9ac3822f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b80c304c154e78c442f468a2d986124c4e14222c343aff4cdd3d332c9ac3822f/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/b80c304c154e78c442f468a2d986124c4e14222c343aff4cdd3d332c9ac3822f

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-12-21 15:36:13 UTC

File Type:

Text (Shell)

AV detection:

15 of 24 (62.50%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xagdatavjz4miqxuncrntbqsjrhbiirmgq5p6tg5huzszgwdqixq._file

Result

Malware family:

n/a

Score:

9/10

Tags:

antivm defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251221-s3aevswmbp/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Modifies Watchdog functionality

Unexpected DNS network traffic destination

Creates a large amount of network flows

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b80c304c154e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh