MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba00792f880e3821207ce96396089fa0213bff59a549e44879315582cbdc60c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	ba00792f880e3821207ce96396089fa0213bff59a549e44879315582cbdc60c2
SHA3-384 hash:	3a79705738ba9f97a39c09dfed14554b274321057d7f4e4d487996c57ee21c86f2752dac423e159b33dea2799a15e502
SHA1 hash:	efcd9737ed3abece72e9fd00f12b9c98b8105265
MD5 hash:	e30e0155f6b5e621a369525e03b0b070
humanhash:	kitten-lemon-yankee-colorado
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'077 bytes
First seen:	2025-07-22 05:48:27 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:Y/ZsnbhTkzlfbmsvToLGgJv63nLONNIpKks/ME5hzsoncGgJsYApk:YqlAxT7oL1SXLCJ5bIonBgJsvk
TLSH	T1925183E663814AB32CBA8DDB36A84884735D50DFE4AF9F3AD5D8F4E9028EF187440741
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.213.240.242/bins/morte.x86	6b89288f82c10313cc04d6801994f61ae0f454a8e49ae902416549475d22563e	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.mips	db7c3f4a4d9955f60e2428d33081b7516d2b05a554549ef7435ad5f0da26aebc	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.arc	bc7ba0be21d0bd4d5f8ffba11fb517a6128ed67aaee485f4e9ad55ebb206dfd7	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.i468	n/a	n/a	elf opendir ua-wget
http://185.213.240.242/bins/morte.i686	ec6877d780e5c08a52316ed53c1e24688df1bb77573a73552807b446682303e1	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.x86_64	0f3d5843dbea20320950015e6b16d397ead64d3a0cc0c0c9d236ab0c329e5c3c	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.mpsl	6a381680badfe72a680a7ebbac5a87b69b92bef8cf495dea18c08768ae4a8104	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.arm	1e084f768e6f712bd7a6550bfd1d6651475110be15afdaf20ea165035e41825b	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.arm5	bb58685e750ea7ea86ef5e8e0272309259225751e891a8180edeb43f00e12237	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.arm6	fc5cd925ce297000ca57784ead53c74be59b7f1947fe30fc596b8288b58e34ac	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.arm7	f668ad9e7208fb93503504745e844534c2f1cd03bb8be6580ceb107b2f3e5c1f	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.ppc	4c2307922752b1dda4168efb06f7f577df1e1a6b559b16e290533fa875bbfb67	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.spc	600fc077b364f1e19774afc961c350ca78168a7c89985b8d649d18a784bb54ca	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.m68k	b34ab7b3235520d509129dbf8ce61fa4aaf07c689caf1086678d209c2bdfb15f	Mirai	elf mirai opendir ua-wget
http://185.213.240.242/bins/morte.sh4	aeaca0a823b1c1ba1fef65021e4435d355d8da6763b976bfecfe002a17023b80	Mirai	elf mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/80fe5e23-bd69-408a-bc0a-76560f20ac97

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/ba00792f880e3821207ce96396089fa0213bff59a549e44879315582cbdc60c2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ba00792f880e3821207ce96396089fa0213bff59a549e44879315582cbdc60c2/

Verdict:

Malicious

Threat:

HEUR:Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/ba00792f880e3821207ce96396089fa0213bff59a549e44879315582cbdc60c2

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-22 05:49:20 UTC

File Type:

Text (Shell)

AV detection:

20 of 36 (55.56%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xiahsl4iby4ccid45frzmce7uaqtx72zuve6isdzgfkyfs64mdba._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery execution linux persistence upx

Link:

https://tria.ge/reports/250722-gh559asvgx/

Behaviour

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/ba00792f880e3821207ce96396089fa0213bff59a549e44879315582cbdc60c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.