MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbdfa157a11857424d0b0adb3a66e863b0ea8441e2a0c92cb739e5d8ebc81516. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	bbdfa157a11857424d0b0adb3a66e863b0ea8441e2a0c92cb739e5d8ebc81516
SHA3-384 hash:	fca6212d110b8b86975a90c1a7fc30448fba426e2e4c888a860f61d671925eefa19a157177af39c13ee8cdb2c1da460f
SHA1 hash:	004d677bce7e4cbea662eb5db930bd1d0be21309
MD5 hash:	48d064120fdd364bc7abaf9dae4fce41
humanhash:	emma-equal-east-moon
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'344 bytes
First seen:	2025-07-27 17:46:00 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItduYZsdv1bhdsSkd/llfd5zmsd1PTdvgvGgJdi86dlfnLdBgBNIpKksdHdMEd7s:iSVk9Hfx81WbL4JpBY3iBgJsRk
TLSH	T16161B0FA03A0A6336DEA8DD7B2AC0505754069BB15FE8F724FDC28E40C8DED86C85642
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://103.212.227.29/00101010101001/morte.x86	bb8411d88ccf2db0b973f2b5ae42b296e00db8663086bc1ad571ec63290630a2	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.mips	de44217ea506f4a91125400520dca46e97606f1ce7c7ed81f8a1a3e561cb6ef3	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.arc	3a9882d40e0fbe51fc065949f2a77d07bd26fb9cd7cceec5f805b6c48e4ac41c	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.i468	n/a	n/a	n/a
http://103.212.227.29/00101010101001/morte.i686	bce821858a5bac9383451287522111603041d22adef3c62ec826f59646fab712	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.x86_64	15f675f733bf02b6202275a5085b1359fb614dc32dca5e0df6cefbc0c98b6cf3	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.mpsl	9bcc387304f55d5c2592245d1aeb30e57349a14f33d77cc4d47f083e6fb35895	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.arm	9c94452fe22fcb3462dc53acd40e31b019dd22ac2db55d314e0f526f9e3e5865	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.arm5	f604378df57c92885d6ffddd225b35e8d640fcd4c7e4cb1821655cf0fa053018	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.arm6	308bde152ec169241339f441958eca0760af29a79c0462dd8721a787e50b38b9	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.arm7	d83bbd67e42d4ed4de290cb93e5b7b4ccd47b25955e063fc8068d37bfdc9526f	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.ppc	fab8e909ac5bcbad2fd909a0c2554d8000574d4745c5b9415e9a4189681e3e01	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.spc	ff94f9812c5d5b49ced4a1f488d8fe738921ef699b301321e1161feb448e8f24	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.m68k	0edff82ad6363057e418ebd4be09fb0ab2bc881356c7f7bda9fd0f04493fb74f	Mirai	mirai opendir
http://103.212.227.29/00101010101001/morte.sh4	ecc6005560c69e83d965683f2d1deb800a801bfca69a45067e7b3fd307393e1b	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/9737bfc4-b63d-4944-af2f-9d35cd40b961

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/bbdfa157a11857424d0b0adb3a66e863b0ea8441e2a0c92cb739e5d8ebc81516

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bbdfa157a11857424d0b0adb3a66e863b0ea8441e2a0c92cb739e5d8ebc81516/

Verdict:

Malicious

Threat:

HEUR:Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/bbdfa157a11857424d0b0adb3a66e863b0ea8441e2a0c92cb739e5d8ebc81516

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-07-27 17:46:38 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xpp2cv5bdbluetilblntuzximoyovbcb4kqmslfxhhs5r26icula._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery execution linux persistence upx

Link:

https://tria.ge/reports/250727-wcj36azzfy/

Behaviour

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Malware Config

C2 Extraction:

as.ddos678.com

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.