MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf524afed3a4c56766d617b3909089d3193c65f7a62ebd13af2a49be8270ccdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	bf524afed3a4c56766d617b3909089d3193c65f7a62ebd13af2a49be8270ccdc
SHA3-384 hash:	521b5a09134e55411ce01b655228e318a494ce9b384b7ddc6ca07f160f320d4d681ab551070f66d62abe1ae8ca8baa2a
SHA1 hash:	3c3a89b1a5982523d1c64131bf4cd61301a7e558
MD5 hash:	e79703d5f9e4238205753a99ca98f515
humanhash:	mirror-foxtrot-monkey-mockingbird
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'738 bytes
First seen:	2025-12-30 21:19:27 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:iE269jOJra/qssrLA7sijSfcfE0AJS7L8UBJ+5MPAEcw8P45:iE269jQIoxijSfME0AJS7L8K+5MPAEcq
TLSH	T1AD51CF8A20414F393CFA986E33F91448B4F084AB25D75F649CE834E7418EE547F88A6E
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://130.12.180.2/main_x86	0d7faa61a016d1ddbba591a09ce005623faced2ec2750b1f3148950f877a5b2a	Mirai	elf mirai ua-wget
http://130.12.180.2/main_mips	b870b0c66e5cdbab21bc4d28c3e5e66a557f6d03ab30857312d445e6624d8894	Mirai	elf mirai ua-wget
http://130.12.180.2/main_arc	n/a	n/a	elf ua-wget
http://130.12.180.2/main_i468	n/a	n/a	elf ua-wget
http://130.12.180.2/main_i686	n/a	n/a	elf ua-wget
http://130.12.180.2/main_x86_64	70653f2079ed5ad5982aa4fbff4ac49c79a54b5ad6a0240fed2848897c00b17c	Mirai	elf mirai ua-wget
http://130.12.180.2/main_mpsl	36a37ced893b0ab6400b785e14ee1c63e03f39cbb5bb18399b635ef59ffc3b14	Mirai	elf mirai ua-wget
http://130.12.180.2/main_arm	f0492645461def1452f4eb2d9ae14b218869b4dbc2093199042752b723a43bb7	Mirai	elf mirai ua-wget
http://130.12.180.2/main_arm5	e4c4775ebf8858e632497092e578940b33228349fadef0207aed99a7fb14d37b	Mirai	elf mirai ua-wget
http://130.12.180.2/main_arm6	dabf196b20d87c5b615e6b4ba7b5a73caf04caed60f032d9454b61fd7d34fca6	Mirai	elf mirai ua-wget
http://130.12.180.2/main_arm7	8fa63cf16bd8b5f0c267c99c6d62004db560a66360695c949b498231836df8ff	Mirai	elf mirai ua-wget
http://130.12.180.2/main_ppc	0c84dd5e63104cb7ab0194b28f5c41adee4c460b54cfaa9f9dd855ebe589e18a	Mirai	elf mirai ua-wget
http://130.12.180.2/main_spc	n/a	n/a	elf ua-wget
http://130.12.180.2/main_m68k	e4c9bb581e89de0ccdc2d33b90c2c3833492f4b6d238b0428ba5dfae94a348a4	Mirai	elf mirai ua-wget
http://130.12.180.2/main_sh4	5c8b91b9f5f0bcd72fd1ad5a8229396bfba43ecf1ce1f2eb3a483347652a876a	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

bash busybox evasive lolbin mirai

Link:

https://www.filescan.io/uploads/695442132fb7bb52ca829d92/reports/e434d644-eb64-4402-97ed-91f97650cdee/overview

Result

Gathering data

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/475e38eb-6b0d-46b4-933b-47ec5e4b674e

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/bf524afed3a4c56766d617b3909089d3193c65f7a62ebd13af2a49be8270ccdc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bf524afed3a4c56766d617b3909089d3193c65f7a62ebd13af2a49be8270ccdc/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/bf524afed3a4c56766d617b3909089d3193c65f7a62ebd13af2a49be8270ccdc

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-12-30 21:20:19 UTC

File Type:

Text (Shell)

AV detection:

21 of 36 (58.33%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x5jev7wtutcwozwwc6zzbeej2mmtyzpxuyxl2e5pfje35atqztoa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/251230-z6k44ahl31/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Traces itself

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh