MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bff314fbbc14981c43feaa5ddf2e48c926cf7902aa030de80a29ccbcd3556ce9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	bff314fbbc14981c43feaa5ddf2e48c926cf7902aa030de80a29ccbcd3556ce9
SHA3-384 hash:	c81b13adb78eaeb3e5307a82d89a840cc8c140d2d5bf4ece57f72c65a16388346819844f08a85e2324b365e015151dd1
SHA1 hash:	f80858e51076efaa8808340a7dd7960430432a00
MD5 hash:	7453c66820255cbdac7be036f86f7cb4
humanhash:	mobile-edward-thirteen-friend
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'044 bytes
First seen:	2025-08-27 06:14:55 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:Itf+W+qZsf+L+Lbhf+0+4kf+b+7lff+l+Vmsf+d+NTf+Va+VGgJf+a+G6f+l+VnD:iCbcXVloJ1qBLmJ3tkoZBgJsVk
TLSH	T1945166EF238246335CBAEEE77AA98458B35550EBE4CE5F7554ECBCF9404CE086440A63
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.87.166/bins/morte.x86	224bb391451b00c3c44269f7d9d94caa59623c65e08e24de22420f4f21686440	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.mips	898f7f84f9ad51ae37a565893e4f72b6ebce2691d529f8744d7d3fb32ed4c4ca	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.arc	570791184ff5faa904839758cc51c3419e3802e8abe9d347e5928915e17d7ffe	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.i468	n/a	n/a	elf ua-wget
http://196.251.87.166/bins/morte.i686	63021604b19c822d162cb1ff2e65a49e51c792fecfb2975f068ab5acb805a04f	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.x86_64	f904c5dbb0f0346f55ca3667fbe2f97aaac07b320ae16e4fcf718c34f23de2cd	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.mpsl	c7121493e6e7e2c519dfaf688d1be09d07d06d46ac3984cc513d52d190169c9a	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.arm	abb79091e35cd813de2d50e02ec355d6fc309d704ab8bc6d4354bbda531ca615	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.arm5	c8ae7fee6b607a59a8a76bdf0026a987c118b01d7843cc01c3e4cd7182e67fd5	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.arm6	b5ff3d5b1158f4cb6bffa6e8a1a4c25af0ee8655c31b0b8084c50e2f913daa5c	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.arm7	54f3f6d1330b4c9667d1113ee3329c2a023cab9a71de20ba55dbed869a38a6b2	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.ppc	8ba34509d086573760aa8f7677c3d828c0cf477bd4342a9f743c7ba9b81051f5	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.spc	9d717775b3a0461cc62c5a8fbfd6027e62fb8f8ff47e5d1dc28a12db816cdcf3	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.m68k	6ceddf85002197439346890d29eda288c11ab7e11c27deb86a953bd96dd03096	Mirai	elf mirai ua-wget
http://196.251.87.166/bins/morte.sh4	e98333b12e1353d142e9b467839d4f21a7640294f4b7cd9bd9a6029d93b806b3	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-08-26T09:31:00Z UTC

Last seen:

2025-08-26T09:31:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/bff314fbbc14981c43feaa5ddf2e48c926cf7902aa030de80a29ccbcd3556ce9/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/b581e791-9820-44db-b977-db314afcc24e

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/bff314fbbc14981c43feaa5ddf2e48c926cf7902aa030de80a29ccbcd3556ce9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bff314fbbc14981c43feaa5ddf2e48c926cf7902aa030de80a29ccbcd3556ce9/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-08-26 21:01:42 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x7zrj654csmbyq76vjo56lsizetm66icvibq32akfhglzu2vntuq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery execution linux persistence upx

Link:

https://tria.ge/reports/250827-g1fcjswxex/

Behaviour

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bff314fbbc14/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bff314fbbc14981c43feaa5ddf2e48c926cf7902aa030de80a29ccbcd3556ce9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.