MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0f6c60c75d45392834ea111f293597edb213948af8d968d87d2e9378d594c36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: c0f6c60c75d45392834ea111f293597edb213948af8d968d87d2e9378d594c36
SHA3-384 hash: 93b1cc47569b8cdca6fdb5226c29898d3cc2e225235251fd543e2b73d9326325bb6b4feaebd1501afc71f0a5766ce23f
SHA1 hash: b4298c463bfdeffee69eb2f9feda84854673bd50
MD5 hash: a01ebf4b145561dab4cc4f7c0338f5b6
humanhash: nineteen-eight-potato-charlie
File name: 1.sh
Signature: Mirai
File size: 2'989 bytes
First seen: 2025-11-28 19:54:16 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:ix0pxeBxBbxt3x9999fxt7xHoZxi7Zxxjx2BxDPxf9xHBx4lxra:icKvDPb9f3YGPGhrfEk
TLSH: T18F5155C831221D717DA7AA17F2F68D8871F9F0553CE2AE51D9EE3CB8418ED05B040E42
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 36
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-11-28T17:06:00Z UTC
Last seen: 2025-11-29T00:59:00Z UTC
Hits: ~10
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-11-28 19:55:45 UTC
File Type: Text (Shell)
AV detection: 22 of 36 (61.11%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
