MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5e57de6be03d75eba3e9aeab131829a353b660d0dbcbcec8e542203994840cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	c5e57de6be03d75eba3e9aeab131829a353b660d0dbcbcec8e542203994840cc
SHA3-384 hash:	68bd1da04664cecfffc292d0216ce66c9d55fb173babc39dcd92e0c72f8adc0805d86fa11644972f9586164e7bef0ab4
SHA1 hash:	9cb0859d6f0e634dd42a053f3a672e42579aa74f
MD5 hash:	6fc370abb4840bbef39dd08790560195
humanhash:	mobile-juliet-mars-oranges
File name:	weed
Download:	download sample
Signature	Mirai Create hunting rule
File size:	4'621 bytes
First seen:	2025-02-04 17:11:34 UTC
Last seen:	2025-02-09 14:41:02 UTC
File type:	sh
MIME type:	text/plain
ssdeep	48:1tLOBLGmLxRdL6GLqYqLtDL6NtA15iNyUFRhO0uYgZHONNJRfCYhNirwu2QrzO51:1xwhxLPZc56k54FFzTFgdOBX70AVTFv
TLSH	T17191218C3F614B3A0D12DF9DF2228AA2745BD4C709914FE964ED70BCE8FEC44A52154B
Magika	shell
Reporter	abuse_ch
Tags:	Hailbot sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://103.188.83.11/mips	4bdcfa4fdf3a5973f0769c3c3f91a884c0ffc5864c9899bd7ee11be95247e479	Mirai	404 censys elf mirai
http://103.188.83.11/mpsl	3d19066949ebfd287907986918e5eedbd812612939010006fc6d8b0f17b9c69e	Mirai	404 censys elf mirai
http://103.188.83.11/x86	ce5797cd8b13c2f33236d3a9a3bc06cd8812b418b8b52d8bc48de1d851c5bd4b	Mirai	404 censys elf mirai
http://103.188.83.11/arm4	b05c179f2de94587825897a488435e73ccb35b635ba835e696186d0c64d6baac	Mirai	404 censys elf mirai
http://103.188.83.11/arm5	1f2104c71f9224fb0fe7a16fd4d23f1e4ac4a7c515f23d0313361844b58fd9e8	Mirai	404 censys elf mirai
http://103.188.83.11/arm6	4852934e3236386fdfd9c06d744a470061d32c03fe747cb25af20473b6b971d3	Mirai	404 censys elf mirai
http://103.188.83.11/arm7	d1d4cbbd012a7f0e277c8f0b282deed56cb5dea53897f9c415c8f71862fcb38c	Mirai	404 censys elf mirai
ftp://3.188.83.11:8021/mips	n/a	n/a	n/a
ftp://3.188.83.11:8021/mpsl	n/a	n/a	n/a
ftp://3.188.83.11:8021/x86	n/a	n/a	n/a
ftp://3.188.83.11:8021/arm4	n/a	n/a	n/a
ftp://3.188.83.11:8021/arm5	n/a	n/a	n/a
ftp://3.188.83.11:8021/arm7	n/a	n/a	n/a
ftp://3.188.83.11:8021/arm6	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67a25dcb51193558eb1960c6linux22vpnfull_triage

Tags:

medusa agent virus

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

busybox lolbin remote

Link:

https://www.filescan.io/uploads/67a24a6dfeedc20a1572f95f/reports/de9cd6b5-13f2-4865-9c8c-3342c9541222/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/c5e57de6be03d75eba3e9aeab131829a353b660d0dbcbcec8e542203994840cc

Result

Verdict:

MALICIOUS

Score:

32%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/c5e57de6be03d75eba3e9aeab131829a353b660d0dbcbcec8e542203994840cc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c5e57de6be03d75eba3e9aeab131829a353b660d0dbcbcec8e542203994840cc/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2025-02-04 18:30:13 UTC

File Type:

Text (Shell)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yxsx3zv6aplv5or6tlvlcmmcti2twzqnbw6lz3eokqrahgkiidga._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250204-w5kkdswmhy/

Behaviour

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c5e57de6be03d75eba3e9aeab131829a353b660d0dbcbcec8e542203994840cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.