MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7d699759cce2042dc3933c898cfbff866a0872657de44de4efa1b5c96d63b66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	c7d699759cce2042dc3933c898cfbff866a0872657de44de4efa1b5c96d63b66
SHA3-384 hash:	acd7088d63e064a105c437093c64eee70084b9cb402df7c42be4cbb68c4abc0bda8f315db269a54a0cabf944a752a47d
SHA1 hash:	05e9f8af98fdc2a2cf1b18554c57d528a92cb687
MD5 hash:	c28214b9e962906bd44533eeadb2df33
humanhash:	sodium-autumn-lactose-video
File name:	matrix.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'884 bytes
First seen:	2026-02-16 09:59:10 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:iorXo5roXLoTBTO9TDEoTIT9RloTIT9ploSNosZojLLoaRoJTo7joNzN9opsp3ol:frY5kXETBTO9ndTIT9RaTIT9paSCsmj5
TLSH	T19B8152B652F20B325C629DF7B7A950277042808994C7BF06EBD968F961FDD4C304865F
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	juroots
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://45.144.64.166:81/epshteyn_x86_64	354b42ba644a621b2d7c63da4fc4b62b93bcfed1962a761826e5a4d6d02db84a	Mirai	mirai
http://45.144.64.166:81/epshteyn_i486	8c252a0623638c441aa90a97e7df42a95281028630c578b24dade116955b72f0	Mirai	mirai
http://45.144.64.166:81/epshteyn_aarch64	fa74adf19d58fd9dc812cdbbf22a1951de69ab9dbe21aec87389d507ad1f3146	Mirai	mirai
http://45.144.64.166:81/epshteyn_mips	8281588e04600cbf3cece7261b73873618d8bb2fc451d81fd4bb34ad4f9e639d	Mirai	mirai
http://45.144.64.166:81/epshteyn_mpsl	d5a387b1fa9e3b03ae0a055aebb844e73c8e1ed1728ba775bb74d918a015c5ef	Mirai	mirai
http://45.144.64.166:81/epshteyn_mips32	232d1fbbbc8d0807bfc4c3d236468687adbc92635be4969508d78e029561a10e	Mirai	mirai
http://45.144.64.166:81/epshteyn_arc	9a372e6e294b69861d246f5f316047e8fa27e2e970ebb6de1004b105dd9ecfb6	Mirai	mirai
http://45.144.64.166:81/epshteyn_arm4	800a02b006e274ae455ae5f231cfcacfc69cdab5a99870c9adeed76c2fa298b5	Mirai	mirai
http://45.144.64.166:81/epshteyn_arm5	9ee3f6e4412df6a836e74081fcc01b5046d5bf3d07f7a97ca108867429730c82	Mirai	mirai
http://45.144.64.166:81/epshteyn_arm6	cb5c01163888125d43f063b02c1a19cdf0a7aecfe8b175f8fbefde50db11232c	Mirai	mirai
http://45.144.64.166:81/epshteyn_arm7	918ca73a9ad98ae6b7d9129e22d4e8eae6841d54abadc76925af111aacfe6d00	Mirai	mirai
http://45.144.64.166:81/epshteyn_ppc	07f0056010295dd01ef7292975d3738fdaaa4cf66e909a48fa3eff96aee53d1b	Mirai	mirai
http://45.144.64.166:81/epshteyn_ppc440	fe44ed151419ee10d36cbd20f0a7b6fae542b03ecae99ec215279ea39f0c049f	Mirai	mirai
http://45.144.64.166:81/epshteyn_spc	876e0e1290b19d3f26a7fcd4ee7c36239902009de02135e6cfbfca8269d95d2f	Mirai	mirai
http://45.144.64.166:81/epshteyn_m68k	3ecda2a7a6d13bafea629c41b5b8a35d8e129d873db178d17e1c69adc48a7540	Mirai	mirai
http://45.144.64.166:81/epshteyn_sh4	b7588bde89df4af3e0e90f7fa0e4ae44e6fd4b9efcd515d6f76f1cd5ae70dfb6	Mirai	mirai
http://45.144.64.166:81/epshteyn_riscv32	0eb96a804a6097bc1827094043f6388d05f0b1920ad558de7024aa0941967402	Mirai	mirai
http://45.144.64.166:81/epshteyn_riscv64	e648ddd49dcb88cc435bfa0bcdf643d39ccc27c21f901cbd472dd831f4ed317a	Mirai	mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Result

Gathering data

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/048a65a7-226c-4b42-a948-9c0357d518cb

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c7d699759cce2042dc3933c898cfbff866a0872657de44de4efa1b5c96d63b66

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c7d699759cce2042dc3933c898cfbff866a0872657de44de4efa1b5c96d63b66/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/c7d699759cce2042dc3933c898cfbff866a0872657de44de4efa1b5c96d63b66

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-02-16 10:00:37 UTC

File Type:

Text (Shell)

AV detection:

19 of 35 (54.29%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y7ljs5m4zyqefxbzgpejrt577btkbbzgk7pejxso7invzfwwhnta._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux

Link:

https://tria.ge/reports/260216-l1kdqabv2a/

Behaviour

Reads runtime system information

Writes file to tmp directory

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c7d699759cce/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.37

Link:

https://yomi.yoroi.company/submissions/c7d699759cce2042dc3933c898cfbff866a0872657de44de4efa1b5c96d63b66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh