MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c853c6f5a73ef2bd209cb9396addf14102967c9fefaa7221de69479c4c107ae5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 5



SHA256 hash: c853c6f5a73ef2bd209cb9396addf14102967c9fefaa7221de69479c4c107ae5
SHA3-384 hash: 0acb8a25e805004ca08d1931b32da74980ab142d3a10206cd6a0028e7af6d25e5b906e2990df2d75888041d6edc486a6
SHA1 hash: bb344029e1c82049e1245cf7e0824d2d1d8ad12d
MD5 hash: 6bcece2fc8387d14f5e888b5df62855c
humanhash: low-eight-idaho-pip
File name: 1.sh
Signature: Mirai
File size: 3'014 bytes
First seen: 2025-10-06 19:04:07 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep 48:ipUGpBdBeNpm6pzWp5GpVupjOKpmnFcpFkLps4Jp7epncTBpaypKtUpT/9:i3rfeNVU6ahLoLTYIJqUl9
TLSH T18B51818512A19331ADA5ED7673AB8009758080675CDB2E0ADEEC38F4EDEDDCD740A743
Magika: shell
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags

Intelligence


File Origin
# of uploads: 1
# of downloads: 39
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-10-06T17:23:00Z UTC
Last seen: 2025-10-06T18:02:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph: /usr/bin/sudo (pid 2719) execve /tmp/sample.bin (pid 2726); /tmp/sample.bin (pid 2726) execve /usr/bin/cp (pid 2728) and /usr/bin/wget (pid 2736)
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-10-06 19:17:43 UTC
File Type: Text (Shell)
AV detection: 16 of 24 (66.67%)
Threat level: 3/5
Result
Malware family: n/a
Score: 3/10
Tags: discovery, linux
Behaviour
Reads runtime system information
Writes file to tmp directory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh c853c6f5a73ef2bd209cb9396addf14102967c9fefaa7221de69479c4c107ae5

(this sample)

  
Delivery method
Distributed via web download
