MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8683aa92be8e11b83e8456459c798d2d12f8d036954d42c3d0261d783d63087. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	c8683aa92be8e11b83e8456459c798d2d12f8d036954d42c3d0261d783d63087
SHA3-384 hash:	e8663d69f57eda7ae4cb6e870791edd1f3f569ff253a7420f65ceeffeb441e1696d6cdcdc834c399280e5e6b45bb1809
SHA1 hash:	24265996b2eb96e5d2a43405eab7364422d2202a
MD5 hash:	5263957f0fb57c4b181281cd2310558b
humanhash:	artist-north-quebec-johnny
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'194 bytes
First seen:	2025-12-08 12:22:15 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:i5Wy5hthK95s+5H45JU5FM5gh05Ky5VKL5uK5Pg5r45Qu5gxU5nj/:wWAfGskH2JaFCg4KAVyuIPur2QUgEnT
TLSH	T150616B8A05B146343CD59997AAEFC00931A0C19670E69FCFABFC3CEDA04CD1DF480692
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	juroots
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://165.227.188.95/johenlove/johen.x86	a3e0b5b2818d8ecf9b1a356c07bfe332d822304bf3d26cd9145db59b6a338a41	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.mips	fec40ea604740a6b5736c71a7fc911b5894be0b1333b5423ff2060be0cd1f1f4	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.arc	26513393f257f19316849bf5a6790859ddc216f55eb65c099ad1c07d44c0d624	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.i468	n/a	n/a	elf ua-wget
http://165.227.188.95/johenlove/johen.i686	f6b6d2dfc082e1f6a95f1896ecc01d7ebbea1dfa39293d3c508bd40d8bf893f1	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.x86_64	16bf0b9d03c01c9e12b0e32e7a52d243b0ae6c2b040d0a5da3124d2e8eea3e9b	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.mpsl	5c2cd34ced367347680992b2aa1a6259abb10deb80175fc5197b5a9367c0056c	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.arm	5d49aa085b5232c9b04c1a32aeb84aff1f337749e2f259549345f9fbfd8ae521	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.arm5	487df4b14fa6a2178d2ea5019db86837a2c44fbee2d376a68d2ec72c1fdbb3e3	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.arm6	694b25cc4b7ccbf5eb6d13ea7287f382ac84f7becbbdea51751882dc58f6c07c	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.arm7	6d3f2997fbe8d3b745ffade257af7c2cccbc69d73016bd17cf16c831476863dd	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.ppc	34c52bb661bc52286fe6008684c26c89c7de75fc155577f57ed944cde816fe0b	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.spc	1b498df449f41ee52b0b6c593bcb33b4e03cdb55a586b69e6f3db148798b6a57	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.m68k	d133daee71e2dcb728c7387f61dd774ec6cf0c602b1b1dfbc8fba96f84e6d78a	Mirai	mirai opendir
http://165.227.188.95/johenlove/johen.sh4	14632c23688643d6deec0e1ec1df3a42c0f92040c4bad740bc29e35ec7698fdb	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-12-07T22:14:00Z UTC

Last seen:

2025-12-08T09:28:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/c8683aa92be8e11b83e8456459c798d2d12f8d036954d42c3d0261d783d63087/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c8683aa92be8e11b83e8456459c798d2d12f8d036954d42c3d0261d783d63087

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c8683aa92be8e11b83e8456459c798d2d12f8d036954d42c3d0261d783d63087/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-12-08 00:35:37 UTC

File Type:

Text (Shell)

AV detection:

21 of 36 (58.33%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zbudvkjl5dqrxa7iivsftr4y2lis7didnfknilb5ajq5pa6wgcdq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251208-pj56msvpb1/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/c8683aa92be8e11b83e8456459c798d2d12f8d036954d42c3d0261d783d63087

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.