MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf06e258e721169d18401a20085bd449c39dacea2b2da351703394f83a604d5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8



SHA256 hash: cf06e258e721169d18401a20085bd449c39dacea2b2da351703394f83a604d5e
SHA3-384 hash: effea74cbf629e79de2ce9c54210d8b421f2415e6c1b5a7ebe8bee022ae3ba50fd7677bd6262e5f52b6ad937b56d9017
SHA1 hash: f3497c35d06d28d1239af328e384551ea298c17f
MD5 hash: e900f815668a173e9ef34f9a88592ff5
humanhash: emma-paris-vermont-iowa
File name: 1.sh
Signature: Mirai
File size: 4'023 bytes
First seen: 2025-10-11 04:25:22 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep 96:SiM6M5iMZMyiMIMviM7M23iMDMciM+MRiMCMBiM7MMiMwMHiMlMyiMzM2iMAMnij:vM6MEMZMPMIMKM7MhMDMZM+McMCMMM7M
TLSH T1A88119F9F081463EEEDFC677B2A5810CA44046E761DA9F08DBBE65AA9C4CFCC2C40641
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 55
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-10-11T01:36:00Z UTC
Last seen: 2025-10-12T12:40:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen, HEUR:Trojan-Downloader.Shell.Agent.a
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-10-11 04:26:21 UTC
File Type: Text (Shell)
AV detection: 14 of 24 (58.33%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
UPX packed file
Deletes log files
Enumerates running processes
File and Directory Permissions Modification
Deletes Audit logs
Deletes journal logs
Deletes system logs
Executes dropped EXE
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh cf06e258e721169d18401a20085bd449c39dacea2b2da351703394f83a604d5e

(this sample)

  
Delivery method
Distributed via web download
