MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d32ab9e6756ee5eb17accd106ccc544280784d1b4e0da4a6ae32889c478d3da2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	d32ab9e6756ee5eb17accd106ccc544280784d1b4e0da4a6ae32889c478d3da2
SHA3-384 hash:	cbf25e334a1d8936fcba8d871de898c5df260ce2b7a00231ada078f8fad17b0f68020224cf38e7b9bfe68faf302af0c3
SHA1 hash:	db33d8c01d8d6b0f9ce3b51202210ef412f0560b
MD5 hash:	31b2f89f95157b0e4f3eaf2ce1ee9b5a
humanhash:	princess-spaghetti-violet-texas
File name:	goahead
Download:	download sample
Signature	Mirai Create hunting rule
File size:	4'914 bytes
First seen:	2025-08-07 13:39:38 UTC
Last seen:	2025-08-08 11:20:05 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vIZMV4kUnIu1V4gnIrHrWV41nIVoV43nIEBEEV4EbnIhkV47nIu1V4gnIiZV4snT:vb0dTfYLMfWEprbqt331zI7yBF/x7aNa
TLSH	T1F4A1C0F6642997BE2DA0AD7361DAC642B15125B6E5D84C0AE3D2F0E40D9CF71F890E83
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86	n/a	n/a	elf geofenced mirai ua-wget USA x86
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips	n/a	n/a	elf geofenced mips mirai ua-wget USA
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl	n/a	n/a	elf geofenced mips mirai ua-wget USA
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm	236fa5092bd06813996532ef793834e31a69ed1e576599eaa97bcf8fb7db9b61	Mirai	arm elf geofenced mirai ua-wget USA
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5	dc06d5d4daab1b23eef11b6eac8da75bafa7e75a7e44d60fb14c9db8199c7553	Mirai	arm elf geofenced mirai ua-wget USA
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6	41e5adc3527479d2bee1a3bb4c590899d40713df8fd20e0871a8f2e46a7afedd	Mirai	arm elf geofenced mirai ua-wget USA
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7	6d65317a9d29fdfee8ff125c78705186155fdb0162f3d13890c43b971bdf6586	Mirai	arm elf geofenced mirai ua-wget USA
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc	n/a	n/a	elf geofenced mirai PowerPC ua-wget USA
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k	n/a	n/a	elf geofenced m68k mirai ua-wget USA
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc	n/a	n/a	elf geofenced mirai sparc ua-wget USA
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686	n/a	n/a	elf geofenced mirai ua-wget USA x86
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4	n/a	n/a	elf geofenced mirai SuperH ua-wget USA
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc	n/a	n/a	arc elf geofenced mirai ua-wget USA
http://213.209.150.159/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86_64	n/a	n/a	elf geofenced mirai ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/7d2b6df6-6940-4de9-9ee2-f591640e8ead

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/d32ab9e6756ee5eb17accd106ccc544280784d1b4e0da4a6ae32889c478d3da2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d32ab9e6756ee5eb17accd106ccc544280784d1b4e0da4a6ae32889c478d3da2/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-08-07 13:30:49 UTC

File Type:

Text (Shell)

AV detection:

18 of 24 (75.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2mvltztvn3s6wf5mzuigztcuikahqti3jyg2jjvogkejyr4nhwra._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:unstable antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250807-qzmjxaan7y/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Contacts a large (187811) amount of remote hosts

Creates a large amount of network flows

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d32ab9e6756e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Mirai

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/d32ab9e6756ee5eb17accd106ccc544280784d1b4e0da4a6ae32889c478d3da2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.