MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de98a164fbccaa9dfae7c798e7234976a669ef257fbd21434ec6459c67383432. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de98a164fbccaa9dfae7c798e7234976a669ef257fbd21434ec6459c67383432
SHA3-384 hash: 404d2135a710412cfda39c47d1e0557539ae139cf0dffe984ef48f122cec56826c2444071c244e2ca9fd03aa93724a08
SHA1 hash: b389a0c8ce7ef2142859e210028a395955d34ba7
MD5 hash: ec83c959dbfb657ee663860f9653e962
humanhash: march-river-orange-arizona
File name:w.sh
Download: download sample
Signature Mirai
Create hunting rule
File size:4'621 bytes
First seen:2025-02-25 17:17:45 UTC
Last seen:Never
File type: sh
MIME type:text/plain
ssdeep 48:1tLgBLomLvRdLkGLAYqL7DLcR7qP5MNMULRhg08YgPHYf/nRBYY3PK1+ovNQ0ePB:1xefvLFjcLca527LzpngvY3H/umHTFv
TLSH T1C491469C3B214B320C96EFD6F22186716243D4E9C4DACFD966AD70BCB8BEE44B114647
Magika shell
Reporter abuse_ch
Tags:Hailbot sh
URLMalware sample (SHA256 hash)SignatureTags
http://193.143.1.123/mips69955124ad9ed026da5d2595b5ede417fc62713e26146f29e9e0e34573bfcbbe Miraielf mirai ua-wget
http://193.143.1.123/mpsle6d98df7336a2a420ae36cb76a6638a3278eda71a81c4909afc18d2f91ada3b8 Miraielf mirai ua-wget
http://193.143.1.123/x860a621699bcc4da7e8c64dcbdc092ecd135fbdcc15031f39cad595e2f9848c690 Miraielf mirai ua-wget
http://193.143.1.123/arm4b23b2497626e7817cb706bb46a37e7e7842a7f41196f5177ad75680ecbd8d441 Miraielf mirai ua-wget
http://193.143.1.123/arm5337ba0b5d40387f0e2dc8526e12771822621bd4dd5d16bfe3eaf7c4b842d1fc4 Miraielf mirai ua-wget
http://193.143.1.123/arm6a581f32dddb28b1b55fddf2d2195878e48a0d0000e9960743e2bc8cb1196967a Miraielf mirai ua-wget
http://193.143.1.123/arm7e95fa992e91a105c639ed19bc3c56516ba0f51be21cb3ec93e6fe19af434085e Miraielf mirai ua-wget
ftp://3.143.1.123:8021/mipsn/an/an/a
ftp://3.143.1.123:8021/mpsln/an/an/a
ftp://3.143.1.123:8021/x86n/an/an/a
ftp://3.143.1.123:8021/arm4n/an/an/a
ftp://3.143.1.123:8021/arm5n/an/an/a
ftp://3.143.1.123:8021/arm7n/an/an/a
ftp://3.143.1.123:8021/arm6n/an/an/a

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bdfba5a0fd713c335cbe68linux22vpnfull_triage
Tags:
phishing botnet agent overt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
busybox
Link:
https://www.filescan.io/uploads/67bdfb58f8ac7ec59ae4f96a/reports/786e21e6-8925-45a6-bb9e-a5a999c702d4/overview
Result
Verdict:
MALICIOUS
Score:
40%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/de98a164fbccaa9dfae7c798e7234976a669ef257fbd21434ec6459c67383432
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de98a164fbccaa9dfae7c798e7234976a669ef257fbd21434ec6459c67383432/
Threat name:
Linux.Downloader.Medusa
Create hunting rule
Status:
Malicious
First seen:
2025-02-25 17:18:14 UTC
File Type:
Text (Shell)
AV detection:
13 of 24 (54.17%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=32mkczh3zsvj36xhy6mooi2jo2tgt3zfp66scq2oyzczyzzygqza._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250225-vvcalaymw7/
Behaviour
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de98a164fbccaa9dfae7c798e7234976a669ef257fbd21434ec6459c67383432

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202412_sh_hailbot
Create hunting rule
Author:abuse.ch
Description:Detects HailBot shell scripts

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh de98a164fbccaa9dfae7c798e7234976a669ef257fbd21434ec6459c67383432

(this sample)

Mirai

elf 69955124ad9ed026da5d2595b5ede417fc62713e26146f29e9e0e34573bfcbbe

  
URLhaus
https://urlhaus.abuse.ch/url/3452116/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3452101/
  
URLhaus
https://urlhaus.abuse.ch/url/3452100/
  
URLhaus
https://urlhaus.abuse.ch/url/3452103/
  
URLhaus
https://urlhaus.abuse.ch/url/3452109/
  
URLhaus
https://urlhaus.abuse.ch/url/3452110/
  
URLhaus
https://urlhaus.abuse.ch/url/3452113/
  
URLhaus
https://urlhaus.abuse.ch/url/3452126/
  
URLhaus
https://urlhaus.abuse.ch/url/3452129/
  
URLhaus
https://urlhaus.abuse.ch/url/3452118/
  
URLhaus
https://urlhaus.abuse.ch/url/3452124/
  
URLhaus
https://urlhaus.abuse.ch/url/3452102/
  
URLhaus
https://urlhaus.abuse.ch/url/3452108/
  
URLhaus
https://urlhaus.abuse.ch/url/3452107/
  
URLhaus
https://urlhaus.abuse.ch/url/3452111/
  
URLhaus
https://urlhaus.abuse.ch/url/3452117/
  
URLhaus
https://urlhaus.abuse.ch/url/3452130/
  
URLhaus
https://urlhaus.abuse.ch/url/3452127/
  
URLhaus
https://urlhaus.abuse.ch/url/3452131/
  
URLhaus
https://urlhaus.abuse.ch/url/3452137/
  
URLhaus
https://urlhaus.abuse.ch/url/3452138/
  
URLhaus
https://urlhaus.abuse.ch/url/3452140/
  
URLhaus
https://urlhaus.abuse.ch/url/3452139/
  
URLhaus
https://urlhaus.abuse.ch/url/3452141/
  
URLhaus
https://urlhaus.abuse.ch/url/3452144/
  
URLhaus
https://urlhaus.abuse.ch/url/3452143/
  
URLhaus
https://urlhaus.abuse.ch/url/3452142/
  
URLhaus
https://urlhaus.abuse.ch/url/3452145/
  
URLhaus
https://urlhaus.abuse.ch/url/3452147/
  
URLhaus
https://urlhaus.abuse.ch/url/3452148/
  
URLhaus
https://urlhaus.abuse.ch/url/3452151/
  
URLhaus
https://urlhaus.abuse.ch/url/3452150/
  
URLhaus
https://urlhaus.abuse.ch/url/3452152/
  
URLhaus
https://urlhaus.abuse.ch/url/3452146/
  
URLhaus
https://urlhaus.abuse.ch/url/3452149/
  
URLhaus
https://urlhaus.abuse.ch/url/3452165/
  
URLhaus
https://urlhaus.abuse.ch/url/3452166/
  
URLhaus
https://urlhaus.abuse.ch/url/3452167/
  
URLhaus
https://urlhaus.abuse.ch/url/3452264/
  
Dropping
MD5 d2c3a7599927c96d66b88043b7966144
  
Dropping
SHA256 69955124ad9ed026da5d2595b5ede417fc62713e26146f29e9e0e34573bfcbbe

Comments