MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e011e366a071eedc3182865d528cd3b3bffdd12d4f66a11a6f3c2389c28b6715. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	e011e366a071eedc3182865d528cd3b3bffdd12d4f66a11a6f3c2389c28b6715
SHA3-384 hash:	a6f1ebb303efd2e8f7d3b3d2d45ba1b0a2c6e96a1c759809eb782c1a7ba66b87e29d61fdb6fd37116790115633310d21
SHA1 hash:	e292ecb36f290793620822276fa9726b4dcb828a
MD5 hash:	048abc2e885a20ecd21570ef0dcae668
humanhash:	nebraska-summer-connecticut-seven
File name:	2.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'180 bytes
First seen:	2025-11-19 22:01:58 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:/oldGVVkDw+oUUPFy+8nJh+JRmHQqL1/2uNQ:/oldGVVkDw+oUUPFy+DJRmHQqL1DQ
TLSH	T1A26185BA014407716CE26BD7637D404C7092929748F6BF22A7ED28E88D8DFDCBC41667
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://41.216.189.88/00101010101001/S3o.x86	78ac4725a3fdeffee93d194062e4bb7a9bf6ade097e01c1f22879e66cb566641	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.88/00101010101001/S3o.mips	53615a4af4790950949ac8f23efef5cb59e337f45aec153bfd04300b0217d9e8	Mirai	elf geofenced mips mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.arc	5f5a706a8a71a3c575a9df6a3e8d1ba9675be972aa4c03b691a91c936a6ee1fd	Mirai	arc elf geofenced mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.i468	n/a	n/a	elf ua-wget
http://41.216.189.88/00101010101001/S3o.i686	700842323b582df5df7144083b602b167a94495e3f4343cecae383f9e2b2615d	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.88/00101010101001/S3o.x86_64	27c926168497fc949b918637fab95fbae3a28b88c0d73a253e7269ccef083966	Mirai	elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.88/00101010101001/S3o.mpsl	e832159022295b596d98a6c399d989677a1c82d434bb5d6a9242fa8565ac9404	Mirai	elf geofenced mips mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.arm	129e34442b5de7efd65f32ebcc0d0e4b9bd07e232b397908a984768c89728663	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.arm5	cce677908eb66b3460c99b3815b208a059ecbd767fe7514a7a3be9663ceb935a	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.arm6	58606d11375eb108d5dc0a954304f94a104ae1e8f65565eb599b1cfc6706c465	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.arm7	4d4e8d719306083b2e363997de327259bc94a9309224615c7d6a95a6ed4fbfb6	Mirai	arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.ppc	fa18e6594fb0d483be81063eba7ec3a49a9e92c56596b7bc5c2d23ad9b144df1	Mirai	elf geofenced mirai opendir PowerPC ua-wget USA
http://41.216.189.88/00101010101001/S3o.spc	f1e6fa418e385868543ab24275555cec3a9dad61de3126acb0373a784d6172b3	Mirai	elf geofenced mirai opendir sparc ua-wget USA
http://41.216.189.88/00101010101001/S3o.m68k	dadbe7b48b5f1fe29e819d1acc513bf893ba9419131116c5e4a2ed1184746e1d	Mirai	elf geofenced m68k mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.sh4	0815843159c22179fac28607e3966124144f4395444540e03ead85e4d03b04cd	Mirai	elf geofenced mirai opendir SuperH ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox evasive

Link:

https://www.filescan.io/uploads/691e3e8f5bbff1003f0ae1d3/reports/06d3539f-e355-41e6-9045-5019d479ad4f/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-19T19:29:00Z UTC

Last seen:

2025-11-20T10:18:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/e011e366a071eedc3182865d528cd3b3bffdd12d4f66a11a6f3c2389c28b6715/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/4c3bdadb-4ff0-409e-9639-d8c389f66967

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e011e366a071eedc3182865d528cd3b3bffdd12d4f66a11a6f3c2389c28b6715

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e011e366a071eedc3182865d528cd3b3bffdd12d4f66a11a6f3c2389c28b6715/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-19 22:03:28 UTC

File Type:

Text (Shell)

AV detection:

20 of 36 (55.56%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ai6gzvaohxnymmcqzovfdgtwo773ujnj5tkcgtphqrytqulm4kq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/251119-1x9a1agn9y/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e011e366a071eedc3182865d528cd3b3bffdd12d4f66a11a6f3c2389c28b6715

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.