MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e27e02a9a90f4518343655216e610d8930672c8dc7e1944d7487a41589930b6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	e27e02a9a90f4518343655216e610d8930672c8dc7e1944d7487a41589930b6b
SHA3-384 hash:	4c5eb1a78ca6adae64b59f57fb76a03173181fb7f2ce7c1513c9982ac28f07fbadfbd1b0f0464206aeb2b6165adf16de
SHA1 hash:	7fbcdd0082713c84825f41e1d1f081482c63f98a
MD5 hash:	1d2267bd78ee932e51b8309107bb25e2
humanhash:	social-yellow-arkansas-east
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'064 bytes
First seen:	2025-04-10 12:03:23 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:ipTgT+3pTSTlE3pTXTLE3pTPTo3pTHdTH03pTfTQ3pTlOTk3pTcnTIP3pTvT43p+:ipsMp6kpjGpbmpHFHqpLOpw6puwp7Wpi
TLSH	T1FA51E9C421511370ACBFAB67F2F9814831BDB067A8D73E00DDECA8E4829BF54B441E62
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.142.252/hiddenbin/vision.arc	dd213cc7f36addc3017d74e98839989588b448365f5c0124901f57285337de6a	Mirai	elf mirai opendir
http://176.65.142.252/hiddenbin/vision.x86	6c0e3f39a0a18f9597ac3d60e9aeb89f6cc49f21b99e28eb65c0bdb2be924a5d	Mirai	elf mirai opendir
http://176.65.142.252/hiddenbin/vision.x86_64	e9db29dcce2bd2d917030ce6e14432ae8faca0e2b70ee8166b7dc987244253ac	Mirai	elf mirai opendir
http://176.65.142.252/hiddenbin/vision.i686	41c575a197a93f430e1810bae69b514d40ed9138813ca95df10b12cfacaef045	Mirai	elf mirai opendir
http://176.65.142.252/hiddenbin/vision.mips	f708a5e5664107db56ca39f131d1728692cc996cea7b42ac56e3e6256cc5e574	Mirai	elf mirai opendir
http://176.65.142.252/hiddenbin/vision.mips64	n/a	n/a	elf mirai
http://176.65.142.252/hiddenbin/vision.mpsl	43c386a583b38d4418ee3d577e71369449598996d9d8674d1a1025a8afb29082	Mirai	elf mirai opendir
http://176.65.142.252/hiddenbin/vision.arm	2284e131206da4ed3235b84d5754d51bb637c2874826061414d83f30d6c97b90	Mirai	elf mirai opendir
http://176.65.142.252/hiddenbin/vision.arm5	3404cb30940dda84ad4ed39554f1671a5b86bc4df15c528e959584648025e823	Mirai	elf mirai opendir
http://176.65.142.252/hiddenbin/vision.arm6	f29e88c53f13ce99c6d9064af60ba2bcc0411bfcbaba5bf0ad1f646fb02c50d9	Mirai	elf mirai opendir
http://176.65.142.252/hiddenbin/vision.arm7	4c3bf27b5760eff85ece74577d476bd00a370c324028b1f0db8bbaa142be1a9f	Mirai	elf mirai opendir
http://176.65.142.252/hiddenbin/vision.ppc	042d40d68e55aa34b082caf0600a685d504ed436b3a0a6400870ea742a7eef2e	Mirai	elf mirai opendir
http://176.65.142.252/hiddenbin/vision.sparc	3aedb8634f876b7cd70bdd278959644b4d21a8db91517d12efb3e5129106a1c2	Mirai	condi mirai
http://176.65.142.252/hiddenbin/vision.m68k	59f56a506e77cd6ee73527189b045cdab147b6eac73f5aa45182b56d6b0f5994	Mirai	elf mirai opendir
http://176.65.142.252/hiddenbin/vision.sh4	dae3d0f2087194f325f9678457141a178ad500df010b0e6009d523ec3cea5e05	Mirai	elf mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67f7b8b4d6e7c3effacef2a5linux22vpnfull_triage

Tags:

downloader ransomware agent

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox lolbin remote

Link:

https://www.filescan.io/uploads/67f7b3c02d430c849e116ad9/reports/e1289de1-b0f7-4a93-b090-8e240b98ea20/overview

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e27e02a9a90f4518343655216e610d8930672c8dc7e1944d7487a41589930b6b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e27e02a9a90f4518343655216e610d8930672c8dc7e1944d7487a41589930b6b/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-04-10 12:04:16 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4j7afknjb5crqnbwkuqw4yinreygoleny7qzitluq6sblcmtbnvq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250410-n8m6pa1lx5/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e27e02a9a90f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e27e02a9a90f4518343655216e610d8930672c8dc7e1944d7487a41589930b6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.