MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7ed9467b9d9b83a6b707cf616b94ac1d063d11cb87dd584fbe61b0bb74e5cac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	e7ed9467b9d9b83a6b707cf616b94ac1d063d11cb87dd584fbe61b0bb74e5cac
SHA3-384 hash:	facf3f804f844303700611bf48894865ca8e51e742f73b0ef421f5abd9f0c4b01a8e5bae88349d32d21b9b80ad301eab
SHA1 hash:	a28370409f6df2df10c4313af92278eaa5e60d9c
MD5 hash:	a091b08340a39341d42cbaddbd18d034
humanhash:	bulldog-quebec-vegan-alpha
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'445 bytes
First seen:	2025-09-18 16:59:38 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItqkSsqntqeusqbGWq5/5OsqR6qqGzG8Jq8rq5nlLqgzgNILXksqfBqFkMqGZxqy:ib2t+QZq1CGHolLxXJyWvx1Ff
TLSH	T16751D4CA21534A792DAFD923F3B9461875809CE710CB9F94D9ED3CF85C8DD0830A6A42
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://103.153.69.151/x86	56fb720aa04bb923a80712cd690510c2c532e5cc3fe0e32868eb4097cc3132bf	Mirai	32-bit elf mirai Mozi
http://103.153.69.151/mips	9bad584a9bcc3747c703d637720558a9f6389c636f7515c8e6cce8d31a91a8a2	Mirai	32-bit elf mirai Mozi
http://103.153.69.151/arc	n/a	n/a	elf ua-wget
http://103.153.69.151/i468	n/a	n/a	elf ua-wget
http://103.153.69.151/i686	n/a	n/a	elf ua-wget
http://103.153.69.151/x86_64	n/a	n/a	elf ua-wget
http://103.153.69.151/mpsl	a974b7de7fff143231cceb4336d022192096f814e7512a7d246fef7235ccb606	Mirai	elf geofenced mips mirai ua-wget USA
http://103.153.69.151/arm	3e5ee85c900647af568d41076a3dc1a2600dbbd1355744895b89181ce44ca7f4	Mirai	32-bit elf mirai Mozi
http://103.153.69.151/arm5	f780dc09d326a38c0d712fea1243112d6148f81d323529bd726ffca0e8382805	Mirai	elf geofenced mirai ua-wget USA
http://103.153.69.151/arm6	dd7ef996397753a979ec93c81eb09ebb653a52311fad9d277a2c6bada7045b18	Mirai	elf geofenced mirai ua-wget USA
http://103.153.69.151/arm7	8499db38a52efc4646eb70e5b1a1e6c4cdea4c4811bd255559303cc002ac3593	Mirai	elf geofenced mirai ua-wget USA
http://103.153.69.151/ppc	e265dc0f30fe92f3aeb7c2722d4aff0a6310b3dd90a30ff10c3a77c507fcee56	Mirai	elf geofenced mirai ua-wget USA
http://103.153.69.151/spc	n/a	n/a	elf ua-wget
http://103.153.69.151/m68k	n/a	n/a	elf ua-wget
http://103.153.69.151/sh4	n/a	n/a	elf geofenced mirai ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-18T14:30:00Z UTC

Last seen:

2025-09-18T14:30:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.cx HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen

Link:

https://opentip.kaspersky.com/e7ed9467b9d9b83a6b707cf616b94ac1d063d11cb87dd584fbe61b0bb74e5cac/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/f416fdb1-8539-4fc7-893b-2225bceb636c

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e7ed9467b9d9b83a6b707cf616b94ac1d063d11cb87dd584fbe61b0bb74e5cac

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e7ed9467b9d9b83a6b707cf616b94ac1d063d11cb87dd584fbe61b0bb74e5cac/

Verdict:

Malicious

Threat:

Family.HAILBOT

Link:

https://tip.neiki.dev/file/e7ed9467b9d9b83a6b707cf616b94ac1d063d11cb87dd584fbe61b0bb74e5cac

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-09-18 17:04:42 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=47wziz5z3g4du23qpt3bnokkyhighui4xb65lbh34ynqxn2olswa._file

Result

Malware family:

hailbot

Score:

10/10

Tags:

family:hailbot antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/250918-vj8jnayth1/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Detect Hailbot Linux botnet

Hailbot

Hailbot family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e7ed9467b9d9b83a6b707cf616b94ac1d063d11cb87dd584fbe61b0bb74e5cac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.