MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecc9b6b2bfabae3e6a9025492815c4af334a9b7fd7547cf4a65a7953bf52f160. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	ecc9b6b2bfabae3e6a9025492815c4af334a9b7fd7547cf4a65a7953bf52f160
SHA3-384 hash:	8503af8a32b1a59ac052dbbc6b79722aa7c11aa779e48496db5e83d14683a37ec2f3d156e2b77da654f1204d0d2db53d
SHA1 hash:	39343cdc065ecdab2727396298244350fa78a6f0
MD5 hash:	288f142973e1b0ebeb048d966fac9de3
humanhash:	orange-saturn-music-oxygen
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'149 bytes
First seen:	2025-10-02 22:17:14 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:GB1LvR2M5pIiKMCmCQ3gSH4JU/fSWO6NX3Fe+:GsRQ3gSwa
TLSH	T10641E5F7A34BCA03D27D87CA3EA50406B015C36BB49FC735DCEAEAC90494E9C7255A85
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://157.20.32.209/bins/morte.arc	4704e07f48738bd7b4cd44cec97a7c5526a4419fa665fd425ba217425916024a	Mirai	mirai opendir
http://157.20.32.209/bins/morte.arm	f6d0afe358d658d05afad447734fee5a590e953c6c0f98cbd217a867521f8754	Mirai	mirai opendir
http://157.20.32.209/bins/morte.arm5	17bb63761f5c8c1601c331cf193c55c09d4619053f9572b3648ef69e49fd1a89	Mirai	mirai opendir
http://157.20.32.209/bins/morte.arm6	b3cd17f0afa885b377f8b04679e75f7f0827189f0b3f025a3814d156b4db1c38	Mirai	mirai opendir
http://157.20.32.209/bins/morte.arm7	09d4f358af13014b924279b5b4318a7da185db5a95b1175fac33a87e93f00b35	Mirai	mirai opendir
http://157.20.32.209/bins/morte.i686	a1617a2f4c04b81e7d8fa32fd63a09ed977cd7607b24b76055b36fdea3112c89	Mirai	mirai opendir
http://157.20.32.209/bins/morte.m68k	cdab74aed8c37c66f1370e839cd48ae264c4bda7f1aae193b516e1c9a52a93ea	Mirai	mirai opendir
http://157.20.32.209/bins/morte.mips	1cb41b9c1a9e8123336054934a6ade938b976b5dbb87e852c742ef3f1fa9cdbb	Mirai	mirai opendir
http://157.20.32.209/bins/morte.mpsl	9f142d179fbde485e13d3364d65180ee6d62449aff02e35d87447ca0f9417210	Mirai	mirai opendir
http://157.20.32.209/bins/morte.ppc	1dc7e464cdaabeaa49a759a198d6a69d7cfc69014337f7fe1881dc9f3efdb8dd	Mirai	mirai opendir
http://157.20.32.209/bins/morte.sh4	bb8425e14a2cc5ce0d44da49e2b28d19e081b6352f48c376c7b0f9b0c92e3054	Mirai	mirai opendir
http://157.20.32.209/bins/morte.spc	e43b10988feae69a629b29ad0826d88d485372dabbed9421f2e1094147da7c01	Mirai	mirai opendir
http://157.20.32.209/bins/morte.x86	20eec1f49d7ab9223b5d47b6f464aed12e418942570966eae401968088463f1a	Mirai	mirai opendir
http://157.20.32.209/bins/morte.x86_64	16ba16bf6f0d4de4341bf38820777755012f008554f5e482b88cd4a85e97eb8b	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox

Link:

https://www.filescan.io/uploads/68def9fa74e5a289899efa62/reports/32f2f0f5-2c1e-45db-8fab-8a95d4907ea5/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-02T19:24:00Z UTC

Last seen:

2025-10-03T01:58:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/ecc9b6b2bfabae3e6a9025492815c4af334a9b7fd7547cf4a65a7953bf52f160/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/422d759d-66ee-46be-9098-53afa5f3ee77

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/ecc9b6b2bfabae3e6a9025492815c4af334a9b7fd7547cf4a65a7953bf52f160

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ecc9b6b2bfabae3e6a9025492815c4af334a9b7fd7547cf4a65a7953bf52f160/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/ecc9b6b2bfabae3e6a9025492815c4af334a9b7fd7547cf4a65a7953bf52f160

Threat name:

Linux.Trojan.Vigorf

Status:

Malicious

First seen:

2025-10-02 22:18:42 UTC

File Type:

Text (Shell)

AV detection:

12 of 38 (31.58%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5te3nmv7voxd42uqevesqfoev4zuvg3725khz5fglj4vhp2s6fqa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet credential_access defense_evasion discovery execution linux persistence

Link:

https://tria.ge/reports/251002-17lyfsgj8s/

Behaviour

Command and Scripting Interpreter: Unix Shell

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

Reads process memory

Enumerates active TCP sockets

Enumerates running processes

Modifies init.d

Modifies rc script

File and Directory Permissions Modification

Executes dropped EXE

Mirai

Mirai family

Malware Config

C2 Extraction:

157.20.32.209

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/ecc9b6b2bfabae3e6a9025492815c4af334a9b7fd7547cf4a65a7953bf52f160

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh ecc9b6b2bfabae3e6a9025492815c4af334a9b7fd7547cf4a65a7953bf52f160

(this sample)

Mirai

elf 1981656374364ddf88987622b3b1a75cced37e7bcf4bf23cf994dfda818fa80e

URLhaus

https://urlhaus.abuse.ch/url/3632060/

Delivery method

Distributed via web download

Dropping

MD5 de871c5af41177ea446c86a30b0e874f

Dropping

SHA256 1981656374364ddf88987622b3b1a75cced37e7bcf4bf23cf994dfda818fa80e

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample