MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef009b82dbcbdb95990b28020b92df8a8fe3c969c9ea956ee7ec990efbe79c71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

SHA256 hash: ef009b82dbcbdb95990b28020b92df8a8fe3c969c9ea956ee7ec990efbe79c71
SHA3-384 hash: 07980100ff919b02d4338f5eb13793c83d4a9c045602399c53ce705d459fa93bb6d104ae10b3d9ffc97b37d1e3323592
SHA1 hash: 3eed5e3979ae22f2bf8d8305297cb1896394d795
MD5 hash: a206f30bd20ec7ba637b7a958f3c2227
humanhash: oscar-lactose-berlin-july
File name: sora.sh
Signature: Mirai
File size: 1'990 bytes
First seen: 2025-07-31 11:34:36 UTC
Last seen: 2025-07-31 19:10:16 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:Itv9SZi9SdT4TxVE9SZf9S5U9SXSa9SM9SK9S59S5Uf9l:ivsgs5MzEsZsesfsMsKs5suv
TLSH: T1D94163C8721447317FA69D5AF6BE9528B481B4926FC19FC2D8ECB4BD944CF0834A0A62
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 2
# of downloads: 30
Origin country: DE

Vendor Threat Intelligence
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-07-31 11:38:52 UTC
File Type: Text (Shell)
AV detection: 23 of 37 (62.16%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:sora antivm botnet defense_evasion discovery linux upx

Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
UPX packed file
Enumerates active TCP sockets
Enumerates running processes
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (525260) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: Mirai
File: sh ef009b82dbcbdb95990b28020b92df8a8fe3c969c9ea956ee7ec990efbe79c71 (this sample)

Delivery method: Distributed via web download