MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0de4ca46293b5d0d5edfd37e69f866cfd506d5cc04dd3e39f330a6ccd93ead3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	f0de4ca46293b5d0d5edfd37e69f866cfd506d5cc04dd3e39f330a6ccd93ead3
SHA3-384 hash:	bb36769705f132ccb293675710a7446773ff3310805efac08f9f40a34af53c4b8b14df12aa69bfcb52b509e1ed69b1fe
SHA1 hash:	517b24ab83fe7649772e866650c6d9a1f8ca52aa
MD5 hash:	3c0000cc11b578270e94f8cc9b81574d
humanhash:	gee-idaho-carolina-pasta
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'969 bytes
First seen:	2025-10-31 22:04:48 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItZs/N3sFhB0sJGt5J9xaN9Lg7NI8ksbJnjXXOjCeUi:iS/N3sFLZJGtfK9L2JbJnjHOjCni
TLSH	T11651D6E538D103347D69E93AB3A4794C3A91B4D790E61FA768D838E4A0CFD05B5E0F82
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://209.141.49.229/Orbt/Orbt.x86	dd258a9497fc4af04f0420e4f98e852a6b544f5a253cea4f4109bf066a4b53e9	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.mips	6b654482488f83c862d46ab264c19be24ce7ca2c72534066db084473f31a94d7	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.arc	17dd5e8f0fbad1dff33178ae8378d2e6472cd421b08397ada166c6675f05d742	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.i468	n/a	n/a	elf ua-wget
http://209.141.49.229/Orbt/Orbt.i686	62e00dd7bfb4743a202f1fba715eee4f9c8b1b5c86481b5126bd28e01fcea5fb	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.x86_64	a3690d48dd05229e06a8de1d9ecac923919f395cc776bef22c15037f8b8e6c60	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.mpsl	1f138f89f62439f1cfba40065d45abbf2ecb3c2b3c8467beb5d297f99f8b90dc	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.arm	fd4edf1203ccea7414ea15042b577b4c4532e60cc29a291224457db5f5281b90	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.arm5	f9be88e2e0fefa32f2654c37b8a04e15dac0ddf1bb323f82179e48a90c00476a	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.arm6	76ed669c5c695512cdfc229798185cd98e72908945454f1ad21625c2f73386d5	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.arm7	b153642b892fb063f5e9290a0b01e0bf2f0774567f85d38653ac04ce287653a5	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.ppc	3334bfa7ebd9db0de552e059d47231d342cd77a035cd111087fc4aa7e5285974	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.spc	30d6e4fcbc22b9f14d8dcce2db53b9a75d95c1029ec426ccb6f1a9e8d4083bf6	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.m68k	482f2363c886e7c3ca46cd69869c60723a8df6332f07b45105bb56fed7239b8d	Mirai	mirai opendir
http://209.141.49.229/Orbt/Orbt.sh4	17bb39d2ca685bcfc9ba83713d0bd4198ce9f1ed7e2fad308da09ee343d3c1d1	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-31T19:27:00Z UTC

Last seen:

2025-11-01T16:00:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/f0de4ca46293b5d0d5edfd37e69f866cfd506d5cc04dd3e39f330a6ccd93ead3/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/7fbd9ec1-270a-45cc-bab4-b3e4733eba57

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f0de4ca46293b5d0d5edfd37e69f866cfd506d5cc04dd3e39f330a6ccd93ead3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f0de4ca46293b5d0d5edfd37e69f866cfd506d5cc04dd3e39f330a6ccd93ead3/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-31 22:18:11 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6dpezjdcso25bvpn7u36nh4gnt6va3k4ybg5hy47gmfgztmt5ljq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251031-11fsvsa16f/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

lolzzmortex.duckdns.org

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f0de4ca46293/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f0de4ca46293b5d0d5edfd37e69f866cfd506d5cc04dd3e39f330a6ccd93ead3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.