MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f194289631fe35021f88dd3daaee28e4b1e04f03a9697084c472e20330f51db8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	f194289631fe35021f88dd3daaee28e4b1e04f03a9697084c472e20330f51db8
SHA3-384 hash:	9492cf1c9fdb8322bf33efaae0292eff892f781d4e16b2e1d8d69603ddae63ea0f1c16a6b93dfe86dc3cf264627a852b
SHA1 hash:	8663c2d221a76f192252f5678cfd8789a809da44
MD5 hash:	3ddf6daad2ed3546ad44b2ff2fbf295a
humanhash:	cat-zulu-cold-earth
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'253 bytes
First seen:	2025-09-21 03:28:26 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:It3ZsvbhHkblfnmsXTyBGgJn6vnLcPNIpKksDMEVhXsCtcGgJsKOpa:iidEp3DyB16PLiJlH8CtBgJs7a
TLSH	T1A16170FB1341073BEDA68DE372A84404B284409BD4CEEF765BFC78A54EADEC92D41642
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://84.201.5.31/00101010101001/morte.x86	57c45b6b28433f72a53e439cd32cb99077386dcd497c5a6d7ff9ca9135e9be4c	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.mips	ea84573d28ba0d96bb3456e6dabbb4fe71368a7e34cf013e89071d3b7f5cbca3	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.arc	ee39075e53eb9454ea4e3fa1f1e13ceb1d79512e031068f637c0f51e7db7baa0	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.i468	n/a	n/a	elf ua-wget
http://84.201.5.31/00101010101001/morte.i686	9857a7f28670ebb79ecacebb9182264f7950db124033b4e0aed2b9c8e3819e28	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.x86_64	a20c81fff3c937e0c96bc4f00a847490c6fa5bf5f360fc208213e05dc5f2bfc1	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.mpsl	ada6c6994010559d659cff358dc24675164165c3918429d3f25348f2110d7401	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.arm	af6fb0c1a129cf01e1944423f9e03ee2db7baf59511b72752297790124dd32c6	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.arm5	913ee4326edeb5752b661023046c9bdd479450a744fa94fb8b702389369fa0fc	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.arm6	8b98da24cffb4a4409b3b2ba001a5b93d78d6bbe8df2878d71d24774ac6ceb53	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.arm7	a911945a1aa7d0113378f66d90d94b34f5561a19498188dfe5e045101a79aa4f	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.ppc	0061e7300d9c568ebd211a8af1583ba797abdcf89175553044660b4222401c88	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.spc	67a6972acf50ac27b5f7e1190edfc7cfb2946eb0185979a841960e446ab0b726	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.m68k	240d245f60e896a4aa332816226b0d23defcb95b0f99bd6ed1ad302465539582	Mirai	mirai opendir
http://84.201.5.31/00101010101001/morte.sh4	fd10c7fd9ea0f7fe3c8e91e31f009b079ff5f58556e83cd6f087d63e76bff751	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-21T00:42:00Z UTC

Last seen:

2025-09-21T00:42:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/f194289631fe35021f88dd3daaee28e4b1e04f03a9697084c472e20330f51db8/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/b73849bb-9370-4629-8c31-746ac0080d63

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f194289631fe35021f88dd3daaee28e4b1e04f03a9697084c472e20330f51db8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f194289631fe35021f88dd3daaee28e4b1e04f03a9697084c472e20330f51db8/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/f194289631fe35021f88dd3daaee28e4b1e04f03a9697084c472e20330f51db8

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-09-21 04:24:10 UTC

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6gkcrfrr7y2qeh4i3u62v3ri4sy6atydvfuxbbgeolragmhvdw4a._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250921-d13ajacl5z/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Unexpected DNS network traffic destination

Creates a large amount of network flows

Mirai

Mirai family

Malware Config

C2 Extraction:

uraniumc2.ddns.net

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/f194289631fe35021f88dd3daaee28e4b1e04f03a9697084c472e20330f51db8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.