MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4cd34574511fba95f796025862741c1ccd2375edd13e1a544ca0fd418098604. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	f4cd34574511fba95f796025862741c1ccd2375edd13e1a544ca0fd418098604
SHA3-384 hash:	fee2556906005f061cd608c8d4942fb2ead792ba209467073e76677d9596e8fd6969afa4d321fbca51790cd2794a20e8
SHA1 hash:	27d564bd544628239a10eb0c6ae97ed8ed7e48d4
MD5 hash:	3b1cce8bc659280f11143c4a50a03c8c
humanhash:	helium-fanta-yellow-single
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'344 bytes
First seen:	2025-11-06 08:30:54 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:Itf5RZsfKWbhfv3kf2KlffMwmsfo0TfiaiGgJfB56fw8nLfMaMNIpKksf6mMEfE9:iSHUr5Nqn16ZLyJvZsKrBgJsJk
TLSH	T12E6183FB134246379CAAEED332B888047145419BA5CE5FB55BEC39F51C8CECA6C41A62
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.87.155/00101010101001/morte.x86	70a64a2f61de16f7c53a206ccd45ffd05129d8e176cb69a1972923fbd720a3de	Mirai	elf mirai
http://196.251.87.155/00101010101001/morte.mips	4065b4d921d8cb95f14719930de61e4fbfbe57748c9a16979dbfb8b9e782ed6e	Mirai	elf mirai
http://196.251.87.155/00101010101001/morte.arc	b9a216ebff916091d3d22af2625b436d3e5e6998522a1685bb476191ef93e461	Mirai	DEU elf geofenced mirai ua-wget
http://196.251.87.155/00101010101001/morte.i468	n/a	n/a	elf ua-wget
http://196.251.87.155/00101010101001/morte.i686	4b24aaad6e9eb56539588110d4c50ae45c28b4647715796f090af6358e58afc7	Mirai	DEU elf geofenced mirai
http://196.251.87.155/00101010101001/morte.x86_64	8c3f3518f247f415ea5c839524c51773ee552aa5ee25fdfea6a3968ebb40d241	Mirai	DEU elf geofenced mirai
http://196.251.87.155/00101010101001/morte.mpsl	3e5ef3d1a707f0f935ed55136b433b6328b4c6984d1c5c020359f586b3932a73	Mirai	DEU elf geofenced mirai
http://196.251.87.155/00101010101001/morte.arm	70bd62673da4b4863a79b91bc5ba9a5636257685dbb981e669af123313def828	Mirai	elf gafgyt mirai
http://196.251.87.155/00101010101001/morte.arm5	df160fac5cfdece27ef21645ff664f2816187e034b0db7673f05af254a5f607e	Mirai	DEU elf geofenced mirai
http://196.251.87.155/00101010101001/morte.arm6	e0bf86191882649a3b163925144da7b9cdc8fbf359e20924f96807cae1e4a5de	Mirai	elf mirai
http://196.251.87.155/00101010101001/morte.arm7	677dad5e79d975f86cb2cfdfc7b82434289e599b01bb26b4e861aad5f903ad70	Mirai	elf mirai
http://196.251.87.155/00101010101001/morte.ppc	0d54c44eec3b371978542f5e81b0f377f1e2948cf081711fb2b798c1ccbf13dd	Mirai	elf mirai
http://196.251.87.155/00101010101001/morte.spc	581a67c0b870f72d922266e6110520db647d0bd0126f52265d4298be9d9177eb	Mirai	elf mirai ua-wget
http://196.251.87.155/00101010101001/morte.m68k	5a06b97b18f906092397e3531274f80d05bbba01a15e93ec47a6a504b0f34323	Mirai	DEU elf geofenced mirai
http://196.251.87.155/00101010101001/morte.sh4	66399f695954db7bf91e7e52e7e8f1331b4e0fb091610c5b22a4c1172b942531	Mirai	DEU elf geofenced mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-06T05:10:00Z UTC

Last seen:

2025-11-06T10:23:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/f4cd34574511fba95f796025862741c1ccd2375edd13e1a544ca0fd418098604/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/4c1860db-3eab-4902-b05c-4f1b7546b847

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f4cd34574511fba95f796025862741c1ccd2375edd13e1a544ca0fd418098604

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f4cd34574511fba95f796025862741c1ccd2375edd13e1a544ca0fd418098604/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-06 08:31:20 UTC

File Type:

Text (Shell)

AV detection:

23 of 38 (60.53%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6tgtiv2fch52sx3zmasymj2byhgnen263uj6djkezih5igajqyca._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251106-kevrwstmej/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

teamc2.duckdns.org

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f4cd34574511/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f4cd34574511fba95f796025862741c1ccd2375edd13e1a544ca0fd418098604

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.