MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f50adebc1607ea6e1c9e9248457c51bbd01664e81344a333fa8da2895cbe0ac4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	f50adebc1607ea6e1c9e9248457c51bbd01664e81344a333fa8da2895cbe0ac4
SHA3-384 hash:	11d7346242636ab7fc143a46ed9465ee363a0fec1f2c34a2554c19abd05c2ecc91999275dcbed3b0258984323340e1d4
SHA1 hash:	e96861f385b23a762bac28ac4618770ce81e70e2
MD5 hash:	6f9541bb3c14dc395f86b396659d07d7
humanhash:	arizona-minnesota-mississippi-kentucky
File name:	wget.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	4'621 bytes
First seen:	2025-02-17 14:32:19 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	96:1xVW2aVL71cEokXI556CmRzf5gQk4XEo7foMXQ0hTFv:NqDXI556hRzfuJ4XEQzXQ0hTFv
TLSH	T13C91F19D3A611B364D21DF17F37189B9A0A2E0C524A18F19F4ED70FCE5BED48E2205A7
Magika	shell
Reporter	abuse_ch
Tags:	Hailbot sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://45.125.66.139/mips	a7079e14e00a5bec895f7815c0e5b131027072741a9b670360ca963930d27ebf	Mirai	32-bit 404 elf mirai ua-wget
http://45.125.66.139/mpsl	acf9ab18f3e7a349cab3151f9548eb4ca24325bb2f7d0b0fb193ef253f11e291	Mirai	404 elf mirai ua-wget
http://45.125.66.139/x86	0eb3819d816e0aa581ca67a1132784edba549ac7cf60149706e54377fb4fe9f7	Mirai	404 elf mirai ua-wget
http://45.125.66.139/arm4	1debe1e4bd65c2f284ae3154a796377308658050d744faf0bfef380860c6324b	Mirai	404 elf mirai ua-wget
http://45.125.66.139/arm5	206d934f74507fba7aa75faa6397031b64a27f94637be1c611941eded265c444	Mirai	404 elf mirai ua-wget
http://45.125.66.139/arm6	3c60ea297fbde5f205cc2dcf0b2715a36451f8d23bb08b78a133d68c423f11e9	Mirai	404 elf mirai ua-wget
http://45.125.66.139/arm7	da39d3a3cb36b8ff3e732059488bbd21fffd83248aad7699172ee0e73b3c7379	Mirai	404 elf mirai ua-wget
ftp://5.125.66.139:8021/mips	n/a	n/a	n/a
ftp://5.125.66.139:8021/mpsl	n/a	n/a	n/a
ftp://5.125.66.139:8021/x86	n/a	n/a	n/a
ftp://5.125.66.139:8021/arm4	n/a	n/a	n/a
ftp://5.125.66.139:8021/arm5	n/a	n/a	n/a
ftp://5.125.66.139:8021/arm7	n/a	n/a	n/a
ftp://5.125.66.139:8021/arm6	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67b3496c28ab76d43a5b7c7flinux22vpnfull_triage

Tags:

trojan agent hype

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

busybox lolbin remote

Link:

https://www.filescan.io/uploads/67b348a8991985e0a95a8140/reports/a11c2d95-b980-40e1-9863-8d6a74c7aa71/overview

Result

Verdict:

MALICIOUS

Score:

49%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/f50adebc1607ea6e1c9e9248457c51bbd01664e81344a333fa8da2895cbe0ac4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f50adebc1607ea6e1c9e9248457c51bbd01664e81344a333fa8da2895cbe0ac4/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-02-17 14:29:57 UTC

File Type:

Text (Shell)

AV detection:

13 of 24 (54.17%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6ufn5pawa7vg4he6sjeek7crxpibmzhicnckgm72rwrisxf6blca._file

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery

Link:

https://tria.ge/reports/250217-rww5ls1j13/

Behaviour

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Drops file in Program Files directory

Checks installed software on the system

Executes dropped EXE

Downloads MZ/PE file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f50adebc1607ea6e1c9e9248457c51bbd01664e81344a333fa8da2895cbe0ac4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.