MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6598af6eba48d415ed737e7ba54cd09075980f0d612cc891a3d7872b3c6a2f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	f6598af6eba48d415ed737e7ba54cd09075980f0d612cc891a3d7872b3c6a2f4
SHA3-384 hash:	bfe7e143190121278c8a482a9e47883fe9112f3e75299561e9fd61852c07f6cb72e0dfa5d44b6bc3c0c2b75c99d24891
SHA1 hash:	2758a38a0cebaca2dee0c62f431a4e9e7cb9e237
MD5 hash:	29a8896ca73efe49bc9c8086f1e913a1
humanhash:	friend-kitten-pip-autumn
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'047 bytes
First seen:	2025-08-21 17:21:48 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:YV9qVO8VHKVicV8EV0QVU0U1VVaV8eLV/YJVCIVEAVv6VMaMBgJsVAkk:YV9qVO8VHKVicV8EV0QV5GVVaV8eLV/l
TLSH	T1CA5194EB338286376CB9CED736A88404724955EBE88F5F7654E8F4F9008DE486442B92
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.81.210/bins/morte.x86	1e0a0173875c06a9ea592e15f54285a072e5f09912ff3267897e98fa84da0546	Mirai	mirai opendir
http://196.251.81.210/bins/morte.mips	b74962c88bd563c6b1982d72a6932bd159c87ec14ba790d056ae1909578b1e7e	Mirai	mirai opendir
http://196.251.81.210/bins/morte.arc	80d988bf67070753a76faa2cc19d96956907eca046abf09f0f0c83ac4ee168d7	Mirai	mirai opendir
http://196.251.81.210/bins/morte.i468	n/a	n/a	elf ua-wget
http://196.251.81.210/bins/morte.i686	97cd7c6d53e3b8126b0776e2896ef5235cdf3efedbfc206e6fcfb5bb044293e2	Mirai	mirai opendir
http://196.251.81.210/bins/morte.x86_64	5a85d5a30baa4186cedc8011b8f4cd3121f8a7e8c85385e0b595b0ef34d2dd35	Mirai	mirai opendir
http://196.251.81.210/bins/morte.mpsl	c7e0cc0c94dc563a5cb5c030401579b1b34a737fc7376283295635dd2eadb70b	Mirai	mirai opendir
http://196.251.81.210/bins/morte.arm	e4a41e5ce00dd681bf0dccf04187c9cd2af300613a14ab84c74c8cb7604c553e	Mirai	mirai opendir
http://196.251.81.210/bins/morte.arm5	db2af9aa7d2cf4c444d8f0b19b0c8607a94bc725e1b648089d0b059e4bf44567	Mirai	mirai opendir
http://196.251.81.210/bins/morte.arm6	f23a15dc7500793de0e84bb87c23811b5031060404aacd6b9e823bab3891bfa7	Mirai	mirai opendir
http://196.251.81.210/bins/morte.arm7	3a072928da5ee04b784d8cf6e94042f1be401ecd06849635fba7bdf8543aebb1	Mirai	mirai opendir
http://196.251.81.210/bins/morte.ppc	bba97b81e7bfd2d85ce9ab18360b37df0c0e9737d5df5ea470acd6ed426ae505	Mirai	mirai opendir
http://196.251.81.210/bins/morte.spc	98a935f9b27fa970ab10cccf1be23c4a4bd518ebcd88661c77ddf43e31ca3a58	Mirai	mirai opendir
http://196.251.81.210/bins/morte.m68k	f3a61b2979615927dd1522993fa076f0b217844e0e1862376d789c1e99383609	Mirai	mirai opendir
http://196.251.81.210/bins/morte.sh4	a44e620b1d09c269dc06ead50f046869fc616c6b68ba36078d10580db148f4f7	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-08-21T14:30:00Z UTC

Last seen:

2025-08-21T14:30:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/f6598af6eba48d415ed737e7ba54cd09075980f0d612cc891a3d7872b3c6a2f4/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/1efd046e-2ba5-4f8b-9464-db9690c84a7d

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f6598af6eba48d415ed737e7ba54cd09075980f0d612cc891a3d7872b3c6a2f4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f6598af6eba48d415ed737e7ba54cd09075980f0d612cc891a3d7872b3c6a2f4/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/f6598af6eba48d415ed737e7ba54cd09075980f0d612cc891a3d7872b3c6a2f4

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-08-21 17:22:41 UTC

File Type:

Text (Shell)

AV detection:

22 of 38 (57.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6zmyv5xlusgucxwxg7t3uvgnbedvtahq2yjmzci2hv4hfm6gul2a._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250821-vxv6gsvvhw/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

UPX packed file

Deletes log files

Enumerates running processes

File and Directory Permissions Modification

Deletes Audit logs

Deletes journal logs

Deletes system logs

Executes dropped EXE

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f6598af6eba4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/f6598af6eba48d415ed737e7ba54cd09075980f0d612cc891a3d7872b3c6a2f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.