MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f88aa064da17427cee044401a23918bb616950b2a1c9efb2bea5be89265aa0c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	f88aa064da17427cee044401a23918bb616950b2a1c9efb2bea5be89265aa0c6
SHA3-384 hash:	1d591da120654b74257ec3127107d65770ef1a96e5c99f97cb53d147cc1ddea57804d5c15f66bd0cd74bfcd08481a8c0
SHA1 hash:	f59818e67f2c5ccc5bd0e9ee0bf1af3c0201bcb2
MD5 hash:	91525cd9d85540e423902227ab5534d2
humanhash:	finch-nebraska-three-early
File name:	1.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'014 bytes
First seen:	2025-10-05 06:36:47 UTC
Last seen:	2025-10-05 21:37:50 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:ipGspTdTeNpcAph8pTcpLkpZOYpInfcpzKLpeSJpdEppOTBp44pMrUpVh9:iLRNeNZg2C9voLXQ4dqUt9
TLSH	T195516F8516A99371ADA5DD3273AAB00976C080B79CDB2E06DCEC78F4D9CDD8DB481783
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.141.49/dwrioej/neon.x86	8d2356e5b40f3aae4e46dc078df27d0f64cedda93437bb49060f86fe924ad04d	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.mips	91ea6fecea25d987ecc69640245cccae87fffc17b00893a2bd9508da7aabfe52	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.arc	8a5a1d7d038b275ae0f3ef32ee3ae02f175c70695bb6d5d095a63b24fd0e3a11	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.i468	n/a	n/a	elf ua-wget
http://176.65.141.49/dwrioej/neon.i686	247b7fd27a2d99fc5b6e0d61a2fc777e41183ecae07c735ddafccb37963f537c	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.x86_64	6ba178c5fce37dd9cdbfde14c0a48074cdfaaaef4759adc5626428ff0052dd80	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.mpsl	9fa8f4359ba0abc85de6b120b71a93e377b09cdda73a3d98bde2e30964b92567	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.arm	9bcbd4a63cdfd9930754cee17b9df6d4fa3ee31bdb95c692e812f2b7af3ce089	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.arm5	100a75ae98b1ad4814c4136fce486ad5e45fac50f01614654eba2fe6b719386f	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.arm6	e1b891ecd33be851c68f1c87f3bb69aa218e5acdebb766841c7f6cbcecf11dfe	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.arm7	381c7b8f81a5b58f281f6d0679503bec60f6099fdf80f9997a3683e61d621a23	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.ppc	35d007f8166e8bc121e20461274616a8f45771cb43a98809f6b99fbaaebbd375	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.spc	8e14cec7ed92d6801c1a4043e84222606a6cdc3efea1effb103341c7c7adb85b	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.m68k	cb2e39d704f366f78f4f6e1b6156b791e32b2f7e2bf8d672101ffbf120dc81d2	Mirai	elf mirai ua-wget
http://176.65.141.49/dwrioej/neon.sh4	578617e362c6fc30110b98cee18d6f81675a0c6abdc644e11e08477750d4e3c4	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-05T03:54:00Z UTC

Last seen:

2025-10-07T00:05:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/f88aa064da17427cee044401a23918bb616950b2a1c9efb2bea5be89265aa0c6/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/93eefe67-dd60-42c4-8264-234af1e3ff77

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f88aa064da17427cee044401a23918bb616950b2a1c9efb2bea5be89265aa0c6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f88aa064da17427cee044401a23918bb616950b2a1c9efb2bea5be89265aa0c6/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-05 06:37:39 UTC

File Type:

Text (Shell)

AV detection:

22 of 37 (59.46%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7cfkazg2c5bhz3qeiqa2eoiyxnqwsufsuhe67mv6uw7isjs2udda._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251005-hdtgbscp9s/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f88aa064da17/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.36

Link:

https://yomi.yoroi.company/submissions/f88aa064da17427cee044401a23918bb616950b2a1c9efb2bea5be89265aa0c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.