MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbed589470c7a4a09825f63e2bea9c9218e0a5cbc0a3bf7003fc3465154422d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	fbed589470c7a4a09825f63e2bea9c9218e0a5cbc0a3bf7003fc3465154422d5
SHA3-384 hash:	588ff9a5fb4d30057af52f992c7da070b25d3b0faa073b69892b7b100f9a1eb32622fb5051577a681c6787b83832b04f
SHA1 hash:	a611707a3519d1c2bbc354605c6d6c9ab71c6037
MD5 hash:	5944c9bf2f90ff4a8865eb72f20f8a83
humanhash:	jersey-robert-edward-arizona
File name:	adb
Download:	download sample
Signature	Mirai Create hunting rule
File size:	4'572 bytes
First seen:	2025-02-05 23:36:11 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	96:1xrWcazLh/cOoQe5v64mPzNDgqk8gO5diIkQhTFv:jije5v6PPzN0T8gW7kQhTFv
TLSH	T1D391448C39708B325D61DF28F22A896A705BE1C508A84F1D38ED74BCF5FED44B51059B
Magika	shell
Reporter	abuse_ch
Tags:	Hailbot sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://31.57.102.67/mips	4fc73b02bd0cc4d44ee8da03ce5ab8b74fb67409fb223c3f36b06dc22dc0dd74	Gafgyt	32-bit elf gafgyt mirai
http://31.57.102.67/mpsl	18c99e6db38118a4d50a0bca8dd475f700d3ff172a73fb6a48bdd599d4abae95	Gafgyt	elf gafgyt mirai ua-wget
http://31.57.102.67/x86	ce5797cd8b13c2f33236d3a9a3bc06cd8812b418b8b52d8bc48de1d851c5bd4b	Mirai	elf mirai ua-wget
http://31.57.102.67/arm4	d61588f19991b7c9b60acd508ff38bbbfa4224a818db357afbd67d6109dcd4ac	Mirai	elf mirai ua-wget
http://31.57.102.67/arm5	0b051fb3621726c4525a268f2bb2c12456cc238b0b301c249feb2872177ae517	Mirai	elf mirai ua-wget
http://31.57.102.67/arm6	7789cc1cbd2719df2061b3189a2daef7dc87c0beeb40d54b6857a8e24d991c28	Mirai	elf mirai ua-wget
http://31.57.102.67/arm7	d2ea0eed1f82458ed76a956ca3fd1f72d1c1e29b40a6118d1e5f1e6d78418077	Mirai	elf mirai ua-wget
ftp://1.57.102.67:8021/mips	n/a	n/a	n/a
ftp://1.57.102.67:8021/mpsl	n/a	n/a	n/a
ftp://1.57.102.67:8021/x86	n/a	n/a	n/a
ftp://1.57.102.67:8021/arm4	n/a	n/a	n/a
ftp://1.57.102.67:8021/arm5	n/a	n/a	n/a
ftp://1.57.102.67:8021/arm7	n/a	n/a	n/a
ftp://1.57.102.67:8021/arm6	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67a450b72dcee78dd819ab11linux22vpnfull_triage

Tags:

trojan agent sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox lolbin remote

Link:

https://www.filescan.io/uploads/67a3f627139984df1125cc8e/reports/14690e38-f7a6-4133-92d5-b7a07b42e54e/overview

Verdict:

Malicious

Labled as:

Linux.Medusa.C.Generic

Link:

https://www.hybrid-analysis.com/sample/fbed589470c7a4a09825f63e2bea9c9218e0a5cbc0a3bf7003fc3465154422d5

Result

Verdict:

MALICIOUS

Score:

46%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/fbed589470c7a4a09825f63e2bea9c9218e0a5cbc0a3bf7003fc3465154422d5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fbed589470c7a4a09825f63e2bea9c9218e0a5cbc0a3bf7003fc3465154422d5/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2025-02-05 03:40:26 UTC

File Type:

Text (Shell)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7pwvrfdqy6skbgbf6y7cx2u4simobjolycr364ad7q2gkfkeelkq._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fbed589470c7a4a09825f63e2bea9c9218e0a5cbc0a3bf7003fc3465154422d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.