MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0eb5e64496adbe94b4ffc0627a76fc23743fdd6a8d989d6e85addac71980be33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

SHA256 hash: 0eb5e64496adbe94b4ffc0627a76fc23743fdd6a8d989d6e85addac71980be33
SHA3-384 hash: 6fd2f4614ccb3ef50383c161bf96db3bf2408910ad77f8673e8048837d850dda6970d30b7ee0017b8fbe48cf3346314d
SHA1 hash: 7473b9deec53e21fc2df61eebb70adf37abc13ef
MD5 hash: 3b22805fe7dac258606f952e8dc42754
humanhash: arizona-edward-bravo-carolina
File name: pulse
Signature: Mirai
File size: 4'830 bytes
First seen: 2025-11-24 18:02:49 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vUhMV4kIUq1V4cUrHrWV4TUNoV45UEpEEV4ElUJkV4FUq1V4cUOZV4AUzSV4jUDH:vbmp9PiLuzOEplbQZ5b7DyjI1rDvDgRI
TLSH: T1D1A10BE675B5977A6DB0ED7371D6C642B18070A6E0D68D0BF2D1F0E8084EFA1F484B82
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 44
Origin country: DE
Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: medusa mirai

Verdict: Malicious
File Type: unix shell
First seen: 2025-11-24T15:10:00Z UTC
Last seen: 2025-11-25T00:57:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen, HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph: rendered process graph (raw graph data not reproduced). The sample is launched via sudo and repeatedly spawns wget, curl, cat, chmod and bash; the wget and curl children send data to 158.94.210.88:80.
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-11-24 18:03:23 UTC
File Type: Text (Shell)
AV detection: 24 of 38 (63.16%)
Threat level: 3/5

Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  System Network Configuration Discovery
  Writes file to tmp directory
  Checks CPU configuration
  File and Directory Permissions Modification
  Executes dropped EXE

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery: Web download
Signature: Mirai
File type: sh
SHA256: 0eb5e64496adbe94b4ffc0627a76fc23743fdd6a8d989d6e85addac71980be33 (this sample)

Delivery method
Distributed via web download
