MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0eb5e64496adbe94b4ffc0627a76fc23743fdd6a8d989d6e85addac71980be33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

SHA256 hash: 0eb5e64496adbe94b4ffc0627a76fc23743fdd6a8d989d6e85addac71980be33
SHA3-384 hash: 6fd2f4614ccb3ef50383c161bf96db3bf2408910ad77f8673e8048837d850dda6970d30b7ee0017b8fbe48cf3346314d
SHA1 hash: 7473b9deec53e21fc2df61eebb70adf37abc13ef
MD5 hash: 3b22805fe7dac258606f952e8dc42754
humanhash: arizona-edward-bravo-carolina
File name: pulse
Signature: Mirai
File size: 4'830 bytes
First seen: 2025-11-24 18:02:49 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vUhMV4kIUq1V4cUrHrWV4TUNoV45UEpEEV4ElUJkV4FUq1V4cUOZV4AUzSV4jUDH:vbmp9PiLuzOEplbQZ5b7DyjI1rDvDgRI
TLSH: T1D1A10BE675B5977A6DB0ED7371D6C642B18070A6E0D68D0BF2D1F0E8084EFA1F484B82
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86 | 06f6c2e48fe50cc39e412f309f22053e06db1aae20c68452dbc0c813bacfaa97 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips | abb44bb778d3eb33722c8ff7858138a4353d8f46c73995602d2d84715e295b18 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl | 9e715465d9cc0b6987d27bc3bdc7abe122bca168ff708d2ec0c2441263ad70fe | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm | 2de20b3347d90622f88ecd1675c009ab4b3a00eb12b454f72bc30d8f37511c26 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5 | 2e1e849fc65cd435d469dcfea490d2481eff33e553e0960cd9e0456ae50c0bf9 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6 | 19f25bc863a4691eae2074524c2f6624e9a735920f19d0adb745870addce4aa0 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7 | da87a874b834cfb9fc525ce39cd6c8ac65e118c0f401a9fbe9107bdc9c61dbe2 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc | 961a10b6fcdd3bf9cb2eb496ea4458bac31b6891f1cdce4af92b3aa6dfa9e93f | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k | f4b928db067a0faa140e8fa79a2338315d998130414088617eaac7cc216872f7 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc | 44ab9070ccf7753d5e0cd3eba8625f2eed3e4f382bcb5789049efd299d84e633 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686 | f9d11add2e36cc30580e4e9ff6886a4235188b9132ce02f127ed02b06b578eee | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4 | 79e05b52966b9df23bd75d3b953b346c354916469522876a7f1bc653f8146261 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc | 294e36334bce82e0ea0289773fb352aa6ebc5d3572d2d15839846a953c9469c4 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86_64 | n/a | n/a | n/a

Intelligence


File Origin
# of uploads: 1
# of downloads: 42
Origin country: DE
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: medusa mirai

Verdict: Malicious
File Type: unix shell
First seen: 2025-11-24T15:10:00Z UTC
Last seen: 2025-11-25T00:57:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph (process graph, summarised from the sandbox rendering):
  /usr/bin/sudo (pid 3067)
    execve -> /tmp/sample.bin (pid 3072)
      14 repetitions of the same cycle (child pids 3074 to 3548):
        execve -> /usr/bin/wget  (net, send-data)
        execve -> /usr/bin/curl  (net, send-data, write-file)
        execve -> /usr/bin/cat
        execve -> /usr/bin/chmod
        clone  -> /usr/bin/bash
  Network: every wget and curl child connects to 158.94.210.88:80; the wget children send 197-200 B each, the curl children 146-149 B each.
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-11-24 18:03:23 UTC
File Type: Text (Shell)
AV detection: 18 of 24 (75.00%)
Threat level: 3/5

Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  System Network Configuration Discovery
  Writes file to tmp directory
  Checks CPU configuration
  File and Directory Permissions Modification
  Executes dropped EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Web download | Mirai | sh | 0eb5e64496adbe94b4ffc0627a76fc23743fdd6a8d989d6e85addac71980be33 (this sample)

Delivery method: Distributed via web download

Comments