MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 101d740fef21b3d8e827f9245bcbfbfd5f73273e8b6ef1125ac98539e3f8e0e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8



SHA256 hash: 101d740fef21b3d8e827f9245bcbfbfd5f73273e8b6ef1125ac98539e3f8e0e2
SHA3-384 hash: 8d62f85c564de61de2bd647083faca6c6b0bbb9d0e84867963070481ad662a53b4ec4e414b4d5ac6003bc43ba8490a64
SHA1 hash: 74be0dabbcbc5ca2267090ca35eeaa061dfecb01
MD5 hash: b9ac06a1df6f5d60b5338406bd3699d2
humanhash: stairway-mars-diet-early
File name: ohshit.sh
Signature: Mirai
File size: 3'754 bytes
First seen: 2026-01-13 17:48:25 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 96:i4Pc34dc34okx340e34ey340AB34TtE34JY344e34V234m+34Sm346W34jC34u+W:XPcIdcIokxI0eIeyI0ABITiIJYI4eIVr
TLSH: T1F8714FA6CA0211781C5557B2BDBA11BAF149E3E334E7FB0FBA982CF4618DF015485DD2
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 59
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox medusa mirai

Verdict: Malicious
File Type: unix shell
First seen: 2026-01-08T19:25:00Z UTC
Last seen: 2026-01-14T12:48:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen
Status: terminated
Behavior Graph: sandbox process graph (rendering not reproduced); it shows /tmp/sample.bin launched via sudo, spawning cp, wget, curl, cat, chmod and bash, and repeatedly executing the dropped /tmp/Chaotic, which clones worker processes and makes DNS and outbound network connections.
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-01-08 22:52:50 UTC
File Type: Text (Shell)
AV detection: 22 of 36 (61.11%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx
Behaviour:
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
UPX packed file
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File type: sh
SHA256 hash: 101d740fef21b3d8e827f9245bcbfbfd5f73273e8b6ef1125ac98539e3f8e0e2 (this sample)

Delivery method
Distributed via web download

Comments