MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c56ffe87500ec00101d008998df9e93bd0f640c1cb9624ef50a5ba0f112e601. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5



SHA256 hash: 1c56ffe87500ec00101d008998df9e93bd0f640c1cb9624ef50a5ba0f112e601
SHA3-384 hash: 2e7be3fe81b9de5209b806f1980c1884ef6960cacc8dbbe4c255b2e6938186ef1e3c5fae71f102e49d9016cc0f774976
SHA1 hash: 747a5762fe0840904ca4d4a1ef93c96b294abb22
MD5 hash: 14c1ab8b9a0f3b121c87d7cf87766d3e
humanhash: shade-solar-georgia-ack
File name: test.sh
Signature: Mirai
File size: 2'609 bytes
First seen: 2025-08-15 21:29:59 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 48:UeGKGbse9wseGTGU/seh30seahserOsezSzBsepBp0seOnseCzseftYseZ2/se8j:UlRQEycqUcIK4qSmtEF
TLSH: T16751A5CD2B215E74ED57DA33B1AB4408B1A0A4B374894F0759FD3CF8C89DF0532A5AA9
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 31
Origin country: DE
Vendor Threat Intelligence
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: HEUR:Trojan-Downloader.Shell.Agent
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-08-15 21:23:05 UTC
File Type: Text (Shell)
AV detection: 21 of 37 (56.76%)
Threat level: 3/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Modifies registry class
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts
Rule name: UNK_install_script
Author: evilcel3ri
Description: Detects a suspicious behaviour in a bash installation script

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 1c56ffe87500ec00101d008998df9e93bd0f640c1cb9624ef50a5ba0f112e601 (this sample)

Delivery method: Distributed via web download

Comments