MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d89432d9c4d27cb87145db6737ea4bb7d3c4ac8b4952b4e2c5b9e94faa7d05b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

SHA256 hash: 1d89432d9c4d27cb87145db6737ea4bb7d3c4ac8b4952b4e2c5b9e94faa7d05b
SHA3-384 hash: 1fa0cfc0c41f4617e95dd91bee2d17fad2d82e255848527e69bb427b501af28e4cc4eaf542e8199e65e313db81d0e3d3
SHA1 hash: 5ef8672b028590b0f303ae8bacb1167aaa93ce62
MD5 hash: 5d6b435b49265454d0217efab4138884
humanhash: sink-jig-may-papa
File name: yarn
Signature: Mirai
File size: 4'807 bytes
First seen: 2026-03-27 20:29:52 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vpK8KMV4klpKDK1V4RpKrOKrWV4cpKQKoV4apKE0KEEV4EepKUKkV4+pKDK1V4RT:v37dWbPXDTGEpe7NFajEffjlt0rAjd/I
TLSH: T1D8A182E974B4A36B2DA0ED7375D6CA42F14021A7E0C91C0FE6D6F0E9498CF61F494B86
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 83
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: medusa mirai

Verdict: Malicious
File Type: unix shell
First seen: 2026-03-27T17:39:00Z UTC
Last seen: 2026-03-28T08:09:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph:
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-03-27 20:30:36 UTC
File Type: Text (Shell)
AV detection: 18 of 24 (75.00%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:unstable antivm botnet defense_evasion discovery linux

Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Enumerates active TCP sockets
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (63739) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family

Malware Config
C2 Extraction:
cnc.504.su
scan.504.su
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Mirai
sh 1d89432d9c4d27cb87145db6737ea4bb7d3c4ac8b4952b4e2c5b9e94faa7d05b (this sample)

Delivery method: Distributed via web download

Comments