MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e2b81bdfe105501e7ea4375bd7dce670f368421e28cc820590d90d3796c953e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai
Vendor detections: 6

SHA256 hash: 1e2b81bdfe105501e7ea4375bd7dce670f368421e28cc820590d90d3796c953e
SHA3-384 hash: 5c04786a3e5fd8846efa338cbd93f29aed481d7a04f740881b9576266b29b2b075c32953b37d8e10b7b101b037980286
SHA1 hash: 03497edf5e1db0e71d4b2f3ea68fabeccff321d8
MD5 hash: 83e4fc6a53b77f1fe5537b37847be151
humanhash: princess-gee-bravo-oven
File name: 1.sh
Signature: Mirai
File size: 3'314 bytes
First seen: 2025-07-04 22:36:40 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:ItfMwZsft9bhf2KkfdNlff7bmsffHTf3a3GgJf4k6fPXnLfZaZNIpKksfF1MEfRE:iwhuxfzPU1cHL6JhRatKBgJspk
TLSH: T1926180FA03424633ADBACED7B2A8C404615D40DBE5CE5FB95BED28F40C8CEC96C45A52
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URLs served by the dropper and the samples they delivered (one row per URL; columns: URL | Malware sample (SHA256 hash) | Signature | Tags):

http://196.251.86.61/00101010101001/morte.x86 | 4fef063a9f02ba436aa8231ae6e68833cc7007d4acd4c911b0742fc6edb7f3e0 | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.mips | a81cd95a99e545fa8df1f913d95d4609dcae0c7933e1b5012a728b9ea9f4e46c | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.arc | 475367b6e70877052c1d83cb21a6542e9e023667e8a669b3983a9f7c70febacb | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.i468 | n/a | n/a | n/a
http://196.251.86.61/00101010101001/morte.i686 | 502887af7e3bae97358328e359486004ac2e72a31500b26fb98b6a672d75fef9 | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.x86_64 | 5f40e73a84e77e83a454da3ee487429836e3bdec4ceffc19d0d26c4901a911dd | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.mpsl | f4d2edf5cb22fd836842fb0c277395557f3a1329cc90c280cc12839c3e6fd72c | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.arm | 0e1c862fb7b3927bbf3f71b5c83949151be2dfedd584eb482c173ce2e851dd3f | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.arm5 | a67885abc3a05d82c9083e3df77c227e91f38aa242bc9988caf35b3a447ca596 | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.arm6 | 61dfc5c73839259cb55254701e29c43307b89acaecf4c14b51be5d209ce80d5b | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.arm7 | 95d5407a92ac4b36ed3d0f10b3fb494fed6ae21491b9f5fce152b85b78fb2e12 | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.ppc | 437732d5bde3a06c54a001342f0ad3735088bc10d3aaeb69d038520c3a00a9db | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.spc | b98844c282ecfff203dabee396106d9726de54c4821bd35208239f7621d774b9 | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.m68k | 7c5e6035418ce9f52bdb00eaff5e23d3d7a41f7a75554249c6cf6e44ce34ae3f | Mirai | mirai opendir
http://196.251.86.61/00101010101001/morte.sh4 | e0fadfca7d4f0704722720c739c817d05fa639fdbb6edbd961d0083f73342c80 | Mirai | mirai opendir

Intelligence


File Origin
# of uploads: 1
# of downloads: 18
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: downloader trojan agent
Status: terminated
Behavior Graph (sandbox process tree rendered as text; sandbox-internal node ids dropped, PIDs kept; bracketed items are the behaviour flags the sandbox attached to each process):

/usr/bin/sudo (pid 2768)
  execve -> /tmp/sample.bin (pid 2773)
    execve -> /usr/bin/cp (pid 2775)
    then, once per payload URL, the same cycle repeats 15 times:
      execve -> /usr/bin/wget [net, send-data, write-file] (pids 2785, 2822, 2847, 2897 (net, send-data only), 2928, 3169, 3194, 3218, 3224, 3256, 3272, 3285, 3305, 3320, 3338)
      execve -> /usr/bin/curl [net, send-data, write-file] (pids 2793, 2833, 2861, 2907, 2935, 3177, 3201, 3219, 3229, 3266, 3273, 3294, 3306, 3327, 3348)
      execve -> /usr/bin/chmod (pids 2813, 2843, 2882, 2923, 2946, 3185, 3214, 3220, 3247, 3268, 3279, 3301, 3314, 3334, 3365)
      execve -> the dropped payload, in three of the cycles:
        /tmp/morte.x86 (pid 2815) [net]
        /tmp/morte.i686 (pid 2948) [net]
        /tmp/morte.x86_64 (pid 3187) [mprotect-exec, net]
      clone -> /usr/bin/bash in the other twelve cycles (pids 2844, 2884, 2925, 3215, 3221, 3249, 3269, 3281, 3302, 3315, 3335, 3367)
      execve -> /usr/bin/rm [delete-file] (pids 2820, 2846, 2888, 2926, 3167, 3192, 3217, 3223, 3254, 3271, 3284, 3304, 3319, 3337, 3374)

Children of the executed payloads:
/tmp/morte.x86 (pid 2815)
  clone -> /tmp/morte.x86 (pid 2816)
  clone -> /tmp/morte.x86 (pid 2818) [delete-file, dns, net, send-data, zombie]
    clone -> /tmp/morte.x86 (pid 2819)
/tmp/morte.x86_64 (pid 3187)
  clone -> /tmp/morte.x86_64 (pid 3188)
  clone -> /tmp/morte.x86_64 (pid 3189) [dns, net, send-data, zombie]
    clone -> /tmp/morte.x86_64 (pid 3190)

Network endpoints (process -> destination, bytes sent where recorded):
196.251.86.61:80 <- wget 2785 (152 B), curl 2793 (101 B), wget 2822 (153 B), curl 2833 (102 B), wget 2847 (152 B)
jbvpshosti.ink:80 <- curl 2861 (101 B), wget 2897 (153 B), curl 2907 (102 B), wget 2928 (153 B), curl 2935 (102 B), wget 3169 (155 B), curl 3177 (104 B), wget 3194 (153 B), curl 3201 (102 B), wget 3218 (152 B), curl 3219 (101 B), wget 3224 (153 B), curl 3229 (102 B), wget 3256 (153 B), curl 3266 (102 B), wget 3272 (153 B), curl 3273 (102 B), wget 3285 (152 B), curl 3294 (101 B), wget 3305 (152 B), curl 3306 (101 B), wget 3320 (153 B), curl 3327 (102 B), wget 3338 (152 B), curl 3348 (101 B)
8.8.8.8:53 <- morte.x86 2815 (connect), morte.x86 2818 (32 B), morte.i686 2948 (connect), morte.x86_64 3187 (connect), morte.x86_64 3189 (32 B)
jbvpshosti.ink:12121 <- morte.x86 2818 (15 B), morte.x86_64 3189 (22 B)
0.0.0.0:12121 <- morte.i686 2948 (connect)
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-07-04 22:37:17 UTC
File Type: Text (Shell)
AV detection: 16 of 24 (66.67%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet credential_access defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads process memory
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File type: sh
SHA256 hash: 1e2b81bdfe105501e7ea4375bd7dce670f368421e28cc820590d90d3796c953e (this sample)
