MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ee89245c6dd3edd3e14f8bc52c866757ad98b97955b181d0cd5dc719004b893. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8



SHA256 hash: 2ee89245c6dd3edd3e14f8bc52c866757ad98b97955b181d0cd5dc719004b893
SHA3-384 hash: 1596fb7c5bb817002e8a8059888f8799b4725cd26ec0d880ed4aee6f45ac2269a7cbbc7913051201706181407b7ef292
SHA1 hash: 3baf171f6a9801539e7947cb2a6e6a6d84a240bd
MD5 hash: 9fbd8c89c715eb98f633f558951258be
humanhash: utah-uniform-lactose-snake
File name: nz.sh
Signature: Mirai
File size: 2'789 bytes
First seen: 2026-03-30 00:28:58 UTC
Last seen: 2026-03-30 06:56:46 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:ItOsDPIhOE93VArPs8NTYTGF7JY2GACLnyNINks0ryjlTzyUp17J:iPdE93CQ8NTYTGFljCLdJ0rulTzVHF
TLSH: T1CD51B5C751015F723D52DE2276BD484830BEA89A6DD79FE558DCB8B4408CE0D3C4AE9E
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 3
# of downloads: 61
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2026-03-29T21:33:00Z UTC
Last seen: 2026-03-30T22:56:00Z UTC
Hits: ~10
Status: terminated
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-03-30 00:29:40 UTC
File Type: Text (Shell)
AV detection: 21 of 36 (58.33%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Modifies Watchdog functionality
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 2ee89245c6dd3edd3e14f8bc52c866757ad98b97955b181d0cd5dc719004b893

(this sample)

  
Delivery method
Distributed via web download
