MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39c16c4e55c36bae4d1444cddde77b8e8ba449a7be6528dda304f939d45cd775. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9



SHA256 hash: 39c16c4e55c36bae4d1444cddde77b8e8ba449a7be6528dda304f939d45cd775
SHA3-384 hash: 148864cd302ce7e832a52e3f7fc0122ea80baa01c1cf9ea01c53747805c774001639bde4ea1602025c3ce01b38772e58
SHA1 hash: c9d6adf0d70b2cc722f3b8ae55974617208040e0
MD5 hash: 9fd6a5149f65e0c4c5093582e3294044
humanhash: michigan-carbon-violet-fourteen
File name: sora.sh
Signature: Mirai
File size: 2'723 bytes
First seen: 2026-01-13 19:04:46 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:vSJnJXOSSJKJDaIOSSJkJvOSSJCJ3OSSJcJfOSSJlTnJlkaUoOSSJVJSoOSSJsJc:v+RXRhRnRRRAVRJoRxRsRHRTRk0RaRne
TLSH: T12051468A730807326FF35EEE7E768498B1D0E1525DC4A906E5EC78B9C58FF087451563
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 43
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: medusa mirai

Result
Gathering data

Verdict: Malicious
File Type: unix shell
First seen: 2026-01-13T15:28:00Z UTC
Last seen: 2026-01-13T15:48:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.c HEUR:Trojan-Downloader.Shell.Agent.a

Status: terminated

Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2026-01-13 19:05:31 UTC
File Type: Text (Shell)
AV detection: 22 of 36 (61.11%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:sora antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
UPX packed file
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (46798) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 39c16c4e55c36bae4d1444cddde77b8e8ba449a7be6528dda304f939d45cd775

(this sample)

  
Delivery method
Distributed via web download
