MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bbef0ab2f04aa5cc5290ee8351bd3c33998916f3b21c6fe9dfd398435cf221f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9



SHA256 hash: 3bbef0ab2f04aa5cc5290ee8351bd3c33998916f3b21c6fe9dfd398435cf221f
SHA3-384 hash: ce0d7fdd9df251cbac0551938063835490eb1ea1b97700f322d1dd31068ef4ff376bf0ba8036e861f61d2412f84bcac0
SHA1 hash: 832642bcd8224c14dc287d8b1707ec68035929b8
MD5 hash: 4f8c2b854974e3576a243e0388a2e374
humanhash: alaska-don-louisiana-bravo
File name: ohshit.sh
Signature: Mirai
File size: 2'970 bytes
First seen: 2025-11-10 09:04:23 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vL7Y7N7hLN6GLglzPL9KWL/oUL7/7o7ULf23bLo9RLDcgLkpVLlSOLx+CLGfTL+y:vL7Y7N7hLN6GLglzPL9KWL/oUL7/7o70
TLSH: T17E51068947264C30AD676F33E7B6C13830C690D298E1AFD5D9E6BAF8066EC34B541763
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads :
1
# of downloads :
50
Origin country :
DE
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
medusa mirai
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-11-10T05:30:00Z UTC
Last seen:
2025-11-11T17:51:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p
Status:
terminated
Behavior Graph:
Threat name:
Linux.Downloader.Medusa
Status:
Malicious
First seen:
2025-11-10 07:47:34 UTC
File Type:
Text (Shell)
AV detection:
23 of 36 (63.89%)
Threat level:
  3/5
Result
Malware family:
Score:
  10/10
Tags:
family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Shellscript_Downloader
Author:albertzsigovits
Description:Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 3bbef0ab2f04aa5cc5290ee8351bd3c33998916f3b21c6fe9dfd398435cf221f

(this sample)

  
Delivery method
Distributed via web download

Comments