MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46de421734f272934e7f6b69db826d4f74db727e89d15a7884420bb625b6679f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8



SHA256 hash: 46de421734f272934e7f6b69db826d4f74db727e89d15a7884420bb625b6679f
SHA3-384 hash: ba4df8291d6cdce78ef6bb76a851b6fe7053b12680c6651f3306e793abefd094616adea00e21c0a9092cfd89a38158ab
SHA1 hash: d21890717b5d34310114e00e7cbb7ecd1e2e2c24
MD5 hash: 443c92484e4f5903d9cf693549b10e90
humanhash: vegan-fix-tango-bacon
File name: 1.sh
Signature: Mirai
File size: 3'344 bytes
First seen: 2026-02-23 07:20:17 UTC
Last seen: 2026-02-23 19:40:45 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:i1qZ1r31s91bf1xL1tL1/g/11eR1dvL1SDJ1zf1XD1Q11dudBgJs1bjk:iGtwt/3oyjLeBpMTiBgJs5k
TLSH: T19D615DF7034147335CEB89D632AA4425664C84DBA8DF0F7A9BECA8E68C4EEC87C41651
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 2
# of downloads: 54
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive medusa mirai virus
Status: terminated
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-02-23 00:37:22 UTC
File Type: Text (Shell)
AV detection: 22 of 36 (61.11%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet credential_access defense_evasion discovery execution linux persistence upx
Behaviour
Command and Scripting Interpreter: Unix Shell
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Reads process memory
UPX packed file
Enumerates active TCP sockets
Enumerates running processes
Modifies init.d
Modifies rc script
File and Directory Permissions Modification
Executes dropped EXE
Mirai
Mirai family
Malware Config
C2 Extraction: last.galaxias.cc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Mirai
sh 46de421734f272934e7f6b69db826d4f74db727e89d15a7884420bb625b6679f (this sample)

Delivery method: Distributed via web download
