MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5079206433607fd6dc1af3bf52cedce1a3be292048ada3338620fe9aee26283a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai
Vendor detections: 8

SHA256 hash: 5079206433607fd6dc1af3bf52cedce1a3be292048ada3338620fe9aee26283a
SHA3-384 hash: b2548fd1fd45ca888e733c5f36f676656e7c4d5a12960c1eee933137b2272e5f614e644d4b3eb2de482413b8e1eef36c
SHA1 hash: f3ed2160a79e50a5d296b4acceb2de7925a1a205
MD5 hash: cc1760c1a898dd5fee088d7e37f30eb2
humanhash: nebraska-comet-idaho-blue
File name: ohshit.sh
Signature: Mirai
File size: 2'794 bytes
First seen: 2026-03-12 01:51:23 UTC
Last seen: 2026-03-14 08:45:46 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:iEzLmzLVzLVzL7zL5zLtxEzLazLVzL6zLTzLtzLBzL4zLIz:iE3m3V3V37353LE3a3V363T3t3B343Iz
TLSH: T1EB5140D6F75206306F7AAEA7B9B64805B19990A39DD0A906F4FC7CFD528CE0C30906C3
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://45.141.26.73/bins/sora.arc | 9b9832e1543cec7b332c9cc47897d16216d042a2a8ba351130a4c84c3005818a | Mirai | arc elf mirai opendir ua-wget
http://45.141.26.73/bins/sora.x86 | 3247319c4f6220528565e6dc67893af871eb946ce9fb519b46c6a2ccb24dfc31 | Mirai | 32-bit elf mirai x86-32
http://45.141.26.73/bins/sora.x86_64 | 2f94b3aef184e009a4a8a6c1958d44734a0ddf2f29807e2ca2500fb0dbfc512f | Mirai | 64-bit elf mirai x86-64
http://45.141.26.73/bins/sora.i686 | da38555c7e2a1a01ff071455be3b9a50124633aabe902b6aa3ac96f5302b3e4c | Mirai | elf mirai opendir ua-wget x86
http://45.141.26.73/bins/sora.mips | 8d6c715294ff2a9bda70ef9bf4c730280fbca6fe4da717116ecb0ad7d26938ab | Mirai | elf mips mirai opendir ua-wget
http://45.141.26.73/bins/sora.mips64 | n/a | n/a | n/a
http://45.141.26.73/bins/sora.mpsl | d6de8e3161a50b85bd7ba8169ed7374139fe27d08ed4695862a70a012b93e419 | Mirai | elf mips mirai opendir ua-wget
http://45.141.26.73/bins/sora.arm | 6f27a543fd302747782dcab22e7e81ebb1b37b272ff8a460765b856c202c06a5 | Mirai | arm elf mirai opendir ua-wget
http://45.141.26.73/bins/sora.arm5 | 8e102c0c72beeb13e0302ff51629d7e76d659fbf409fff37bacdf94532241a23 | Mirai | arm elf mirai opendir ua-wget
http://45.141.26.73/bins/sora.arm6 | edd2e49303aa96953f7427eb7972348aaca4f48c8cc6498f1c1d97f699db2a25 | Mirai | arm elf mirai opendir ua-wget
http://45.141.26.73/bins/sora.arm7 | 4cf1333f5de389e2627636314215400ad59fdb34bca093d2e4e4ac8667cd9a29 | Mirai | arm elf mirai opendir ua-wget
http://45.141.26.73/bins/sora.ppc | dd37c287059afdf784e603100a2313eb5db5f393d360577d60e29fd38d18e091 | Mirai | elf mirai opendir PowerPC ua-wget
http://45.141.26.73/bins/sora.sparc | n/a | n/a | n/a
http://45.141.26.73/bins/sora.m68k | d07c62f2e31fdb1d62c42c2bbaa0b3140ea79218220525b784bbf399307457f9 | Mirai | elf m68k mirai opendir ua-wget
http://45.141.26.73/bins/sora.sh4 | 3f78233884ca029b470e74c40554927465ebf539ebe8c119779f22dc8ffd1473 | Mirai | elf mirai opendir SuperH ua-wget

Intelligence


File Origin
# of uploads: 4
# of downloads: 80
Origin country: DE
Vendor Threat Intelligence
No detections
Status: terminated
Behavior Graph: [process graph rendering; recoverable content follows]
  /usr/bin/sudo (pid 2500) execve /tmp/sample.bin (pid 2508).
  /tmp/sample.bin execve /usr/bin/cp, /usr/bin/wget (net, send-data, write-file), /usr/bin/curl (net, send-data, write-file), /usr/bin/cat and /usr/bin/chmod; clone /usr/bin/bash; execve /tmp/Chaotic (delete-file, net). The wget, curl, bash, chmod, /tmp/Chaotic sequence repeats many times through the trace.
  Network: each wget and curl child sends 89 to 143 B to 45.141.26.73:80. /tmp/Chaotic (pid 2940) connects to 8.8.8.8:53 and clones further /tmp/Chaotic processes; one child (pid 3199, net, send-data, zombie) connects to 8.8.8.8:53 and sends 205 B to 45.141.26.73:3778.
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-03-12 01:52:27 UTC
File Type: Text (Shell)
AV detection: 22 of 36 (61.11%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
UPX packed file
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders
Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Mirai, sh 5079206433607fd6dc1af3bf52cedce1a3be292048ada3338620fe9aee26283a (this sample)

Delivery method: Distributed via web download

Comments