MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 65d60f4a208eb2dedea7e6c091bd505862ae97d1c8ccafc7d7212c796a0f59b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

SHA256 hash: 65d60f4a208eb2dedea7e6c091bd505862ae97d1c8ccafc7d7212c796a0f59b7
SHA3-384 hash: 47480d24220b8dffd084057c7602ea35956f17221d63baa68b660bf0b816b826c509ba84b4ed74156e656fc903e9c554
SHA1 hash: 3c79631c853500030a8e290c80f35240e7c4c3d5
MD5 hash: ce6dc48e47d481b66a961e667f6a6f6a
humanhash: don-lithium-undress-cola
File name: 1.sh
Download: download sample
Signature: Mirai
File size: 2'329 bytes
First seen: 2025-09-25 18:13:48 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:143F4JU1LMdcKMe8/fvR2M5pIiSWO6NXCmCQ3gSv:bpRQ3gSv
TLSH: T19E41C6F6A38BCB03D27D8BCA3E650406B015C36BB49F8734DCE9FAC90490E8C7155A85
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 38
Origin country: DE

Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: busybox

Verdict: Malicious
File Type: unix shell
First seen: 2025-09-21T07:54:00Z UTC
Last seen: 2025-09-21T07:54:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Threat name: Linux.Trojan.Vigorf
Status: Malicious
First seen: 2025-09-21 13:29:16 UTC
File Type: Text (Shell)
AV detection: 14 of 38 (36.84%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet credential_access defense_evasion discovery linux persistence upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Reads process memory
UPX packed file
Enumerates active TCP sockets
Enumerates running processes
Modifies init.d
Modifies rc script
File and Directory Permissions Modification
Executes dropped EXE
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

File type: sh
SHA256 hash: 65d60f4a208eb2dedea7e6c091bd505862ae97d1c8ccafc7d7212c796a0f59b7 (this sample)
Signature: Mirai

Delivery method: Distributed via web download

Comments