MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 774296dc835184ef72238da2e6b2a04af6928cca5342ecf878cd22444bde7d79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: 774296dc835184ef72238da2e6b2a04af6928cca5342ecf878cd22444bde7d79
SHA3-384 hash: 073a1b18f13aa2dbb370b13ed339e6bbdbdd8a71c36303d0bd479eb58f43510a048b406adfe9ffe4bcb8717ebb7a9a58
SHA1 hash: 3e409bb0182ce77a916f68c3b31ee5e1898002ed
MD5 hash: 1cd158832d970d3bb9ff72f345f17889
humanhash: single-saturn-coffee-fanta
File name: pay
Signature: Mirai
File size: 2'053 bytes
First seen: 2025-07-09 08:51:19 UTC
Last seen: 2025-07-10 03:28:19 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:v1v/R1xMxl9R16NK6G9R1VZVdtR1opR1YMYU9R1WhR1M5R19x9ycR1gZe:vzbwlfMDGfPDFS+9Ufg6H7y2Z
TLSH: T1074186858943C0B66CBA8F33E169C564719D64D3B9C06D2258EE7CFAC48DF047C64AA3
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags

Intelligence


File Origin
# of uploads: 2
# of downloads: 27
Origin country: DE
Vendor Threat Intelligence
Status: terminated
Behavior Graph:
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-07-09 08:52:49 UTC
File Type: Text (Shell)
AV detection: 23 of 38 (60.53%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:demons antivm botnet defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Enumerates active TCP sockets
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 774296dc835184ef72238da2e6b2a04af6928cca5342ecf878cd22444bde7d79

(this sample)
