MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e525ee0298f64817f7a0e84a31063ee4d76bd6a9cd884aea15cb2f2b4b62121. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9



SHA256 hash: 7e525ee0298f64817f7a0e84a31063ee4d76bd6a9cd884aea15cb2f2b4b62121
SHA3-384 hash: 79550dd2920fecd1e06fdb068e0ca490399a52d1690e6f5790ad34bda11519bb237d92219fe3ecb181afcab08830a68b
SHA1 hash: 06085a8ca560759eb2bbd59d888aa4d128fe36ab
MD5 hash: c7925e6bc1f9072849356e7fe573587b
humanhash: speaker-pluto-mango-salami
File name: ohshit.sh
Signature: Mirai
File size: 2'794 bytes
First seen: 2026-03-17 09:03:51 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 12:JCkp0FNPiDeuKp0FNoDUh2Kp0FNZDl42Kp0FNdDpZKp0FNPDbdlKp0FNQexDQetg:ItUG33jpye+ejDJTOkahS37eXTpv7wNC
TLSH: T17B5161CA339606306F769EB7B2B50945B4A490A7A9C0D985E8FC3CF9924CE4E20D1683
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URLs contacted by this sample (payload URL | Malware sample (SHA256 hash) | Signature | Tags):

http://45.141.26.73/bins/sora.arc | 9b9832e1543cec7b332c9cc47897d16216d042a2a8ba351130a4c84c3005818a | Mirai | arc elf mirai opendir ua-wget
http://45.141.26.73/bins/sora.x86 | 3247319c4f6220528565e6dc67893af871eb946ce9fb519b46c6a2ccb24dfc31 | Mirai | 32-bit elf mirai x86-32
http://45.141.26.73/bins/sora.x86_64 | 2f94b3aef184e009a4a8a6c1958d44734a0ddf2f29807e2ca2500fb0dbfc512f | Mirai | 64-bit elf mirai x86-64
http://45.141.26.73/bins/sora.i686 | da38555c7e2a1a01ff071455be3b9a50124633aabe902b6aa3ac96f5302b3e4c | Mirai | elf mirai opendir ua-wget x86
http://45.141.26.73/bins/sora.mips | 8d6c715294ff2a9bda70ef9bf4c730280fbca6fe4da717116ecb0ad7d26938ab | Mirai | elf mips mirai opendir ua-wget
http://45.141.26.73/bins/sora.mips64 | n/a | n/a | n/a
http://45.141.26.73/bins/sora.mpsl | d6de8e3161a50b85bd7ba8169ed7374139fe27d08ed4695862a70a012b93e419 | Mirai | elf mips mirai opendir ua-wget
http://45.141.26.73/bins/sora.arm | 6f27a543fd302747782dcab22e7e81ebb1b37b272ff8a460765b856c202c06a5 | Mirai | arm elf mirai opendir ua-wget
http://45.141.26.73/bins/sora.arm5 | 8e102c0c72beeb13e0302ff51629d7e76d659fbf409fff37bacdf94532241a23 | Mirai | arm elf mirai opendir ua-wget
http://45.141.26.73/bins/sora.arm6 | edd2e49303aa96953f7427eb7972348aaca4f48c8cc6498f1c1d97f699db2a25 | Mirai | arm elf mirai opendir ua-wget
http://45.141.26.73/bins/sora.arm7 | 4cf1333f5de389e2627636314215400ad59fdb34bca093d2e4e4ac8667cd9a29 | Mirai | arm elf mirai opendir ua-wget
http://45.141.26.73/bins/sora.ppc | dd37c287059afdf784e603100a2313eb5db5f393d360577d60e29fd38d18e091 | Mirai | elf mirai opendir PowerPC ua-wget
http://45.141.26.73/bins/sora.sparc | n/a | n/a | n/a
http://45.141.26.73/bins/sora.m68k | d07c62f2e31fdb1d62c42c2bbaa0b3140ea79218220525b784bbf399307457f9 | Mirai | elf m68k mirai opendir ua-wget
http://45.141.26.73/bins/sora.sh4 | 3f78233884ca029b470e74c40554927465ebf539ebe8c119779f22dc8ffd1473 | Mirai | elf mirai opendir SuperH ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 90
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: busybox medusa mirai

Verdict: Malicious
File Type: unix shell
Detections: HEUR:Trojan-Downloader.Shell.Agent.c HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen
Status: terminated
Behavior Graph:
(process graph, recovered from the rendered figure as text)
  /usr/bin/sudo (pid 3659) --execve--> /tmp/sample.bin (pid 3666)
  /tmp/sample.bin (pid 3666) repeatedly spawns, in cycles: /usr/bin/cp, /usr/bin/wget (net, send-data, write-file), /usr/bin/curl (net, send-data, write-file), /usr/bin/cat, /usr/bin/chmod, /usr/bin/bash (clone), /tmp/FuckYou (execve)
  each wget/curl child sends 89-143 B to 45.141.26.73:80 (the payload download attempts)
  /tmp/FuckYou (pid 4454; delete-file, net) connects to 8.8.8.8:53 and clones further /tmp/FuckYou children (pids 4459, 4740, 4991, 4992)
  /tmp/FuckYou child pid 4992 (net, send-data, zombie) connects to 8.8.8.8:53 and sends 210 B to 45.141.26.73:3778
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-03-17 09:04:22 UTC
File Type: Text (Shell)
AV detection: 15 of 22 (68.18%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx
Behaviour:
  Reads runtime system information
  System Network Configuration Discovery
  Writes file to tmp directory
  Changes its process name
  Checks CPU configuration
  UPX packed file
  Writes file to system bin folder
  File and Directory Permissions Modification
  Executes dropped EXE
  Modifies Watchdog functionality
  Mirai
  Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File type: sh
SHA256: 7e525ee0298f64817f7a0e84a31063ee4d76bd6a9cd884aea15cb2f2b4b62121 (this sample)

Delivery method
Distributed via web download

Comments