MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ff10b3508b2978df36801e49f5b63dd6ee7e599269aabcb0d8e478383b83e94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mirai
Vendor detections: 8



SHA256 hash: 7ff10b3508b2978df36801e49f5b63dd6ee7e599269aabcb0d8e478383b83e94
SHA3-384 hash: caa2b4b63ab96c10d85623dc482b66077b0f06a4a9e7ef32b29043e5bba2ceffe91edcb237ca11e4b077e4543983f647
SHA1 hash: 0c80514d243e5920f5dbe9b0d3b5d2877c2aa08e
MD5 hash: 73751496ca14824fce4a404002dded80
humanhash: bacon-alpha-cold-summer
File name: hnap
Signature: Mirai
File size: 4'816 bytes
First seen: 2025-10-12 11:30:44 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:v8ZMV4kRW8C1V4NW8rXrWV44W8NoV4yW8EhEEV4E2W8BkV4WW8C1V4NW8eZV4JWJ:vDCpj3mTKL2EprboJ3r1zWbA1F7RbYJK
TLSH: T181A128E9747493AE6DB1ED7325C6C652B14171AAE4D64C0AE3E1F0E8084EF61F4E4BC2
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
IOCs (payload URLs dropped by this script, with the sample each URL delivered):

URL | Malware sample (SHA256 hash) | Signature | Tags
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86 | 924b4daa3d183fc7d1312a17b68aa952c8d0136918478730cd95623bb1890ed9 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips | 4e06ece7ae576417a8dc0e419b8782ce0860cd9e90bc947b4c118e2a52786304 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl | 6294a0eb4ee65e6ba006a024522658107ec8753f6d3df2dc7309776199da65e7 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm | 236fa5092bd06813996532ef793834e31a69ed1e576599eaa97bcf8fb7db9b61 | Mirai | elf mirai
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5 | dc06d5d4daab1b23eef11b6eac8da75bafa7e75a7e44d60fb14c9db8199c7553 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6 | 41e5adc3527479d2bee1a3bb4c590899d40713df8fd20e0871a8f2e46a7afedd | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7 | 6d65317a9d29fdfee8ff125c78705186155fdb0162f3d13890c43b971bdf6586 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc | cd58c26a61496c5f2091a6e51f6d2764a61073bf619bdd2322be5379b519c71d | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k | fa94633bd1d61a6bfaad5d6308f4020013ccc11c9c9fa463e9795485b84ddaf5 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc | 9c08e0232337e3288d21e5f278f98d2a7d514763b85aa5d79c3588e81037ec5d | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686 | 4bd20d49002299fd230f3eeddddcf6bf9e81033d15c8519cdfc296723a57b9d3 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4 | 8ac733a14bdcdf3b2543a8e420d2fa224bc067e425ac38ea9d99fbe389f48c44 | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc | 248b6599aebc4e053a68ae502bafc1fec19cc1edcc455a8358e2d3dbe46f0e5e | Mirai | elf mirai ua-wget
http://158.94.209.95/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86_64 | e1872b44f151615dd30c9120e8d8bd8d477212b7188a79478af49ff7df6610a9 | Mirai | elf mirai

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 38
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-10-12T08:52:00Z UTC
Last seen: 2025-10-12T10:34:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph (process tree and network contacts recovered from the graph rendering; the graphic itself is not reproduced here):
- /usr/bin/sudo (pid 2760) execve /tmp/sample.bin (pid 2763)
- /tmp/sample.bin repeatedly execve /usr/bin/wget and /usr/bin/curl (flagged net, send-data, write-file), /usr/bin/cat, /usr/bin/chmod and the dropped binary /tmp/76d32be0 (flagged net), and clones /usr/bin/bash; the wget/curl/bash/chmod/76d32be0 cycle recurs five times (pids 2765-2866, 5238-5245, 5286-5293, 5295-5302, 5304-5311)
- wget (pid 2765) and curl (pid 2791) send 197 B and 146 B to 158.94.209.95:80; wget (pid 2816) and curl (pid 2836) send 198 B and 147 B to cnc.504.su:80; the later wget/curl instances connect to cnc.504.su:80
- each /tmp/76d32be0 instance clones children flagged dns, net, net-scan, send-data and zombie; those children connect to 8.8.8.8:53 (DNS, 28 B and 56 B sends), to cnc.504.su:56999 and to 0.0.0.0:46157, send 40 B to 147.46.46.120:23, and send data to 4097 IP addresses per scanning child (1920 for the last instance; "review logs to see them all")
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-10-12 11:23:22 UTC
File Type: Text (Shell)
AV detection: 18 of 24 (75.00%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:unstable antivm botnet defense_evasion discovery linux upx

Behaviour
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
- Changes its process name
- Checks CPU configuration
- Reads system network configuration
- UPX packed file
- Enumerates active TCP sockets
- Enumerates running processes
- Writes file to system bin folder
- File and Directory Permissions Modification
- Executes dropped EXE
- Modifies Watchdog functionality
- Contacts a large (53000) amount of remote hosts
- Creates a large amount of network flows
- Mirai
- Mirai family

Malware Config
C2 Extraction:
- cnc.504.su
- scan.504.su

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File type: sh
SHA256 hash: 7ff10b3508b2978df36801e49f5b63dd6ee7e599269aabcb0d8e478383b83e94 (this sample)