MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9115fbb78cc1ce44275e44500738a04decb3f51dfc506cbeb224b69ec2876a67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9



SHA256 hash: 9115fbb78cc1ce44275e44500738a04decb3f51dfc506cbeb224b69ec2876a67
SHA3-384 hash: 140191220abcd2d24a99548d11d9ffe9c6076565a157b4906d7bf21d9651b4e1f1e9d055f6f0676adc3ce19cc65a3362
SHA1 hash: a23e8c115e208c16d5ba1dadd4adc54425958853
MD5 hash: d6b0ba27be97eeeeb1a5ea305eb180f7
humanhash: avocado-salami-sixteen-winner
File name: 1.sh
Signature: Mirai
File size: 3'344 bytes
First seen: 2025-12-28 08:14:28 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:iNE3NpFNaE2NE2EGLesNzxNrBNlolxN43NTFLNshJNtlN020y56sNOzNirNFt0:iqBYZ/DcW3Lm5mly56sE8R0
TLSH: T1B56173CAB29603F39DF24BAB72764C4437E4A1E644C6AE15A5DCA4F10A4DD3C740B5D3
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URLs referenced by this sample (payloads downloaded by the script, one per architecture):

URL | Malware sample (SHA256 hash) | Signature | Tags
http://41.216.189.149/HOME/Mark90c80.x86 | e2bcf189c377f8a005f152bad20c89f66f74dfd40f6c5432b5a2e01831ba014e | Mirai | elf mirai ua-wget
http://41.216.189.149/HOME/Mark90c80.mips | 271d6a0e041ad8a3fcb638d869b36abc1d358509f69a57817c561723973dd305 | Mirai | elf mirai ua-wget
http://41.216.189.149/HOME/Mark90c80.arc | 64e28d40ae1b261c53dafe3ede379e4286e5cf16bec6839486df9cd96fe1cb0b | Mirai | elf mirai ua-wget
http://41.216.189.149/HOME/Mark90c80.i468 | n/a | n/a | elf ua-wget
http://41.216.189.149/HOME/Mark90c80.i686 | 5c3143983ed8466d1dfad3b559c5e889431ca53c41b9ea8fb523e7f8ec17d781 | Mirai | elf mirai ua-wget
http://41.216.189.149/HOME/Mark90c80.x86_64 | 62cebcf7aabaff4f582c281f620811e45a16ac5e5fcfdd782f8748dc01c18a17 | Mirai | elf mirai ua-wget
http://41.216.189.149/HOME/Mark90c80.mpsl | 88c5165e657f1257c2968e8d7653f72128db4128741ee59a421b5456279ef0f8 | Mirai | elf mirai ua-wget
http://41.216.189.149/HOME/Mark90c80.arm | eb32c5d648cb6ac14419232cdb50f6babd4f1034b16b1bb0b7a9491b1c394a3a | Mirai | elf mirai ua-wget
http://41.216.189.149/HOME/Mark90c80.arm5 | 6e04ebb5902187654c319021840c486cbc8e9202325d35fd668b5545956d6d7c | Mirai | elf mirai ua-wget
http://41.216.189.149/HOME/Mark90c80.arm6 | n/a | n/a | elf ua-wget
http://41.216.189.149/HOME/Mark90c80.arm7 | n/a | n/a | elf ua-wget
http://41.216.189.149/HOME/Mark90c80.ppc | 87d5d6f02f582b4ce13433f4dad7f428ea812bfdc6b3fdc5983ec5c1ecb6bc1a | Mirai | elf mirai ua-wget
http://41.216.189.149/HOME/Mark90c80.spc | n/a | n/a | elf ua-wget
http://41.216.189.149/HOME/Mark90c80.m68k | 3155e9279470b9498e8b9f70a9bf57a6351be5fb47ddc2e5dc3a57456771c271 | Mirai | elf mirai ua-wget
http://41.216.189.149/HOME/Mark90c80.sh4 | ed7f373864180e1c167c8bc9d45725b7d7c3df7604d7834280b0f2003d52d948 | Gafgyt | elf gafgyt ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 51
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive medusa mirai

Result: Gathering data

Verdict: Malicious
File Type: Script
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen, HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph (process tree and network edges recovered from the sandbox graph dump; the rendered graph itself is not reproduced here):

  /usr/bin/sudo (pid 2491)
    execve -> /tmp/sample.bin (pid 2498), which in a loop, once per architecture, spawns:
      /usr/bin/cp
      /usr/bin/wget   [net, send-data, write-file]
      /usr/bin/curl   [net, send-data, write-file]
      /usr/bin/chmod
      /usr/bin/bash   (clone)
      /usr/bin/rm     [delete-file]
    and executes the dropped payloads that run on the sandbox host:
      /tmp/Mark90c80.x86     (pid 2540) [net]; forks children flagged dns, net, send-data, zombie
      /tmp/Mark90c80.i686    (pid 2620) [net]; forks children flagged dns, net, send-data, zombie
      /tmp/Mark90c80.x86_64  (pid 2631) [mprotect-exec, net]; forks children flagged net, send-data, zombie

  Network endpoints contacted:
    41.216.189.149:80      first wget/curl download requests from sample.bin (send: 147B, 96B, 148B)
    yummystakes.win:80     subsequent wget/curl download requests from sample.bin (send: 96B to 150B each)
    yummystakes.win:12121  contacted by the dropped Mark90c80.x86 and Mark90c80.i686 payloads (send: 27B, 29B)
    8.8.8.8:53             DNS traffic from the dropped payloads (send: 33B, 33B, 495B)
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-12-28 08:15:25 UTC
File Type: Text (Shell)
AV detection: 21 of 36 (58.33%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
UPX packed file
Deletes log files
Enumerates active TCP sockets
Enumerates running processes
File and Directory Permissions Modification
Deletes Audit logs
Deletes system logs
Executes dropped EXE
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: Mirai
File type: sh
SHA256 hash: 9115fbb78cc1ce44275e44500738a04decb3f51dfc506cbeb224b69ec2876a67 (this sample)

Delivery method: Distributed via web download

Comments