MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 932ee6f9d46bbce160c3af9aa3c34ef032c2a95e7000d7984f0dc195029bcbe6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8



SHA256 hash: 932ee6f9d46bbce160c3af9aa3c34ef032c2a95e7000d7984f0dc195029bcbe6
SHA3-384 hash: a19adf4bd57bc64175c9d08c2d3e255670de67781792c3264c0c692c64a0d18e7f1760a8bf3932683339f0dcc10cb48d
SHA1 hash: 56b8d7a1e9d0b13bd9cd1db34a068ab48bc7a745
MD5 hash: f3063064f2104a6e85627f43545f6fc4
humanhash: equal-fix-east-ohio
File name: 1.sh
Signature: Mirai
File size: 3'344 bytes
First seen: 2025-11-13 22:41:10 UTC
Last seen: 2025-11-16 19:27:17 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:ItStMZsSsBbhSP+kSU5lfSynmsSGTTSTnTGgJSpA6S2jnLSlnlNIpKksS8xMESgS:i2nMLd5+T1u1LqJ3lkGzBgJsFk
TLSH: T1DC6191FB238906375CB2C9D632BA4444719481AB54CE6F77ABDC38B61E8DECC7C42652
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://41.216.189.110/00101010101001/morte.x86 | 6b8117e57a2b87b7c07cd609d3478f8027ade35043062b6488457fe9466d8568 | Mirai | elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.110/00101010101001/morte.mips | 2d4a96fdb4a0dcc89308bc1d799f8a4d3509bfcb381c8525b321b6b7bcab9aa0 | Mirai | elf geofenced mips mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.arc | 5160c864a5c5542b4efa4b7952f1e982c95d0576cf5c149bad7e18017ef9aada | Mirai | arc elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.i468 | n/a | n/a | elf ua-wget
http://41.216.189.110/00101010101001/morte.i686 | c09490aa3ea0e45aa2512f7a369a34399f6b0b4dd9f654d8946202096d3d48a6 | Mirai | elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.110/00101010101001/morte.x86_64 | 5fa965225e35c97914d3d6b771c39e2971d4b8914609922852fe1efbc9a6010d | Mirai | elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.110/00101010101001/morte.mpsl | 1394597ae3c643387f065c3aab90c5a6c4d0ab7d6ec30f6ca761cf446d509d66 | Mirai | elf geofenced mips mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.arm | 0439be6a9f9aaf5623ce70f54f82ab5268a44e746bde17138516f52896edeeec | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.arm5 | f5a3b1941dce7671aad2f0c427452a8f4643d0bd6506fd563f669c22d6db4a05 | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.arm6 | 963e41aeaa3f297bff3ae1f0acc83b9a4d94f941d00aea025bc8a091757860f7 | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.arm7 | dfafa5b4d7a552dfbbc3f03e47adc80fa21ad45da03c1ebcf927377229d8c867 | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.ppc | 67bcae4e962af5378b2e2b6c29ab298d1806cb7487158138b4e9fbf503e427f2 | Mirai | elf geofenced mirai opendir PowerPC ua-wget USA
http://41.216.189.110/00101010101001/morte.spc | 4fe283d9131ca04a8dc9da34a9ca9b8b92db99f1a39bd434e20f0c39095b9f2c | Mirai | elf geofenced mirai opendir sparc ua-wget USA
http://41.216.189.110/00101010101001/morte.m68k | ceba64aafe8d83bf0ea695c0290fd23e591b6afb660962ef4fd7ec27e4675610 | Mirai | elf geofenced m68k mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/morte.sh4 | a392585d6003c1ce9fe4983cb7edf01cc8d36b2f33fbda420380fb48dbc6be79 | Mirai | elf geofenced mirai opendir SuperH ua-wget USA

Intelligence


File Origin
# of uploads: 2
# of downloads: 53
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive
Verdict: Malicious
File Type: unix shell
First seen: 2025-11-13T15:09:00Z UTC
Last seen: 2025-11-14T10:24:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
Process tree (sandbox process graph, rendered as text; flags in brackets are the sandbox's per-process annotations):

  pid 1511  /usr/bin/sudo
    execve -> pid 1520  /tmp/sample.bin
      execve -> pid 1522  /usr/bin/cp
      execve -> pid 1533  /usr/bin/wget   [net, send-data, write-file]
      execve -> pid 1565  /usr/bin/curl   [net, send-data, write-file]
      execve -> pid 1618  /usr/bin/chmod
      execve -> pid 1620  /tmp/morte.x86  [net]
        clone -> pid 1623  /tmp/morte.x86
          clone -> pid 1624  /tmp/morte.x86
          clone -> pid 1625  /tmp/morte.x86  [dns, net, send-data, zombie]
        clone -> pid 2251  /tmp/morte.x86
        clone -> pid 2252  /tmp/morte.x86  [net, send-data, zombie]
      execve -> pid 2253  /usr/bin/rm  [delete-file]

  From pid 1520 the same cycle then repeats for each further payload (observed pids 2254 through 3354):
      execve -> /usr/bin/wget   [net, send-data, write-file]  (pid 2320: net, send-data only)
      execve -> /usr/bin/curl   [net, send-data, write-file]
      execve -> /usr/bin/chmod
      clone  -> /usr/bin/bash
      execve -> /usr/bin/rm     [delete-file]
  In two of these cycles the chmod is followed by executing the dropped binary instead of bash:
      execve -> pid 2386  /tmp/morte.i686    [net]
      execve -> pid 2743  /tmp/morte.x86_64  [mprotect-exec, net]

Network endpoints:
  41.216.189.110:80    <- pid 1533 wget (send 153 B), pid 1565 curl (send 102 B)
  8.8.8.8:53           <- pid 1620 morte.x86 (connect), pid 1625 morte.x86 (send 31 B), pid 2252 morte.x86 (send 155 B), pid 2386 morte.i686 (connect), pid 2743 morte.x86_64 (connect)
  vr3b.ddns.net:12121  <- pid 1625 morte.x86 (send 15 B)
  41.216.189.108:80    <- pid 2252 morte.x86 (connect)
  vr3b.ddns.net:80     <- every later wget (pids 2254 to 3326, 153-156 B each) and curl (pids 2255 to 3331, 102-105 B each)
  0.0.0.0:12121        <- pid 2386 morte.i686 (connect), pid 2743 morte.x86_64 (connect)
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-11-13 20:36:07 UTC
File Type: Text (Shell)
AV detection: 23 of 38 (60.53%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Malware Config
C2 Extraction: vr3b.ddns.net
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh | 932ee6f9d46bbce160c3af9aa3c34ef032c2a95e7000d7984f0dc195029bcbe6 | (this sample)

Delivery method: Distributed via web download

Comments