MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a147cbde451e4a8a0c461c0e969d733d83abf5daae8ea15616da8bd7daa9cfc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: a147cbde451e4a8a0c461c0e969d733d83abf5daae8ea15616da8bd7daa9cfc5
SHA3-384 hash: bf9a3af59adcbd9203395847743f5a044c6a6b6fd8f4af0a77acc45bfd4e056f28454536c362af8878ea53e034a757ba
SHA1 hash: 8c6fc0b2da7f1934bddf8dc5409e44701829269e
MD5 hash: 71f1d1a49346cda47ba641953ab4ebfd
humanhash: item-butter-spaghetti-utah
File name: ohshit.sh
Signature: Mirai
File size: 2'670 bytes
First seen: 2026-02-22 09:27:24 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:vh/3/gh/0l/0bikh/5P/5Hyh/x2/xynh/xTQ/xTYh/+/Ch/is/N3Ch/5pj/5Oh/P:vWiObsXaYXsktcwCBUNU3Ush7kKM
TLSH: T120510887127255B43CE29DBE72B51514F280E4692DC69DEDECD93AF48ACCE08229D783
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai, sh

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 70
Origin country: DE
Vendor Threat Intelligence
No detections
Status: terminated
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2026-02-22 09:28:20 UTC
File Type: Text (Shell)
AV detection: 16 of 23 (69.57%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Enumerates active TCP sockets
Enumerates running processes
File and Directory Permissions Modification
Executes dropped EXE
Unexpected DNS network traffic destination
Mirai
Mirai family
Malware Config
C2 Extraction: 45.90.163.37
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

Comments