MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae478fec126ad5b9e5f9c39c1112e14832e16d1866917e71a9e7aa6a6ad884e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: ae478fec126ad5b9e5f9c39c1112e14832e16d1866917e71a9e7aa6a6ad884e8
SHA3-384 hash: 9b35bb0d7e931f9e71cc3cacd2ffb1de979dbb338c92480900127f113b9d577871dc54b6ce1f8de54ecbb67a500eac53
SHA1 hash: 3e3ada1ecb97369d101e2aaca70ad2542b6c3efe
MD5 hash: 7cca40c26d8cb957886e6df76a22b52c
humanhash: north-utah-hot-friend
File name: ohshit.sh
Signature: Mirai
File size: 2'869 bytes
First seen: 2025-07-19 11:20:42 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:ivKozLvc8zLvDgdzLvH4zLvVEzLvfk1zLv7ahEzLvwQzLvzszLvUmzLvV8zLvx08:iv3538d3w3O3k13kE353o3T323y3K3R/
TLSH: T1345180E59117D23A3CD1E922A1A7803DF1DE699935D53E02B9EEBCB991CCD04B050B92
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
Download URLs referenced by this script (URL | Malware sample (SHA256 hash) | Signature | Tags):

http://212.11.64.25/LjEZs/uYtea.arc | 1b8fe8e23a22abe25ba0345ca14a926affad78b41277fe3e3c4a1678d8770701 | Mirai | elf mirai ua-wget
http://212.11.64.25/LjEZs/uYtea.x86 | 6c87487055388d68866ebc3c0a28365554298885a22b024eaac8719f0b1f1d22 | Mirai | elf mirai ua-wget
http://212.11.64.25/LjEZs/uYtea.x86_64 | 1262106837e73c0dda5cc0fa1bdcca3f4f51804dd2eb013420a646377d4effc8 | Mirai | elf mirai ua-wget
http://212.11.64.25/LjEZs/uYtea.i686 | n/a | n/a | elf ua-wget
http://212.11.64.25/LjEZs/uYtea.mips | 791ae9cab92d44cbf9972d8a53ff72b8062965722fa28a9a229612e1db35d4df | Mirai | elf mirai ua-wget
http://212.11.64.25/LjEZs/uYtea.mips64 | n/a | n/a | elf ua-wget
http://212.11.64.25/LjEZs/uYtea.mpsl | 9a68a95ce997cbca00cb93a120921f07ed28ed3c68eab4af9460575aa7fcf3c0 | Mirai | elf mirai ua-wget
http://212.11.64.25/LjEZs/uYtea.arm | 21de5f5e109b9bd1aa2a2572019457430e750772f72fbdd6fd7ae41183c80472 | Mirai | elf mirai ua-wget
http://212.11.64.25/LjEZs/uYtea.arm5 | 64e02dd9310346de4018671c31a8111158615abf5dcd9129d1777db5850c320a | Mirai | elf mirai ua-wget
http://212.11.64.25/LjEZs/uYtea.arm6 | 8413b7a0c77712f2c52e146c59bcf0e77914f7336aad240c6e8be4d79496a018 | Mirai | elf mirai ua-wget
http://212.11.64.25/LjEZs/uYtea.arm7 | c9d6fe17152ada2e3d8c9e771b76139dddba1ec3e4944bf9795a84c572f01e54 | Mirai | elf mirai ua-wget
http://212.11.64.25/LjEZs/uYtea.ppc | 48111d82d812a894a8dee1738f323cf8d72c1ff36da7ca6186867d6089d6d50f | Mirai | elf mirai ua-wget
http://212.11.64.25/LjEZs/uYtea.sparc | n/a | n/a | elf ua-wget
http://212.11.64.25/LjEZs/uYtea.m68k | 6ded261b58bc36629323eff336278e7f9b87619af341e817962e171a8461ce6b | Mirai | elf mirai ua-wget
http://212.11.64.25/LjEZs/uYtea.sh4 | a0b07281d78b77ef45eae7053de7c5d4bb05123b1aa9b6499324b471783141fd | Mirai | elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 30
Origin country: DE
Vendor Threat Intelligence
Status: terminated
Behavior Graph: (graph image not reproduced; recoverable summary of the sandbox process tree) /usr/bin/sudo launches /tmp/sample.bin, which repeatedly executes /usr/bin/cp, /usr/bin/wget, /usr/bin/curl, /usr/bin/cat, /usr/bin/chmod and /usr/bin/bash and then runs the dropped payload /tmp/Chaotic, whose child processes are reported as zombies. Observed network endpoints: 212.11.64.25:80 (wget/curl requests of roughly 91 to 145 bytes each), 212.11.64.25:1302 and 8.8.8.8:53 (connections from /tmp/Chaotic), and 0.0.0.0:9473 (bound by /tmp/Chaotic).
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-07-19 11:21:23 UTC
File Type: Text (Shell)
AV detection: 22 of 37 (59.46%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:demons antivm botnet defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Enumerates active TCP sockets
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Web download | Mirai | sh | ae478fec126ad5b9e5f9c39c1112e14832e16d1866917e71a9e7aa6a6ad884e8 (this sample)

Delivery method: Distributed via web download

Comments