MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb01c8693c796d4e331ca744a2b885e16d2f6cb5a9cdc94476ff9dee139843ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mirai
Vendor detections: 9

SHA256 hash: bb01c8693c796d4e331ca744a2b885e16d2f6cb5a9cdc94476ff9dee139843ea
SHA3-384 hash: 13dc5ee4909f41542e64f08e76864e8dc31144c22e76ab326685f0bef3b41666a3c42099d76cfef44892b2ef909af0e4
SHA1 hash: d8cd1fcd6ab2306dee84a41660532562a3520ce8
MD5 hash: 9bb247ab7e80a65bed35e41bb1c6a9a5
humanhash: louisiana-potato-king-table
File name: 1.sh
Signature: Mirai
File size: 3'194 bytes
First seen: 2025-11-20 05:42:24 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:i4LdGVsxidz4cUPFyRMRJhLIvLcJ1f6kvsuN6:i4LdGVsxidz4cUPFyRMIvLm1f6kV6
TLSH: T1DE6171F6618807346CE2AB97627E8048309592A740FA7F26A7DC38B55D8DFDCBC41663
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://41.216.189.110/00101010101001/S3o.x86 | d3f10f6d5e3c2b912e20a40579c75536930b660f07129c21bbd9788ac4efc728 | Mirai | elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.110/00101010101001/S3o.mips | 21782793f8c22a44cc00c57d28fc4468469c09be0879bae0921e423ff5a55f17 | Mirai | elf geofenced mips mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.arc | 20b10e19db7094870b5c049dfab380a9af22bf0ab6b857d016f6e1870e0555a6 | Mirai | arc elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.i468 | n/a | n/a | elf ua-wget
http://41.216.189.110/00101010101001/S3o.i686 | 66f67c3960faab5dafa836ccaf9bc63733dc49a84e972fdd81bc47c45e6eb5fa | Mirai | elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.110/00101010101001/S3o.x86_64 | 13c4df50e1cac452500fa11a328b86e70414281a294016b02151dff0152faf5c | Mirai | elf geofenced mirai opendir ua-wget USA x86
http://41.216.189.110/00101010101001/S3o.mpsl | 5c08ebe6558b86f3ab363b062cefb8e699a27f699d7d1e4cc67d90fb3e5766c6 | Mirai | elf geofenced mips mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.arm | fbe97ea7d5fad0c72fe5249bbfadff0d9c0f5ec90b0bcd4b1ad354bba51abba4 | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.arm5 | 48494bc2a98774569b60d6e657af2c1c781be83867fe60a12a8fa2f4279964b6 | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.arm6 | 86d1089b91ce9ce616774fee8146704ea26f33188be13aa4aba1efff6c5ec79c | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.arm7 | 759b7b535e312929274b186c9baa02472a9cc3731e56c997c8fdf401a7dd9a61 | Mirai | arm elf geofenced mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.ppc | 81f81e4ad3508cd865b9245b2c856241111d01b7fa839f20e202815589a0f043 | Mirai | elf geofenced mirai opendir PowerPC ua-wget USA
http://41.216.189.110/00101010101001/S3o.spc | 3789076d4c74180c9ea1f824f606fb32b2ef97c635cc8f567cd8b0bd598ca2e8 | Mirai | elf geofenced mirai opendir sparc ua-wget USA
http://41.216.189.110/00101010101001/S3o.m68k | bb719d6a4197953f3bf91eff21abb3692df553e35cf0c78a87ca25834731b6dd | Mirai | elf geofenced m68k mirai opendir ua-wget USA
http://41.216.189.110/00101010101001/S3o.sh4 | a1cbc4b0188f1476ed7c316842583952b48c0069473d00b1b212fac91764450f | Mirai | elf geofenced mirai opendir SuperH ua-wget USA

Intelligence

File Origin
# of uploads: 1
# of downloads: 50
Origin country: DE
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive medusa mirai

Verdict: Malicious
File Type: unix shell
First seen: 2025-11-19T17:57:00Z UTC
Last seen: 2025-11-20T11:32:00Z UTC
Hits: ~100
Detections: HEUR:Trojan-Downloader.Shell.Agent.gen, HEUR:Trojan-Downloader.Shell.Agent.a, HEUR:Trojan-Downloader.Shell.Agent.p
Status: terminated
Behavior Graph (summary of the rendered process/network graph):
/usr/bin/sudo (pid 3399) execve -> /tmp/sample.bin (pid 3407), the script under analysis.
pid 3407 first execve's /usr/bin/cp, then repeats one cycle per payload URL (15 cycles, matching the 15 URLs above): /usr/bin/wget (net, send-data, write-file), /usr/bin/curl (net, send-data, write-file), /usr/bin/chmod, then either an execve of the dropped binary or a /usr/bin/bash clone, then /usr/bin/rm (delete-file).
Dropped binaries that actually ran: /tmp/S3o.x86 (pid 3490, net), /tmp/S3o.i686 (pid 4472, net) and /tmp/S3o.x86_64 (pid 4791, mprotect-exec, net); the other 12 cycles end in a bash clone instead of an execve of the payload.
Network, downloader side: the first wget (pid 3417) and curl (pid 3451) send 151 B and 100 B to 41.216.189.110:80; every later wget/curl invocation sends 151-154 B / 100-103 B to vmr3b.bounceme.net:80.
Network, payload side: /tmp/S3o.x86 (pid 3490) connects to 8.8.8.8:53 and clones pids 3491, 4118 and 4119; pid 3491 clones 3492 and 3493. Pid 3493 (dns, net, send-data, zombie) sends 36 B to 8.8.8.8:53 and 13 B to vmr3b.bounceme.net:12121; pid 4119 (net, send-data, zombie) sends 180 B to 8.8.8.8:53 and 13 B to vmr3b.bounceme.net:80. /tmp/S3o.i686 (pid 4472) and /tmp/S3o.x86_64 (pid 4791) each connect to 8.8.8.8:53 and to 0.0.0.0:12121.
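The graph above is the classic stage-and-run loop of a multi-architecture Mirai dropper: a downloader writes a binary into /tmp, the parent shell chmods and execve's it, and then removes it, once per architecture suffix from the URL table. The following Python script is an added example, not part of this MalwareBazaar entry or of any vendor's sandbox, that turns that pattern into detection logic over process events. It runs on a constructed event log that reuses the graph's pids, paths and hosts; the event format, the DOWNLOADERS and STAGING_DIRS lists and the architecture-suffix pattern are assumptions of the example, not something the page specifies.

```python
"""Flag the stage-and-run chain from this entry's sandbox graph (downloader writes into a
staging dir -> same parent execve's the file -> file is unlinked), the per-architecture
fan-out from the URL table, and the network contacts of any payload that ran."""
from collections import defaultdict
from dataclasses import dataclass, field
import os
import re

DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}                  # assumed tool list
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/")   # assumed drop dirs
ARCH_SUFFIX = re.compile(r"\.(x86_64|x86|i[3-6]86|mipsel|mips|mpsl|arm[4-7]?|arc|ppc|spc|sparc|m68k|sh4)$")

# Constructed event log ("<ts> <pid> <ppid> <event> <detail>") modelled on the behaviour
# graph above, reusing its pids, paths and hosts; it is not a capture from a real sensor.
SAMPLE_EVENTS = """\
1  3407 3399 execve  /tmp/sample.bin
2  3417 3407 execve  /usr/bin/wget
3  3417 3407 connect 41.216.189.110:80
4  3417 3407 write   /tmp/S3o.x86
5  3490 3407 execve  /tmp/S3o.x86
6  3491 3490 clone   /tmp/S3o.x86
7  3493 3491 clone   /tmp/S3o.x86
8  3493 3491 connect 8.8.8.8:53
9  3493 3491 connect vmr3b.bounceme.net:12121
10 4120 3407 unlink  /tmp/S3o.x86
11 4124 3407 execve  /usr/bin/wget
12 4124 3407 connect vmr3b.bounceme.net:80
13 4124 3407 write   /tmp/S3o.mips
14 4274 3407 unlink  /tmp/S3o.mips
15 4408 3407 execve  /usr/bin/wget
16 4408 3407 connect vmr3b.bounceme.net:80
17 4408 3407 write   /tmp/S3o.i686
18 4472 3407 execve  /tmp/S3o.i686
19 4757 3407 unlink  /tmp/S3o.i686
20 6000 1    execve  /usr/bin/wget
21 6000 1    write   /home/user/report.pdf
"""

@dataclass
class Chain:
    parent: int
    path: str
    stages: list = field(default_factory=list)
    source: str = ""                               # host:port the downloader used
    contacts: list = field(default_factory=list)   # host:port reached by the payload

def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, pid, ppid, event, detail = line.split(maxsplit=4)
            events.append((int(ts), int(pid), int(ppid), event, detail))
    return sorted(events)

def analyse(events):
    image = {}         # pid -> executable image; clones inherit the parent's
    last_connect = {}  # pid -> most recent connect target
    chains = {}        # (parent pid, staged path) -> Chain
    by_image = {}      # executed payload path -> Chain, for attributing contacts
    for _ts, pid, ppid, event, detail in events:
        if event in ("execve", "clone"):
            image[pid] = detail
            chain = chains.get((ppid, detail))
            if event == "execve" and chain and "downloaded" in chain.stages:
                chain.stages.append("executed")
                by_image[detail] = chain
        elif event == "connect":
            last_connect[pid] = detail
            chain = by_image.get(image.get(pid))
            if chain and detail not in chain.contacts:
                chain.contacts.append(detail)
        elif event == "write":
            tool = os.path.basename(image.get(pid, ""))
            if tool in DOWNLOADERS and detail.startswith(STAGING_DIRS):
                chain = chains.setdefault((ppid, detail), Chain(ppid, detail))
                if "downloaded" not in chain.stages:
                    chain.stages.append("downloaded")
                    chain.source = last_connect.get(pid, "")
        elif event == "unlink":
            chain = chains.get((ppid, detail))
            if chain:
                chain.stages.append("deleted")
    return chains

def findings(chains):
    report, archs = [], defaultdict(set)
    for c in chains.values():
        m = ARCH_SUFFIX.search(os.path.basename(c.path))
        if m:
            archs[c.parent].add(m.group(1))
        line = f"pid {c.parent}: {c.path} {' -> '.join(c.stages)} (from {c.source})"
        if c.contacts:
            line += "; payload contacted " + ", ".join(c.contacts)
        report.append(line)
    for parent, names in archs.items():
        if len(names) >= 3:   # one basename, several arch suffixes: cross-arch dropper
            report.append(f"pid {parent}: multi-architecture fan-out over {', '.join(sorted(names))}")
    return report

if __name__ == "__main__":
    for line in findings(analyse(parse_events(SAMPLE_EVENTS))):
        print(line)
```

On a real host the same four event kinds come from auditd (execve, unlink) or an eBPF/LSM sensor (file writes, connects); the chain keyed on the parent pid is what distinguishes this dropper from an ordinary download, and the staged-but-never-executed /tmp/S3o.mips case mirrors the twelve cycles in the graph that end in a bash clone rather than a running payload. The S3o.x86 chain shows the second thing worth pulling out of the graph: the payload's own contacts (8.8.8.8:53 and vmr3b.bounceme.net:12121) are attributed to it through its clones, not just to the pid that execve'd.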
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-11-20 01:22:16 UTC
File Type: Text (Shell)
AV detection: 22 of 38 (57.89%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux upx
Behaviour:
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File type: sh
SHA256: bb01c8693c796d4e331ca744a2b885e16d2f6cb5a9cdc94476ff9dee139843ea (this sample)

Comments