MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be057d7310293c3687d3e233fb1c2c792fc980854527b2afed5031ebfbca0bb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8



SHA256 hash: be057d7310293c3687d3e233fb1c2c792fc980854527b2afed5031ebfbca0bb2
SHA3-384 hash: ffd4ba5ba1bc16cf49238a4cd53959e6f7cf26839f40dc4d67353c8e87367a53dbc6dca58a570c7e03a7f593addfb6be
SHA1 hash: ddb21e397b6c50734bd5b23bdb851eff6785aeed
MD5 hash: 1a5d508436101b06458772b47ed744f2
humanhash: massachusetts-earth-nineteen-violet
File name: 1.sh
Signature: Mirai
File size: 3'284 bytes
First seen: 2026-02-21 06:12:42 UTC
Last seen: 2026-02-22 00:20:25 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:i55x5SNSK95rR54z5qr5if5M6MV05R3ROw56zL5zzJ5on5S75jp5NGU5GI/:ihoUK93E2a+0hQLvIinCUx/
TLSH: T16B6166AA057206B67CD14A92BA7CC11772E1E79A51C65ECFEFFC38EA504CE1CF2405A1
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 2
# of downloads: 65
Origin country: DE
Vendor Threat Intelligence
No detections
Result
Gathering data
Status: terminated
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-02-20 23:34:48 UTC
File Type: Text (Shell)
AV detection: 21 of 36 (58.33%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh be057d7310293c3687d3e233fb1c2c792fc980854527b2afed5031ebfbca0bb2

(this sample)
