MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2cdacaa2059fbeb6bfaad78de529911ec37b37a4f487e166c5dfc6ddefd1eaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

SHA256 hash: c2cdacaa2059fbeb6bfaad78de529911ec37b37a4f487e166c5dfc6ddefd1eaa
SHA3-384 hash: 9ec3260e63413f87468970cc30ee0446e6a17b68102fd0a2ef1576bdac154e6be40659f708ef72d3dcbea1f3a9197c51
SHA1 hash: 9fa848bcb9d854c0b145505e330b1adbebf3705e
MD5 hash: f9cf2ba4e97f15ee52318486d908709f
humanhash: hydrogen-equal-louisiana-earth
File name: 1.sh
Signature: Mirai
File size: 2'999 bytes
First seen: 2026-02-03 18:51:59 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:ItkzYskc3kqOqsFk0VBkqeskyLkBTB5JkgAgaNk6XLkPTPNI8ksko7ksfkaAaXXe:iOhPZsFl/jIFfGXLaJ5PtJHOj2hi
TLSH: T14C51B4D510B18B743E65996AF3A44C1C3A84B49760C71F96AEDC38E560CFDA535807E2
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 43
Origin country: DE

Vendor Threat Intelligence
No detections
Result: Gathering data
Verdict: Malicious
File Type: Script
Detections: HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph: (sandbox process graph, not reproduced in text)
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-02-03 18:40:20 UTC
File Type: Text (Shell)
AV detection: 20 of 36 (55.56%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux upx

Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family

Malware Config
C2 Extraction: mirailoversddos.duckdns.org
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File type: sh
SHA256 hash: c2cdacaa2059fbeb6bfaad78de529911ec37b37a4f487e166c5dfc6ddefd1eaa (this sample)

Delivery method
Distributed via web download

Comments