MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d11834e2f999c8a7517b37d7c4d7b8d2180cfd07aeed0ec04b09b8c8115ea95b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: d11834e2f999c8a7517b37d7c4d7b8d2180cfd07aeed0ec04b09b8c8115ea95b
SHA3-384 hash: 90052665f496ba96b192a12651c1db12372ffc8f28c582969a3f1a6e76aff2be5ca0ae52c33f83ad8c16ca8e0e05d471
SHA1 hash: 8a9e33d0a113590a3ed777f632611683ed062c52
MD5 hash: 2d1d831daa6f2ae4632fce859a91df99
humanhash: bacon-princess-india-mobile
File name: web-api.sh
Signature: Mirai
File size: 2'670 bytes
First seen: 2026-02-01 07:47:31 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vJHCVXRVhqoGVNqVDnVzNCVndVn/VHmVHjV5MV9Uy:vNiHyI5Rijd2Ryh
TLSH: T16B51D885228306619E339D5BB3B91A8577C980F94993EB2061BF359DD14DE08BEC4ACA
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 39
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2026-02-01T04:57:00Z UTC
Last seen: 2026-02-01T09:52:00Z UTC
Hits: ~100
Detections: HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p
Status: terminated
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-02-01 07:35:49 UTC
File Type: Text (Shell)
AV detection: 21 of 36 (58.33%)
Threat level: 3/5
Result
Malware family: n/a
Score: 7/10
Tags: antivm credential_access defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Reads process memory
Enumerates active TCP sockets
Enumerates running processes
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh d11834e2f999c8a7517b37d7c4d7b8d2180cfd07aeed0ec04b09b8c8115ea95b

(this sample)

  
Delivery method: Distributed via web download
