MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1bd69626e207679d3b239d6925dafebc466a587a564ebafc3de70a3c8ec6582. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 10



SHA256 hash: d1bd69626e207679d3b239d6925dafebc466a587a564ebafc3de70a3c8ec6582
SHA3-384 hash: 4e3ce4b2921de41b45949d0341ad42dc69e39f85b716c822996b7bc70559ef70a268a49bd33cd9ad63582c478051517b
SHA1 hash: 154a6ce2d059efaaafbcfb0218a4068d6fe17b83
MD5 hash: 236256ce34eba7f94e82f9535433cbde
humanhash: chicken-angel-angel-august
File name: thinkphp
Signature: Mirai
File size: 4'863 bytes
First seen: 2025-12-19 12:59:46 UTC
Last seen: 2025-12-19 15:45:14 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vUhMV4kPUq1V4jUrHrWV4KUNoV4YUEpEEV4EEUJkV4kUq1V4jUOZV43UzSV46UD3:vbFpsPxLdzOEpEbnZYbCDhjP1SDGDXbK
TLSH: T141A10DE675B5A77A6DB0ED7375D6C642F14060A6E0DA8C0BF2D1F0E8084EF71E494B82
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URL | Malware sample (SHA256 hash) | Signature | Tags

Intelligence


File Origin
# of uploads: 2
# of downloads: 51
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
File Type: unix shell
First seen: 2025-12-19T10:10:00Z UTC
Last seen: 2025-12-20T00:06:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.a, HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen
Status: terminated
Behavior Graph:
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-12-19 13:00:32 UTC
File Type: Text (Shell)
AV detection: 18 of 24 (75.00%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:unstable antivm botnet defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Enumerates active TCP sockets
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (66678) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Malware Config
C2 Extraction:
cnc.504.su
scan.504.su
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh d1bd69626e207679d3b239d6925dafebc466a587a564ebafc3de70a3c8ec6582

(this sample)

Comments