MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1f58617f3a7820f3c37bc22d8dcf4345c4a9d2e0a511385fff55465cd0ddb7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

SHA256 hash: d1f58617f3a7820f3c37bc22d8dcf4345c4a9d2e0a511385fff55465cd0ddb7d
SHA3-384 hash: fe0220994c0a164c658c4ce3781dae0684366e0e3e89c7c342c56133bf80207d2a4cf055aef06a93db82780f0550bade
SHA1 hash: a71122b0b088fb6a9c2666beca2763b54d70a8a7
MD5 hash: 987a7bc60293c9f254af413290c989a4
humanhash: juliet-fruit-item-high
File name: 1.sh
Signature: Mirai
File size: 3'347 bytes
First seen: 2025-09-16 21:15:56 UTC
Last seen: 2025-09-17 10:20:26 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:YSdIZdIQZsSdIgdIdbhSdITdIqkSdIQdItlfSdIedI7msSdIydInTSdIXndIXGgS:Y2NQt3zfi1KHLUJ9F09sBgJslk
TLSH: T1B0616DF703B906736CB289D622BA444471D1C19B59CEAF76ABDC34A40E8DECC7C52A52
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 2
# of downloads: 58
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-09-16T19:30:00Z UTC
Last seen: 2025-09-16T19:30:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph:
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-09-16 21:19:46 UTC
File Type: Text (Shell)
AV detection: 16 of 24 (66.67%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Malware Config
C2 Extraction: erfffxz.bounceme.net
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Web download | Mirai | sh | d1f58617f3a7820f3c37bc22d8dcf4345c4a9d2e0a511385fff55465cd0ddb7d (this sample)

Delivery method: Distributed via web download