MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db1a66c266e2dd15c041c31d00efd37b4ed38b4e45638694af0c562ed56d5722. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9



SHA256 hash: db1a66c266e2dd15c041c31d00efd37b4ed38b4e45638694af0c562ed56d5722
SHA3-384 hash: 5633b0d3c61fe12d7ec05dd7189c70e3455ab5339a9e1bc9743ead09335a8708528b727651d7cdf9ac5c14b8e1f722b8
SHA1 hash: 1ff8dc2bd97826ea9e52571b5657afba9ebadcf0
MD5 hash: 778982d1dd4450024287c3164e7618e1
humanhash: cold-blue-juliet-black
File name: lg
Signature: Mirai
File size: 4'788 bytes
First seen: 2025-11-24 18:13:03 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vUhMV4k2Uq1V46UrHrWV4vUNoV4BUEpEEV4EtUJkV4NUq1V46UOZV4+UzSV4/UDv:vbgp1PsL4zOEptbOZBbnD8j21XD7DeRE
TLSH: T1E5A10AE674B4977A6DB0ED7372D6C643B140A0AAE0D68C0BF2D1F0E8044EF61F484B82
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh
URLs referenced by this sample (one payload per target architecture):

URL | Malware sample (SHA256 hash) | Signature | Tags
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86 | 06f6c2e48fe50cc39e412f309f22053e06db1aae20c68452dbc0c813bacfaa97 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mips | abb44bb778d3eb33722c8ff7858138a4353d8f46c73995602d2d84715e295b18 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.mpsl | 9e715465d9cc0b6987d27bc3bdc7abe122bca168ff708d2ec0c2441263ad70fe | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm | 2de20b3347d90622f88ecd1675c009ab4b3a00eb12b454f72bc30d8f37511c26 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm5 | 2e1e849fc65cd435d469dcfea490d2481eff33e553e0960cd9e0456ae50c0bf9 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6 | 19f25bc863a4691eae2074524c2f6624e9a735920f19d0adb745870addce4aa0 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm7 | da87a874b834cfb9fc525ce39cd6c8ac65e118c0f401a9fbe9107bdc9c61dbe2 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.ppc | 961a10b6fcdd3bf9cb2eb496ea4458bac31b6891f1cdce4af92b3aa6dfa9e93f | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.m68k | f4b928db067a0faa140e8fa79a2338315d998130414088617eaac7cc216872f7 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.spc | 44ab9070ccf7753d5e0cd3eba8625f2eed3e4f382bcb5789049efd299d84e633 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.i686 | f9d11add2e36cc30580e4e9ff6886a4235188b9132ce02f127ed02b06b578eee | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.sh4 | 79e05b52966b9df23bd75d3b953b346c354916469522876a7f1bc653f8146261 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arc | 294e36334bce82e0ea0289773fb352aa6ebc5d3572d2d15839846a953c9469c4 | Mirai | elf mirai ua-wget
http://158.94.210.88/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.x86_64 | n/a | n/a | n/a

Intelligence


File Origin
# of uploads: 1
# of downloads: 42
Origin country: DE

Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%

Verdict: Malicious
File Type: unix shell
First seen: 2025-11-24T15:18:00Z UTC
Last seen: 2025-11-25T00:57:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen, HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph (rendered as a process graph on the site; only the node and edge labels are recoverable here): /usr/bin/sudo (pid 3194) execve's /tmp/sample.bin (pid 3200). The sample then repeats the same cycle 14 times, matching the 14 architecture-specific URLs listed above: execve /usr/bin/wget (net, send-data), execve /usr/bin/curl (net, send-data, write-file), execve /usr/bin/cat, execve /usr/bin/chmod, clone /usr/bin/bash. Each wget and curl child sends one request of 146 to 200 bytes to 158.94.210.88:80.
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-11-24 18:13:26 UTC
File Type: Text (Shell)
AV detection: 24 of 37 (64.86%)
Threat level: 3/5

Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  System Network Configuration Discovery
  Writes file to tmp directory
  Checks CPU configuration
  File and Directory Permissions Modification
  Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

Relationship (rendered as a tree on the site): Web download -> Mirai -> sh db1a66c266e2dd15c041c31d00efd37b4ed38b4e45638694af0c562ed56d5722 (this sample)
