MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db1a66c266e2dd15c041c31d00efd37b4ed38b4e45638694af0c562ed56d5722. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9



SHA256 hash: db1a66c266e2dd15c041c31d00efd37b4ed38b4e45638694af0c562ed56d5722
SHA3-384 hash: 5633b0d3c61fe12d7ec05dd7189c70e3455ab5339a9e1bc9743ead09335a8708528b727651d7cdf9ac5c14b8e1f722b8
SHA1 hash: 1ff8dc2bd97826ea9e52571b5657afba9ebadcf0
MD5 hash: 778982d1dd4450024287c3164e7618e1
humanhash: cold-blue-juliet-black
File name: lg
Signature: Mirai
File size: 4'788 bytes
First seen: 2025-11-24 18:13:03 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vUhMV4k2Uq1V46UrHrWV4vUNoV4BUEpEEV4EtUJkV4NUq1V46UOZV4+UzSV4/UDv:vbgp1PsL4zOEptbOZBbnD8j21XD7DeRE
TLSH: T1E5A10AE674B4977A6DB0ED7372D6C643B140A0AAE0D68C0BF2D1F0E8044EF61F484B82
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 44
Origin country: DE

Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%

Verdict: Malicious
File Type: unix shell
First seen: 2025-11-24T15:18:00Z UTC
Last seen: 2025-11-25T00:57:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen, HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph:
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-11-24 18:13:26 UTC
File Type: Text (Shell)
AV detection: 24 of 37 (64.86%)
Threat level: 3/5

Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  System Network Configuration Discovery
  Writes file to tmp directory
  Checks CPU configuration
  File and Directory Permissions Modification
  Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mirai
File type: sh
SHA256 hash: db1a66c266e2dd15c041c31d00efd37b4ed38b4e45638694af0c562ed56d5722 (this sample)
