MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e12cb5f37c5e7e4c2e9d7921f0d83f778ccab0354f38eaa8749e066eee703994. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: e12cb5f37c5e7e4c2e9d7921f0d83f778ccab0354f38eaa8749e066eee703994
SHA3-384 hash: 42497e604b39976ed5f49e01642d0a83aae83747cf89b4f69026d5c2151e1426b2a2e9e470ecf86d91243869152cfb19
SHA1 hash: ffef918aa830711af67d87b23d260b7d3e54b670
MD5 hash: 09351db6221b9f704e95a1977942365d
humanhash: nine-minnesota-winner-pluto
File name: sora.sh
Signature: Mirai
File size: 2'695 bytes
First seen: 2025-10-14 20:15:09 UTC
Last seen: 2025-11-19 10:51:19 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:vCOSzaIOSVOSXOSlOSpTwkaUoOSXoOSVOSbiOSTOSZOSGawg9OSsOStPOl:vCR7RVRXRlRNaRXoRVR2RTRZRLlRsRNe
TLSH: T1265154C5B31107717FE25E7679B4945CF2C4E1D2BEC49A89D8ECB8A9C48EF1824A0563
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 2
# of downloads: 33
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-10-14T17:42:00Z UTC
Last seen: 2025-10-14T19:09:00Z UTC
Hits: ~10
Status: terminated
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-10-14 20:27:32 UTC
File Type: Text (Shell)
AV detection: 23 of 38 (60.53%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:sora antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
UPX packed file
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (43464) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh e12cb5f37c5e7e4c2e9d7921f0d83f778ccab0354f38eaa8749e066eee703994

(this sample)
