MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e85e295ea489ab1650f656897ee0fd9d4e1ff1f115b2f6af7fa90eb6e469112a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 10



SHA256 hash: e85e295ea489ab1650f656897ee0fd9d4e1ff1f115b2f6af7fa90eb6e469112a
SHA3-384 hash: 403715ddd55b6e891d68e84232b20ac7b810939e81e4a06ff7bd31ea3173f1d763fbd4dd1c69fdd4d4698dbd3c00f08f
SHA1 hash: 6de6e9eff4c1257097c36588be2701e69656ad2a
MD5 hash: bafe25262024e07ea9a663511edee8f6
humanhash: fruit-may-pip-table
File name: ohshit.sh
Signature: Mirai
File size: 2'479 bytes
First seen: 2026-03-30 12:45:55 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:ipfqfipfgfN4pfxfipf1fapfxVfxUpfxXfxApffOfApfEfapfhfipf4f/4pfnfCn:ixcixiN4xJixNaxxtxUxxvxAx4AxGaxz
TLSH: T1CB514EC922D25032AEFAD97373B98544B9A0508735C67E489CEC38F4C68CD46A5C5BE7
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 81
Origin country: DE
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: busybox medusa mirai

Verdict: Malicious
File Type: unix shell
First seen: 2026-03-30T09:50:00Z UTC
Last seen: 2026-03-30T19:54:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Status: terminated
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2026-03-30 12:41:34 UTC
File Type: Text (Shell)
AV detection: 21 of 36 (58.33%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:botnet antivm botnet defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Enumerates active TCP sockets
Enumerates running processes
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (86781) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh e85e295ea489ab1650f656897ee0fd9d4e1ff1f115b2f6af7fa90eb6e469112a

(this sample)

  
Delivery method
Distributed via web download
