MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13a07121d74dafa9f2ba4bb2d64fe8a9be9dd1827b8eb4aaf154299958c62b2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	13a07121d74dafa9f2ba4bb2d64fe8a9be9dd1827b8eb4aaf154299958c62b2e
SHA3-384 hash:	5082eda98dc1fbbb457f9290e54f3ef3dc66ae5bd340f9235a0ef9ec52b69ff5f5386572b3cfaf8228fddf6b85142897
SHA1 hash:	543cd009fb5bb7d49715552fce514f8aec6e4a48
MD5 hash:	571f92bcbccca4330e476cd999aaa1a7
humanhash:	magazine-jersey-nine-missouri
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'940 bytes
First seen:	2025-09-08 14:22:43 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vpx70x7N7hpxvx6GpxgnxzPpxfxKWpx1xoUpx71x7o7UpxfOx3bpxEx9Rpxhxcg3:vT7q7N7hTZ6GTgxzPTJKWTnoUT7n7o7+
TLSH	T1B751D6C582846D302DB7EB13F7B6C128308190979CEA7F99D9CCFAE8869ED147148B53
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.149.23/hiddenbin/boatnet.x86	ad6587e8cd903beda37a7ebbcdf5fce2931a8ac91b462fca04e042ae2d75d6b8	Mirai	elf mirai ua-wget
http://176.65.149.23/hiddenbin/boatnet.mips	c6387ca4478a96ab000530098b2ed43e8413853dddb5db6b238d1ad97145ea9f	Mirai	elf mirai ua-wget
http://176.65.149.23/hiddenbin/boatnet.arc	48287062699959950e419d9d411c6b77676f590f1c1dc61b63196c900538c3b4	Mirai	elf mirai ua-wget
http://176.65.149.23/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://176.65.149.23/hiddenbin/boatnet.i686	n/a	n/a	elf ua-wget
http://176.65.149.23/hiddenbin/boatnet.x86_64	n/a	n/a	elf ua-wget
http://176.65.149.23/hiddenbin/boatnet.mpsl	49295efe77ab2354c10389128a0e642a9b1105b76e5959a3a978c4fcf5d46432	Mirai	32-bit elf mirai Mozi
http://176.65.149.23/hiddenbin/boatnet.arm	dc5277aba17d1ac2774b1e3e41cfc06610ae208518045f54c8cc552ac31b4227	Mirai	elf mirai ua-wget
http://176.65.149.23/hiddenbin/boatnet.arm5	395dc40310b3f119b6e9f58134295f3846a97cae22afbebe83dc84ad2e1878fb	Mirai	elf mirai ua-wget
http://176.65.149.23/hiddenbin/boatnet.arm6	248b51a4f77c442decae3c247009b9a31b7bc8af6a2203196e5f2d583dfceec2	Mirai	elf mirai ua-wget
http://176.65.149.23/hiddenbin/boatnet.arm7	dc42fcb7587dbfcf39bd7e6ea9c731d0351f7e02c8a3eaffd74cc26297cd7944	Mirai	elf mirai ua-wget
http://176.65.149.23/hiddenbin/boatnet.ppc	f3cb6f12228a5191515645660fc1dc6e00d87e2dfa97f54fa02f133e2a73f154	Mirai	elf mirai ua-wget
http://176.65.149.23/hiddenbin/boatnet.spc	n/a	n/a	elf ua-wget
http://176.65.149.23/hiddenbin/boatnet.m68k	5a350ad8524816744b8fd9bbc6e95157d7b347f91fc23afc9adb4876c20bd3e4	Mirai	elf mirai ua-wget
http://176.65.149.23/hiddenbin/boatnet.sh4	4f30c9c1e8679bfdf29ac44f315ee78543c56a82c69880d0af06cb44b648e698	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-07T15:21:00Z UTC

Last seen:

2025-09-07T15:21:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen

Link:

https://opentip.kaspersky.com/13a07121d74dafa9f2ba4bb2d64fe8a9be9dd1827b8eb4aaf154299958c62b2e/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/80c71f6f-05b0-4e2b-83e9-4301ecacdd98

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/13a07121d74dafa9f2ba4bb2d64fe8a9be9dd1827b8eb4aaf154299958c62b2e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/13a07121d74dafa9f2ba4bb2d64fe8a9be9dd1827b8eb4aaf154299958c62b2e/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/13a07121d74dafa9f2ba4bb2d64fe8a9be9dd1827b8eb4aaf154299958c62b2e

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-09-07 21:01:55 UTC

File Type:

Text (Shell)

AV detection:

24 of 37 (64.86%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=coqhcioxjwx2t4v2joznmt7ivg7j3umcpohljkxrkquzswggfmxa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250908-rqd2vadm8y/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/13a07121d74d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/13a07121d74dafa9f2ba4bb2d64fe8a9be9dd1827b8eb4aaf154299958c62b2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.