MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bec14536fc435a53720be6dc8d5a75b39608b8a5876f772e83cf539bb5676f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	1bec14536fc435a53720be6dc8d5a75b39608b8a5876f772e83cf539bb5676f3
SHA3-384 hash:	10a5b8f5837f66e2a3802721ed96be3ce475c319001567316b65e27be4127056097c8fbbb1148f117f02865a93189674
SHA1 hash:	09fd8151642c280604ed442934f37a11b4956362
MD5 hash:	d79768b83e2083d0803f5888a08af332
humanhash:	minnesota-charlie-whiskey-kentucky
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'970 bytes
First seen:	2025-08-11 23:58:50 UTC
Last seen:	2025-08-12 00:04:07 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:v/7s7N7h/F6G/gNzP/1KW/zoU/7z7o7U/fu3b/89R/Hcg/YpV/NSO/Z+C/+fT/GW:v/7s7N7h/F6G/gNzP/1KW/zoU/7z7o7k
TLSH	T1E551678581044D702CA36A57E6B76168729E9467E8F9EF8AD9E4BFE8034FF307540723
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.213.240.31/hiddenbin/boatnet.x86	1be29695bd3bbeebc245067dcfc8adaf5ce6adc117be15573184ff4439383f1c	Mirai	elf mirai ua-wget
http://185.213.240.31/hiddenbin/boatnet.mips	faabb1bc1a5cbfec613667b378649a01e439bcf319a4ddea8be71d653ed25224	Mirai	elf mirai ua-wget
http://185.213.240.31/hiddenbin/boatnet.arc	9883f22757e4145e218c7daca70086001bc35824f84677e4b2cd6f2fb67223f0	Mirai	elf mirai ua-wget
http://185.213.240.31/hiddenbin/boatnet.i468	n/a	n/a	n/a
http://185.213.240.31/hiddenbin/boatnet.i686	n/a	n/a	n/a
http://185.213.240.31/hiddenbin/boatnet.x86_64	n/a	n/a	n/a
http://185.213.240.31/hiddenbin/boatnet.mpsl	e1ca558673c529e8663bd7c25c7c08091bd95e84f241608aff6dec09af817b96	Mirai	elf mirai ua-wget
http://185.213.240.31/hiddenbin/boatnet.arm	bda14fe3c813b2974961bd8cfb81e4b60fdfe1e85f9efb563f929ae04fe7b59b	Mirai	elf mirai ua-wget
http://185.213.240.31/hiddenbin/boatnet.arm5	0af847c9e7745774946782b54488597eaa729a6115ba68cddc11e1cde7a26cd6	Mirai	elf mirai ua-wget
http://185.213.240.31/hiddenbin/boatnet.arm6	1e040e437db14c5f372f39f99dade184d42ac06f67767f13be8745f8679ddffd	Mirai	elf mirai ua-wget
http://185.213.240.31/hiddenbin/boatnet.arm7	b9fda4c11126f5bec2b8453fd2ddcb01bcef6f6fd70cc75bee6b392759851351	Mirai	elf mirai ua-wget
http://185.213.240.31/hiddenbin/boatnet.ppc	643629378be2250e8036b86592d6651233579a3e852f228c57e1c8c7f878890f	Mirai	elf mirai ua-wget
http://185.213.240.31/hiddenbin/boatnet.spc	56ea1a0727f9f1a90407d7170c4e27d5a529d97d3b3117b6b34dc81773f764d5	Mirai	elf mirai ua-wget
http://185.213.240.31/hiddenbin/boatnet.m68k	4a73874fe4c0ef28b52029721c2996d0c99941cc82445cb96dd263f801a676ad	Mirai	elf mirai ua-wget
http://185.213.240.31/hiddenbin/boatnet.sh4	feac50be0d4473b8ad486ae19f4eb64c11f00de45eb620e269a2d3a776766c75	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/b2d51f5c-eb29-4153-bb33-e6f19b108849

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/1bec14536fc435a53720be6dc8d5a75b39608b8a5876f772e83cf539bb5676f3

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1bec14536fc435a53720be6dc8d5a75b39608b8a5876f772e83cf539bb5676f3/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/1bec14536fc435a53720be6dc8d5a75b39608b8a5876f772e83cf539bb5676f3

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-08-11 13:47:58 UTC

File Type:

Text (Shell)

AV detection:

23 of 36 (63.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dpwbiu3pyq22knzaxzw4rvnhlm4wbc4klb3po4xiht2tto2wo3zq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250811-31y1jstpx3/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1bec14536fc4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/1bec14536fc435a53720be6dc8d5a75b39608b8a5876f772e83cf539bb5676f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.