MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c2b8665753ea3f52ac1039dc1858cf37e14adbf6fa3de28366afcf3a02fac06. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	2c2b8665753ea3f52ac1039dc1858cf37e14adbf6fa3de28366afcf3a02fac06
SHA3-384 hash:	1a090003a66bece778255d4a276bbf29eda20a338cd9fcd77cfe3d6af3c5ebaafa62033b8891976611fed8e5fdbaae44
SHA1 hash:	86fd0601c31eb419a20d0c5dfbdbd6969a5bf86f
MD5 hash:	5696b658faa38c4223b2c7ee710bd069
humanhash:	wolfram-foxtrot-fanta-lamp
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'970 bytes
First seen:	2025-08-14 18:18:59 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:v3707N7h3p6G3ghzP3ZKW3LoU37L7o7U3fi3b3E9R3Pcg3QpV3hSO3t+C3yfT3qq:v3707N7h3p6G3ghzP3ZKW3LoU37L7o78
TLSH	T14E512BC5A10ACC709CBB6A33EBF6512C708594D318E9EFA5DDF4BAE00A4EE547184763
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://160.250.136.71/hiddenbin/boatnet.x86	f9a60840834fdd426a9e46af2fb1616e83eb911f73daf9b26fa03d1a30410075	Mirai	elf geofenced mirai opendir ua-wget USA
http://160.250.136.71/hiddenbin/boatnet.mips	6709e3fb2962202b2344880ededa05ed6b0fde077e4ab14241516bdd42b55e30	Mirai	elf geofenced mirai opendir ua-wget USA
http://160.250.136.71/hiddenbin/boatnet.arc	f0c3f05738c9f6007be6038137f97c3a31c7e5a8cb6d3d83f0e00b72c910a4df	Mirai	elf geofenced mirai opendir ua-wget USA
http://160.250.136.71/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://160.250.136.71/hiddenbin/boatnet.i686	n/a	n/a	elf ua-wget
http://160.250.136.71/hiddenbin/boatnet.x86_64	n/a	n/a	elf ua-wget
http://160.250.136.71/hiddenbin/boatnet.mpsl	943965a752da989e45cc2a12d2e4f489e916514b37cb0c038c1d53eed4bcbf7b	Mirai	elf geofenced mirai opendir ua-wget USA
http://160.250.136.71/hiddenbin/boatnet.arm	43544b5f571d5e03dfecd1699b13c7d40f32c0eb44bb6f19aaf6c4f6c249ea1e	Mirai	32-bit elf mirai Mozi
http://160.250.136.71/hiddenbin/boatnet.arm5	faec8e4725d69572a7e8e1edda1ac0845c45c94a2779c89d61bf05d8110f0184	Mirai	elf geofenced mirai opendir ua-wget USA
http://160.250.136.71/hiddenbin/boatnet.arm6	8f2b677353fcdb5779480a9c55e2f8e1e733e5d1ce05bf928ad71d2befb1a744	Mirai	elf geofenced mirai opendir ua-wget USA
http://160.250.136.71/hiddenbin/boatnet.arm7	591efb50a59c1d5fc51ac381146dd165a035d51afba5156e6ce40f065efaf9fd	Mirai	32-bit elf mirai Mozi
http://160.250.136.71/hiddenbin/boatnet.ppc	0ab46374a0a63bc1f10f9a71e665dc4b3aac3a9d89322f67235cdeef21c8dd26	Mirai	elf geofenced mirai opendir ua-wget USA
http://160.250.136.71/hiddenbin/boatnet.spc	n/a	n/a	elf ua-wget
http://160.250.136.71/hiddenbin/boatnet.m68k	94db04573d85514589132a61506ff05265d27c0113bcd40ca1f0d9bfbfa479fc	Mirai	elf geofenced mirai opendir ua-wget USA
http://160.250.136.71/hiddenbin/boatnet.sh4	f27c7521168d0d85dfeb0660f42cf590e854dd589dff45b3bd89b0159e44926c	Mirai	elf geofenced mirai opendir ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/2c2b8665753ea3f52ac1039dc1858cf37e14adbf6fa3de28366afcf3a02fac06

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2c2b8665753ea3f52ac1039dc1858cf37e14adbf6fa3de28366afcf3a02fac06/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/2c2b8665753ea3f52ac1039dc1858cf37e14adbf6fa3de28366afcf3a02fac06

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-08-14 17:47:04 UTC

File Type:

Text (Shell)

AV detection:

18 of 24 (75.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fqvymzlvh2r7kkwbaoo4dbmm6n7bjln7n6r54kbwnl6phibpvqda._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250814-wyncpsyzh1/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2c2b8665753e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/2c2b8665753ea3f52ac1039dc1858cf37e14adbf6fa3de28366afcf3a02fac06

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.