MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33f83dc5555afc3222686934a3d4fe0c227e592fb7a40c2b2155540dd2630746. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	33f83dc5555afc3222686934a3d4fe0c227e592fb7a40c2b2155540dd2630746
SHA3-384 hash:	dd7eb964f814488aad9a7b8b5f83a7b811952093759aa1a3e1ca153e2046d28fe830af10ed25117cc84942433da1cee4
SHA1 hash:	cf8cd22ccad5bad50a4d827b403e07349b190ff9
MD5 hash:	4f464a9b411790d7635520127d159d08
humanhash:	west-montana-california-texas
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'064 bytes
First seen:	2026-02-15 22:16:26 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:ipMvMQzLpMVM0zLpMSMwzLpMaMwzLpMMMszLpMuMEzLpMoOMzEzLpM9MEzLpM6MX:iO3g3d3N3b3R3VE3k3t3M3j3N3x3C3Iz
TLSH	T11651B1A5E2814232AFB9A59379B681447182DAE25CC97D13F2FCBCB885CDE0475817C3
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.148.189/HideChaotic/sora.arc	ea22176d9a339d8f053e388c62801457369e3042608f1cd78184cf56abc045d5	Mirai	mirai opendir
http://176.65.148.189/HideChaotic/sora.x86	58ef677ddfe8c476f236176231880ec76c00f019a5bf3c85e4c7a60eb457cadb	Mirai	mirai opendir
http://176.65.148.189/HideChaotic/sora.x86_64	f71b9ccce705ae0f84546f6e8d9b66a5e98f96d4996f2c176fcea3773d256a7a	Mirai	mirai opendir
http://176.65.148.189/HideChaotic/sora.i686	4a4793f97f1b492d648733fbab1e560b0cd4d4e664701733a7e97d0b6042556d	Mirai	mirai opendir
http://176.65.148.189/HideChaotic/sora.mips	dea7b3f9c4e806083414bb90b3d6a326ef46313b821963ac633479b784560e09	Mirai	mirai opendir
http://176.65.148.189/HideChaotic/sora.mips64	n/a	n/a	elf ua-wget
http://176.65.148.189/HideChaotic/sora.mpsl	e74b52e34a8fff53883595b683a42b880e1cc425e6a6d259c0137cfb0bd472e7	Mirai	mirai opendir
http://176.65.148.189/HideChaotic/sora.arm	c78f27b4208ad3049c1d0ecb502b3ea3ea6e215cafff856abc2214c3e867a4cd	Mirai	mirai opendir
http://176.65.148.189/HideChaotic/sora.arm5	n/a	n/a	elf ua-wget
http://176.65.148.189/HideChaotic/sora.arm6	n/a	n/a	elf ua-wget
http://176.65.148.189/HideChaotic/sora.arm7	n/a	n/a	elf ua-wget
http://176.65.148.189/HideChaotic/sora.ppc	520e1e931a87fa4df3a7fa7698ac8d98725ccf17c9cc33fe1e1cfc3702faa39e	Mirai	mirai opendir
http://176.65.148.189/HideChaotic/sora.sparc	n/a	n/a	elf ua-wget
http://176.65.148.189/HideChaotic/sora.m68k	9eb2ed94c54993784b23b9f654ecde936b7d5a844703e6361507fa4468f2cd2c	Mirai	mirai opendir
http://176.65.148.189/HideChaotic/sora.sh4	eee7c1c7bcc00f8ffbbc25eccebaaa6bf18de6afb30265327f9ce1d18e717e25	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

Link:

https://opentip.kaspersky.com/33f83dc5555afc3222686934a3d4fe0c227e592fb7a40c2b2155540dd2630746/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/d22e896d-5183-40a5-9b87-51a30c7fac84

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/33f83dc5555afc3222686934a3d4fe0c227e592fb7a40c2b2155540dd2630746

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/33f83dc5555afc3222686934a3d4fe0c227e592fb7a40c2b2155540dd2630746/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-02-15 23:21:06 UTC

AV detection:

23 of 38 (60.53%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gp4d3rkvll6deitine2khvh6bqrh4wjpw6saykzbkvka3utda5da._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260215-17lyfsdz2a/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

UPX packed file

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/33f83dc5555a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/33f83dc5555afc3222686934a3d4fe0c227e592fb7a40c2b2155540dd2630746

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh