MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f2a0609f064f1145d36edde0df4b1f58eb7dfb67e6f19941961e1d4cc6ec134. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8



SHA256 hash: 3f2a0609f064f1145d36edde0df4b1f58eb7dfb67e6f19941961e1d4cc6ec134
SHA3-384 hash: f3ff50eaf9e8361bcae5b56f752627f27baa2f38cb62c58518fab8ada47704f18dbcf6aeb6bbb5db9875d37388edc9a6
SHA1 hash: 330233917e1dae5eef2f6a3b6979d74e212c00cb
MD5 hash: ca7deb1da470c09df5c889c21bd94f33
humanhash: johnny-uncle-social-bravo
File name: ohshit.sh
Signature: Mirai
File size: 3'814 bytes
First seen: 2025-05-26 03:06:10 UTC
Last seen: 2025-05-26 18:30:30 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 96:iR3f34x3y3M3MB3CE333S313M3w3Y3f3swz:uPIxC8cBznCl8AIP8W
TLSH: T159715DD5C81222B81C999762E9BB12AAF081B3D235E77E4BB7C828F471CCF41B485DD1
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 2
# of downloads: 99
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: downloader ransomware agent
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-05-26 03:06:21 UTC
File Type: Text (Shell)
AV detection: 16 of 24 (66.67%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx
Behaviour:
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

Comments