MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 489ee0930ca21690c07c770b01b60d35b9eaa46f4e20da92b7f8b5d533b49867. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	489ee0930ca21690c07c770b01b60d35b9eaa46f4e20da92b7f8b5d533b49867
SHA3-384 hash:	d6fc126d84b456d4b2f9d2f3e7bab86bd612c009c478160fadd2b06f248c87b971cecdb6f38c4c354fcb51b0916682e8
SHA1 hash:	b849aedafcd530e8d80022fbea187e810e3708e2
MD5 hash:	b59e0fd4e9db5c33e213fb98bb5e81a3
humanhash:	mississippi-freddie-sad-grey
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'970 bytes
First seen:	2025-10-03 05:35:25 UTC
Last seen:	2025-10-03 11:40:10 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vc7f7N7hc66GcgSzPcqKWcooUc7o7o7UcfZ3bcv9RcUcgcjpVcSSOcG+CcpfTcB0:vc7f7N7hc66GcgSzPcqKWcooUc7o7o7Q
TLSH	T1CD51C1894106CD382D67AF13E6B6C2287086A452ECE1BFD599E7BBF0074EC147650FA3
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.80.225/hiddenbin/boatnet.x86	804d3d54d13108819443e419c3d4cc652a2b1f4b5888c4dde5f268ef64de954f	Mirai	elf mirai ua-wget
http://196.251.80.225/hiddenbin/boatnet.mips	6d2a1b330ef54ed53061e877759eadf1da2a61b756b9b7ac885e8e12ccb0e540	Mirai	elf mirai ua-wget
http://196.251.80.225/hiddenbin/boatnet.arc	9fd8101e6ffd964f4fbfc443f50ca5415c5fe2b12a33c440214261c282a75478	Mirai	elf mirai ua-wget
http://196.251.80.225/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://196.251.80.225/hiddenbin/boatnet.i686	n/a	n/a	elf ua-wget
http://196.251.80.225/hiddenbin/boatnet.x86_64	n/a	n/a	elf ua-wget
http://196.251.80.225/hiddenbin/boatnet.mpsl	89099c1e998108e7e02fec68014145098aeb3ebc59382e85d9bcad21f3590169	Mirai	elf mirai ua-wget
http://196.251.80.225/hiddenbin/boatnet.arm	ce37b068e07472c43fa7fbb1d19fc4afcaa5f198f5f42634bc20686d82387d46	Mirai	elf mirai ua-wget
http://196.251.80.225/hiddenbin/boatnet.arm5	b23c50d2b16ebfda7f97af2e735e00b4bf55791faa93d3d59745ad0f0c422a8d	Mirai	elf mirai ua-wget
http://196.251.80.225/hiddenbin/boatnet.arm6	941e01321b9fbed42248436fbefa0509173b18bc00977b671de61ad06cafe1a0	Mirai	elf mirai ua-wget
http://196.251.80.225/hiddenbin/boatnet.arm7	9c73051dca715b07d730e72d2a7c9cf38d19f8b9facf159beea2d1d1acd1d2a9	Mirai	elf mirai ua-wget
http://196.251.80.225/hiddenbin/boatnet.ppc	2687623f1b70a39cde38049d5703b404e4dc6748bb96644045181a2088a108d0	Mirai	elf mirai ua-wget
http://196.251.80.225/hiddenbin/boatnet.spc	n/a	n/a	elf ua-wget
http://196.251.80.225/hiddenbin/boatnet.m68k	a38627df22e61daeb371a761cd84ddf7f9574844934d3d8af658595daf1e6ef1	Mirai	elf mirai ua-wget
http://196.251.80.225/hiddenbin/boatnet.sh4	28d29bb92b443aee20f42edb6923d9e7f7d34f8af9d6099c5d50402b33b780c8	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

no reply from clamd

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-03T02:41:00Z UTC

Last seen:

2025-10-04T13:03:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/489ee0930ca21690c07c770b01b60d35b9eaa46f4e20da92b7f8b5d533b49867/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/32b9186e-4dd6-4092-a046-ca29c8ceab88

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/489ee0930ca21690c07c770b01b60d35b9eaa46f4e20da92b7f8b5d533b49867

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/489ee0930ca21690c07c770b01b60d35b9eaa46f4e20da92b7f8b5d533b49867/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/489ee0930ca21690c07c770b01b60d35b9eaa46f4e20da92b7f8b5d533b49867

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-02 12:10:56 UTC

File Type:

Text (Shell)

AV detection:

23 of 36 (63.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jcpobeymuiljbqd4o4fqdnqngw46vjdpjyqnvevx7c25km5utbtq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251003-gank8sxxax/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/489ee0930ca2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/489ee0930ca21690c07c770b01b60d35b9eaa46f4e20da92b7f8b5d533b49867

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.