MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5153a76178d0bf875035eeb84c2963f9a5e981ec993cb6a0ce4f4ad45ec5b728. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	5153a76178d0bf875035eeb84c2963f9a5e981ec993cb6a0ce4f4ad45ec5b728
SHA3-384 hash:	df944b86e75522f98a87bb2a2e2163db2a1bf63bf984eb1f4f51b08244de3dc4d140fcd2f56e53b5e59d35588bdf2a82
SHA1 hash:	2681625c79ecbb85415691549687fe30814726e0
MD5 hash:	e8b209355b8265c35e342c8ef79b9a43
humanhash:	glucose-social-montana-bulldog
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'798 bytes
First seen:	2025-11-23 19:23:50 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:ItlaAsaQansafkhanejej4a2TJkaOaraQa0qaiaSaqaPaCRE:ig+1ZMk56/G1UHXPih
TLSH	T16C5121CA336794B0EF629556B7F60808B1E052F3E9C69A87D9FC74B8418CE1C74B8653
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://91.235.116.149/bins/sora.arc	n/a	n/a	elf ua-wget
http://91.235.116.149/bins/sora.x86	8fc530b8fd8b035ec3579f471828dc56f3f6f58c0715dd41e62265149051507a	Mirai	elf mirai ua-wget
http://91.235.116.149/bins/sora.x86_64	n/a	n/a	elf ua-wget
http://91.235.116.149/bins/sora.i686	n/a	n/a	elf ua-wget
http://91.235.116.149/bins/sora.mips	432ed970f8c58ce8dea9b372fd2249be0cf2bd949b129616a7eada92ef434cab	Mirai	elf mirai ua-wget
http://91.235.116.149/bins/sora.mips64	n/a	n/a	elf ua-wget
http://91.235.116.149/bins/sora.mpsl	929d6ed170d41e287be0a750ae5eaf2450e327f0fb80fbb3ca5763fdf09a6a84	Mirai	elf mirai ua-wget
http://91.235.116.149/bins/sora.arm	97f63ef7cefef12fb266f5c3f59a138034d66727be82cca655e5409f88adb491	Mirai	elf mirai ua-wget
http://91.235.116.149/bins/sora.arm5	8df7b7a1247bb4136998232ab60cb5f1bb255ddd10d56b6e51023d48dacaceea	Mirai	elf mirai ua-wget
http://91.235.116.149/bins/sora.arm6	111602576d721e999af7de832dbf5ffb6348f2fe62690c27cc520a75d9e257fe	Mirai	elf mirai ua-wget
http://91.235.116.149/bins/sora.arm7	b8feee78d70e3c61149e08d8a88c114a3be4d816d72f447b1e25dbf12c9e81f0	Mirai	elf mirai ua-wget
http://91.235.116.149/bins/sora.ppc	706807f3b47c5acf17c86e06ef272c7af6a1696950f143edff41a8f0c6d3802e	Mirai	elf mirai ua-wget
http://91.235.116.149/bins/sora.sparc	n/a	n/a	elf ua-wget
http://91.235.116.149/bins/sora.m68k	6f8177c4ddb241f7d0f66a67df6424a6c31ab5ff0a0a19e173b7aac6395f4a56	Mirai	elf mirai ua-wget
http://91.235.116.149/bins/sora.sh4	c5aa4be0eeb98aad6ee83c6e98608ccfe966903037e5ffdb45e649396593b97c	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox medusa mirai

Link:

https://www.filescan.io/uploads/69235f655d3feebe12d8454c/reports/acab8a9b-a9b1-45b9-a8d1-67fd5e0722ab/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-11-23T17:31:00Z UTC

Last seen:

2025-11-23T18:46:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/5153a76178d0bf875035eeb84c2963f9a5e981ec993cb6a0ce4f4ad45ec5b728/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/4ca3b479-6460-44a9-a14a-d5e9b8b832cf

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/5153a76178d0bf875035eeb84c2963f9a5e981ec993cb6a0ce4f4ad45ec5b728

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5153a76178d0bf875035eeb84c2963f9a5e981ec993cb6a0ce4f4ad45ec5b728/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-11-23 19:24:25 UTC

File Type:

Text (Shell)

AV detection:

17 of 24 (70.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kfj2oyly2c7youbv524eykld7gs6tapmte6lnigoj5fnixwfw4ua._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:sora antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251123-x4h6ls1jay/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Reads system network configuration

UPX packed file

Enumerates active TCP sockets

Enumerates running processes

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Contacts a large (403375) amount of remote hosts

Creates a large amount of network flows

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5153a76178d0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.