MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e6fe6508b8f2704ff323b92bfac82acbddf4750f541953ee97b37be8f7d78e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e6fe6508b8f2704ff323b92bfac82acbddf4750f541953ee97b37be8f7d78e0
SHA3-384 hash: 1bcf2135c6f749f7ccc2587bc4f8282abfb140c518ec1ad395ff909f5754fb190ec10670653bb01534e991edb6cd09fd
SHA1 hash: d196dee2b5e69292bd0fee531b8b0137cd9522fa
MD5 hash: 24021915c772445da497ac6635313982
humanhash: nuts-happy-jig-kilo
File name:ohshit.sh
Download: download sample
Signature Mirai
Create hunting rule
File size:2'764 bytes
First seen:2026-04-24 23:46:56 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 48:ip7YpZ0pWopuIpYcpaUp8O4ph0p+opTwpkQpGWpqypN8pKZ:iy895vhYUFer3Xww
TLSH T181514185B3915472EFF69A7671B9D508748095A2AACA3F4DD8FC34A884CCF08A0D4F97
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags:mirai sh
URLMalware sample (SHA256 hash)SignatureTags
http://176.65.139.64/bins/sora.arcn/an/aelf opendir ua-wget
http://176.65.139.64/bins/sora.x86cc105f72dca0ce157c3f5cffeaf4b5cf981fccf71dee6c469127649768ffeca2 Mirai32-bit elf mirai x86-32
http://176.65.139.64/bins/sora.x86_649b83781344156ae1fd75a20de83f741bec1cf331581b61e9ebab50fd316dc765 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.i686n/an/aelf opendir ua-wget
http://176.65.139.64/bins/sora.mips87b4da6325c09742e72874166442dca4c4b4d84c7bde546259a2f7ebecb0b521 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.mips64n/an/aelf opendir ua-wget
http://176.65.139.64/bins/sora.mpsl90324772fa25816cc396637b1f7e185f8912a4b037cf4710c3fca46576a5fb1a Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.arm7c66410bef86d9f38cc0ab2607c84a12de0f5225d3fa6edecbea0c5c77bf6616 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.arm520dab8f45c894c09b7f9c8dc834e9db2138e77f46d7ff7acc0173be9b954d3b2 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.arm65d5077c72d638baa0a33a1cbb7fdb499d5c83e57483f9d8c880bdf17228643e7 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.arm797b7b4c456be48420e9bc9fc6c2d3d2ec86f4a73eae457a6ef11134ec446a42f Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.ppc794639f0f4b89e1bcd618ff1d62de51ac69a3229cbcc73f27d044978759734b8 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.sparcn/an/aelf opendir ua-wget
http://176.65.139.64/bins/sora.m68kd4caee185f73fb3fb15d7248db87db47998dbe6edcde4b6622b8cb1fabf30c98 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.sh4eafe14e9fda6171db41d7b6e78d905b82117c2de8a5bfe8889560132bf8dc9be Miraielf mirai opendir ua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
51
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-04-24T21:04:00Z UTC
Last seen:
2026-04-24T21:18:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Shell.Agent.c HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen
Link:
https://opentip.kaspersky.com/5e6fe6508b8f2704ff323b92bfac82acbddf4750f541953ee97b37be8f7d78e0/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/5e6fe6508b8f2704ff323b92bfac82acbddf4750f541953ee97b37be8f7d78e0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e6fe6508b8f2704ff323b92bfac82acbddf4750f541953ee97b37be8f7d78e0/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/5e6fe6508b8f2704ff323b92bfac82acbddf4750f541953ee97b37be8f7d78e0
Threat name:
Linux.Downloader.Medusa
Create hunting rule
Status:
Malicious
First seen:
2026-04-24 23:47:37 UTC
File Type:
Text (Shell)
AV detection:
17 of 24 (70.83%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lzx6muelr4tqj7zshojl7lecvs656r2q6vazkpxjpm335d35pdqa._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:sora antivm botnet defense_evasion discovery linux upx
Link:
https://tria.ge/reports/260424-3s15yagx7t/
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
UPX packed file
Enumerates active TCP sockets
Enumerates running processes
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (482996) amount of remote hosts
Creates a large amount of network flows
Family: Mirai
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5e6fe6508b8f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Shellscript_Downloader
Create hunting rule
Author:albertzsigovits
Description:Generic Approach to Shellscript downloaders
Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 5e6fe6508b8f2704ff323b92bfac82acbddf4750f541953ee97b37be8f7d78e0

(this sample)

Mirai

elf cc105f72dca0ce157c3f5cffeaf4b5cf981fccf71dee6c469127649768ffeca2

  
URLhaus
https://urlhaus.abuse.ch/url/3808365/
  
Delivery method
Distributed via web download
  
Dropping
MD5 0ee5e61ee1bd87fbf45fbcfe9b5a04f6
  
Dropping
SHA256 cc105f72dca0ce157c3f5cffeaf4b5cf981fccf71dee6c469127649768ffeca2

Comments