MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75c235cb6d97f739c174240bd4030a98e1eef69ca60333608c88ede89b258eaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	75c235cb6d97f739c174240bd4030a98e1eef69ca60333608c88ede89b258eaf
SHA3-384 hash:	f1042e9d9f9df9494cb00e202bdd8a9760e55edde1b9af8671663214ed7d0c08206e7593576111abc23cdd449fc3deec
SHA1 hash:	d0ab409d1b070df7273ee599389195397fd5ca5c
MD5 hash:	1ae676ef35dec3d1cdbb719021bb22f5
humanhash:	louisiana-three-moon-north
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'910 bytes
First seen:	2026-01-22 09:17:21 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vI7L7N7hIS6GIg6zPICKWIEoUI7E7o7UIf53bIb9RIwcgIfpVI6SOI++CIJfTIRE:vI7L7N7hIS6GIg6zPICKWIEoUI7E7o7A
TLSH	T11151B68A47462E7038A36E53FAB771383081D45298E1AB95EDE4BEF0336EF143184793
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://45.144.54.79/hiddenbin/boatnet.x86	8018baeb68c36b223cb6d9df66d158c50fe11a215aed02825177474c93b86939	Mirai	elf mirai ua-wget
http://45.144.54.79/hiddenbin/boatnet.mips	0e5726a596c6d83994a14dd7d95a339f2d058e6cc6eecd127ac8e891ced08584	Mirai	elf mirai ua-wget
http://45.144.54.79/hiddenbin/boatnet.arc	ddc80619659aaceed7c9b01accef32dcf5fd2db3b5fff47f574cb1a9fc4f9858	Mirai	elf mirai ua-wget
http://45.144.54.79/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://45.144.54.79/hiddenbin/boatnet.i686	n/a	n/a	elf ua-wget
http://45.144.54.79/hiddenbin/boatnet.x86_64	n/a	n/a	elf ua-wget
http://45.144.54.79/hiddenbin/boatnet.mpsl	0a9fb6f2877778839a6b8a36ce4e7b7973cf853ebfacbd4e35b1000bbf1867fd	Mirai	elf mirai ua-wget
http://45.144.54.79/hiddenbin/boatnet.arm	c16a6c5af10f561b281764aae289cf9e60a86aabf6c8b02b577b041be09f9f01	Mirai	elf mirai ua-wget
http://45.144.54.79/hiddenbin/boatnet.arm5	1c5c43711d001c4ee3af49cf4bdeafd97fccb6228e653a943008800910b86005	Mirai	elf mirai ua-wget
http://45.144.54.79/hiddenbin/boatnet.arm6	0f2c8ca60db776610b09f62221dc4f2dfbca6dee0c5fe19318e4b8759ee5a706	Mirai	elf mirai ua-wget
http://45.144.54.79/hiddenbin/boatnet.arm7	5e001b88f4d0c1a80c9feb1ec7a673d96202821f5e6f7c35a7c12d01909c9a63	Mirai	elf mirai ua-wget
http://45.144.54.79/hiddenbin/boatnet.ppc	b9c637bfa42aebb25fe433cdd8b4867d21f63f71eb93e87d7a638a3e79f6d904	Mirai	elf mirai ua-wget
http://45.144.54.79/hiddenbin/boatnet.spc	fd6035d46484c22f614268ccca884d9e02ae7ed9f7d05e87e1c07bf404d8c395	Mirai	elf mirai ua-wget
http://45.144.54.79/hiddenbin/boatnet.m68k	362512cef9d62ebdc4a8fd1a29b4065b6270341058c6a3e714b1b14348eb25b8	Mirai	elf mirai ua-wget
http://45.144.54.79/hiddenbin/boatnet.sh4	3f113f972822757c5a113be92f886192d85408cbcb995632f2dc8f70cf99d5fb	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6971eb395db9ae47708d5e17/reports/945280fc-e51a-4327-b155-305d04840f61/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-22T06:21:00Z UTC

Last seen:

2026-01-22T12:54:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p

Link:

https://opentip.kaspersky.com/75c235cb6d97f739c174240bd4030a98e1eef69ca60333608c88ede89b258eaf/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/0dfd6327-45d3-4155-8f40-190d097029dc

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/75c235cb6d97f739c174240bd4030a98e1eef69ca60333608c88ede89b258eaf

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/75c235cb6d97f739c174240bd4030a98e1eef69ca60333608c88ede89b258eaf/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/75c235cb6d97f739c174240bd4030a98e1eef69ca60333608c88ede89b258eaf

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-01-22 09:00:55 UTC

File Type:

Text (Shell)

AV detection:

23 of 36 (63.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oxbdls3ns73ttqlueqf5iayktdq655u4uybtgyemrdw6rgzfr2xq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260122-k932rabz7a/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/75c235cb6d97/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.37

Link:

https://yomi.yoroi.company/submissions/75c235cb6d97f739c174240bd4030a98e1eef69ca60333608c88ede89b258eaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh