MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 779bd92f2bec1bed3a9f23ea36cf401a4914e890b58bbfc526b7d4365c82d291. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 779bd92f2bec1bed3a9f23ea36cf401a4914e890b58bbfc526b7d4365c82d291
SHA3-384 hash: fedccc36f8358169c74a0010376f4072d8e7f15d98c546949f618f5b926706561f665732ddaecf67fe7b725ac95c6cf3
SHA1 hash: 63fcaefa76b5e881cc7ebcd3c965b215db03e05a
MD5 hash: 5e8f6124a9a803857d94de335d4a97dd
humanhash: comet-south-idaho-video
File name:ohshit.sh
Download: download sample
Signature Mirai
Create hunting rule
File size:2'824 bytes
First seen:2026-04-17 23:47:17 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 48:ip7UpZApWkpuEpYIpagp8O0phAp+kpTspkMpGapqWpNopKd:iWoNJnxUgVCDvPs4
TLSH T1F5517E8933D54432EFB599B672B4D108B89050A77AC67E88DCFC38F8C48CE0A60C1B97
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags:mirai sh
URLMalware sample (SHA256 hash)SignatureTags
http://176.65.139.64/bins/sora.arcn/an/aelf opendir ua-wget
http://176.65.139.64/bins/sora.x86cc105f72dca0ce157c3f5cffeaf4b5cf981fccf71dee6c469127649768ffeca2 Mirai32-bit elf mirai x86-32
http://176.65.139.64/bins/sora.x86_649b83781344156ae1fd75a20de83f741bec1cf331581b61e9ebab50fd316dc765 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.i686n/an/aelf opendir ua-wget
http://176.65.139.64/bins/sora.mips87b4da6325c09742e72874166442dca4c4b4d84c7bde546259a2f7ebecb0b521 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.mips64n/an/aelf opendir ua-wget
http://176.65.139.64/bins/sora.mpsl90324772fa25816cc396637b1f7e185f8912a4b037cf4710c3fca46576a5fb1a Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.arm7c66410bef86d9f38cc0ab2607c84a12de0f5225d3fa6edecbea0c5c77bf6616 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.arm520dab8f45c894c09b7f9c8dc834e9db2138e77f46d7ff7acc0173be9b954d3b2 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.arm65d5077c72d638baa0a33a1cbb7fdb499d5c83e57483f9d8c880bdf17228643e7 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.arm797b7b4c456be48420e9bc9fc6c2d3d2ec86f4a73eae457a6ef11134ec446a42f Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.ppc794639f0f4b89e1bcd618ff1d62de51ac69a3229cbcc73f27d044978759734b8 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.sparcn/an/aelf opendir ua-wget
http://176.65.139.64/bins/sora.m68kd4caee185f73fb3fb15d7248db87db47998dbe6edcde4b6622b8cb1fabf30c98 Miraielf mirai opendir ua-wget
http://176.65.139.64/bins/sora.sh4eafe14e9fda6171db41d7b6e78d905b82117c2de8a5bfe8889560132bf8dc9be Miraielf mirai opendir ua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
46
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-04-17T20:54:00Z UTC
Last seen:
2026-04-17T21:36:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.c HEUR:Trojan-Downloader.Shell.Agent.a
Link:
https://opentip.kaspersky.com/779bd92f2bec1bed3a9f23ea36cf401a4914e890b58bbfc526b7d4365c82d291/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/779bd92f2bec1bed3a9f23ea36cf401a4914e890b58bbfc526b7d4365c82d291
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/779bd92f2bec1bed3a9f23ea36cf401a4914e890b58bbfc526b7d4365c82d291/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/779bd92f2bec1bed3a9f23ea36cf401a4914e890b58bbfc526b7d4365c82d291
Threat name:
Linux.Downloader.Medusa
Create hunting rule
Status:
Malicious
First seen:
2026-04-17 23:47:51 UTC
File Type:
Text (Shell)
AV detection:
23 of 38 (60.53%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o6n5slzl5qn62ou7epvdnt2adjerj2eqwwf37rjgw7kdmxec2kiq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:sora antivm botnet defense_evasion discovery linux upx
Link:
https://tria.ge/reports/260417-3s9gbadv7x/
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
UPX packed file
Enumerates active TCP sockets
Enumerates running processes
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (373449) amount of remote hosts
Creates a large amount of network flows
Family: Mirai
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/779bd92f2bec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Shellscript_Downloader
Create hunting rule
Author:albertzsigovits
Description:Generic Approach to Shellscript downloaders
Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 779bd92f2bec1bed3a9f23ea36cf401a4914e890b58bbfc526b7d4365c82d291

(this sample)

Mirai

elf cc105f72dca0ce157c3f5cffeaf4b5cf981fccf71dee6c469127649768ffeca2

  
URLhaus
https://urlhaus.abuse.ch/url/3808365/
  
Delivery method
Distributed via web download
  
Dropping
MD5 0ee5e61ee1bd87fbf45fbcfe9b5a04f6
  
Dropping
SHA256 cc105f72dca0ce157c3f5cffeaf4b5cf981fccf71dee6c469127649768ffeca2

Comments