MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79dfad940aa718395f04c71d5eb99fe87f2072ca1ce4d534c0e1847631f1375e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	79dfad940aa718395f04c71d5eb99fe87f2072ca1ce4d534c0e1847631f1375e
SHA3-384 hash:	6df3c6f4c41924a0a38359cb30f95e7728b72ca366912dd616c122ff0b5c0705a4d0c39ca40c8b1d3e204c1f9301d98f
SHA1 hash:	50ce4f78161c4a670c0cbfbee6aa2c0b5c1bb5f8
MD5 hash:	db72f5e0d507c0abfcf9d6ff046cdd14
humanhash:	beer-bakerloo-zebra-lion
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'007 bytes
First seen:	2026-06-01 05:38:02 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:ipl70l7N7hplvl6GplgnlzPplflKWpl1loUpl71l7o7UplfOl3bplEl9RplhlcgN:iD7Y7N7hD96GDglzPDtKWDvoUD7v7o7U
TLSH	T10C51B4C542866C3968B7EA13F6B68138308191D318FE7F9ADED8BAF0868ED347140753
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	BlinkzSec
Tags:	mirai

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.139.116/hiddenbin/boatnet.x86	09015d7cc063b6d89e97e2eb864c934d7bd42cce1041ad67fa3c725074565bc6	Mirai	176-65-139-116 elf mirai ua-wget
http://176.65.139.116/hiddenbin/boatnet.mips	39256d0ebac42184c8c5c8d5bfc4999090e5a0f3bf8cbf3ed4c69465e34cc104	Mirai	176-65-139-116 elf mirai ua-wget
http://176.65.139.116/hiddenbin/boatnet.arc	cab04ea015a6260a1dede7f2df4162e43743890e45974bc38b79a3e3e0534037	Mirai	176-65-139-116 elf mirai ua-wget
http://176.65.139.116/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://176.65.139.116/hiddenbin/boatnet.i686	n/a	n/a	elf ua-wget
http://176.65.139.116/hiddenbin/boatnet.x86_64	n/a	n/a	elf ua-wget
http://176.65.139.116/hiddenbin/boatnet.mpsl	dd4199c2b8d94da33925badf03a25a5a896c71167a1afa6b8fe6119a4d28f213	Mirai	176-65-139-116 elf mirai ua-wget
http://176.65.139.116/hiddenbin/boatnet.arm	35490e92117a13045b528fe05c3aa20c784657d1a674f3730ab23aae045516f7	Mirai	176-65-139-116 elf mirai ua-wget
http://176.65.139.116/hiddenbin/boatnet.arm5	68f13ab488e209bae93f7c03b8c14a2f51fdc1930a8412dc806c07a58beeae73	Mirai	176-65-139-116 elf mirai ua-wget
http://176.65.139.116/hiddenbin/boatnet.arm6	23ab870dbce151ea72e0966114dacd7d0b3e436314c73943bc8d2ddf679625d9	Mirai	176-65-139-116 elf mirai ua-wget
http://176.65.139.116/hiddenbin/boatnet.arm7	d5f651b772c567a2997eebad10b8b062191270dba3d17c99f161686bf8b98adf	Mirai	176-65-139-116 elf mirai ua-wget
http://176.65.139.116/hiddenbin/boatnet.ppc	2cc14c04ab566cb0d3a3778d76cc263e0b75c504f03af3b6b464a1366dbd5044	Mirai	176-65-139-116 elf mirai ua-wget
http://176.65.139.116/hiddenbin/boatnet.spc	d05519da897fa942cd63f3b05257dc850deee869a188b2faf25c5f54d9a4effa	Mirai	176-65-139-116 elf mirai ua-wget
http://176.65.139.116/hiddenbin/boatnet.m68k	c7395e64995437727f25a648fb0b8dc7dbca02cfc9a3bba463f8eb7f1f0068f8	Mirai	176-65-139-116 elf mirai ua-wget
http://176.65.139.116/hiddenbin/boatnet.sh4	c8010894730cbf62d420591cae5d92cf2bc91d36241826a86ba90c6a8ad58082	Mirai	176-65-139-116 elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

busybox

Link:

https://www.filescan.io/uploads/6a1d1c2d099ef368af122539/reports/1804ce80-2e9e-45aa-8644-aa71418035d8/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-06-01T04:05:00Z UTC

Last seen:

2026-06-01T13:36:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/79dfad940aa718395f04c71d5eb99fe87f2072ca1ce4d534c0e1847631f1375e/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/82f22c27-2bfa-4f18-a350-dbd42c5712c0

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/79dfad940aa718395f04c71d5eb99fe87f2072ca1ce4d534c0e1847631f1375e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/79dfad940aa718395f04c71d5eb99fe87f2072ca1ce4d534c0e1847631f1375e/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-06-01 05:37:49 UTC

File Type:

Text (Shell)

AV detection:

17 of 24 (70.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=php23faku4mdsxyey4ov5om75b7sa4wkdtsnknga4gchmmprg5pa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260601-gbve6se16j/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Family: Mirai

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/79dfad940aa7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh