MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84169b3c5a219018f397eceb2023846b9f47f0931c447422fc09396a79f40535. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	84169b3c5a219018f397eceb2023846b9f47f0931c447422fc09396a79f40535
SHA3-384 hash:	660e77c64a7058907866ea753ff1878457194ee718e0889211cb6a84d42c6cd6b2c4b71f66c982878df9a71f306609a9
SHA1 hash:	ad7e3cdf5913a6397e51fc0570e99e3f2b5cd2c6
MD5 hash:	32774e26d02b3c1b8e5c9bf8b5992be0
humanhash:	single-mobile-quebec-bulldog
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'970 bytes
First seen:	2025-02-18 04:07:03 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vJ+7g+7N7hJ+7+6GJ+gz+zPJ+L+KWJ+l+oUJ+7l+7o7UJ+fO+3bJ+Q+9RJ+h+cgH:vJ+7g+7N7hJ+7+6GJ+gz+zPJ+L+KWJ+E
TLSH	T1C351868962464D305C67BF13F676C1383086A091A8E1BFD5D9E9BFF4458ED247940FA3
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.87.222/hiddenbin/boatnet.x86	984e3565cdf897a62523a6776c16835634be7312a415d8c36c56ce14545539d7	Mirai	32-bit elf mirai
http://196.251.87.222/hiddenbin/boatnet.mips	0445d12106a314074d4b96870742787452528196da68b67def54cc1d97a228cb	Mirai	elf mirai opendir
http://196.251.87.222/hiddenbin/boatnet.arc	35e1279abdbf2bee230f3aeb00f8412136da9638cda2c2908e056a6072c3e69c	Mirai	elf mirai opendir
http://196.251.87.222/hiddenbin/boatnet.i468	n/a	n/a	n/a
http://196.251.87.222/hiddenbin/boatnet.i686	n/a	n/a	n/a
http://196.251.87.222/hiddenbin/boatnet.x86_64	n/a	n/a	n/a
http://196.251.87.222/hiddenbin/boatnet.mpsl	085b783a70418a1df98062e2200120874b879db790192bf6c5b60c6cc6d9319f	Mirai	32-bit elf mirai
http://196.251.87.222/hiddenbin/boatnet.arm	9371164fd8d063691c0ed690e7f191d40bb571ce4b9b90600f6eef1b6955e696	Mirai	elf mirai opendir
http://196.251.87.222/hiddenbin/boatnet.arm5	457ce0ce0d34c2acb90f9e267dd2cb353cfb023dc23d935e235a6c32fb61838a	Mirai	32-bit elf mirai
http://196.251.87.222/hiddenbin/boatnet.arm6	7d6b66492089ec32009fb66d8cafe08e8261801ee8f7d3e69ca0acdfcf96527c	Mirai	elf mirai opendir
http://196.251.87.222/hiddenbin/boatnet.arm7	bc815e3b91633b2d342f75776e6343db9ee0748e8e8a74b11df3c7b6c6b4547e	Mirai	elf mirai opendir
http://196.251.87.222/hiddenbin/boatnet.ppc	8e22d1223680ae8b0de54121512f11a2023b85336894624380a9282b766a49b6	Mirai	32-bit elf mirai
http://196.251.87.222/hiddenbin/boatnet.spc	ab171bad27f378ff78584b5de53999ff749b033f8a639aded9fc6fc4aff8d2cc	Mirai	elf mirai opendir
http://196.251.87.222/hiddenbin/boatnet.m68k	4eac6db5805c3a09a864cee5e50c59fe95c09b75577728a4cc4f8ffb9d4d2223	Mirai	32-bit elf mirai
http://196.251.87.222/hiddenbin/boatnet.sh4	88fc7562728336daf83dce97600380d4b0905d9c17a9d8fa4a48f36a8afbdb4f	Mirai	32-bit elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67b408a028ab76d43a5b92a7linux22vpnfull_triage

Tags:

gafgyt mirai ddos

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/67b4076c991985e0a95ad977/reports/048099ec-f4dd-43d6-b53b-b77838eafc71/overview

Result

Verdict:

MALICIOUS

Score:

96%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/84169b3c5a219018f397eceb2023846b9f47f0931c447422fc09396a79f40535

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/84169b3c5a219018f397eceb2023846b9f47f0931c447422fc09396a79f40535/

Threat name:

Win32.Trojan.Mirai

Status:

Malicious

First seen:

2025-02-18 04:08:10 UTC

File Type:

Text (Shell)

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qqljwpc2egibr44x5tvsai4enopup4etdrchiix4be4wu6puau2q._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250218-eppqqsylv7/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/84169b3c5a21/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.96

Link:

https://yomi.yoroi.company/submissions/84169b3c5a219018f397eceb2023846b9f47f0931c447422fc09396a79f40535

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.