MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8562b9fbc61584ce74c2f56847565faccf053134a8f4abf4aaee8e2ed82ccfc5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	8562b9fbc61584ce74c2f56847565faccf053134a8f4abf4aaee8e2ed82ccfc5
SHA3-384 hash:	0b73eb8c295bff5d64bf8933c92fc8d6a73b80c83461908f247d0746f1b640cf5b9126532cb274bd870f7ba76de6714f
SHA1 hash:	cf899d0844a5cbac80784008dd7ff20ddc95ef8f
MD5 hash:	bb9b02790d9369cfdce60911efa478c8
humanhash:	eighteen-sixteen-social-bravo
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'805 bytes
First seen:	2025-01-06 06:41:34 UTC
Last seen:	2025-01-07 03:50:16 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:vIp7pmI2cikIXtyI+Z+zhIQ+IpqpkIrXcVIlYIsiItXuI2WIhEhIIrMI7TmIrap:v6lmwlcy6okQ+jWD8qRmm5
TLSH	T1A5514BCD00C29C746CA76E93E7BA87E831C2F0A53CE6AF9595DA3CA45F5DE04F040692
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://154.216.17.34/hiddenbin/wind.x86	bedafc169492f127eddcab8a5eba9b7aa57acb0c43aa7b24ab4953331ed58b79	Mirai	elf mirai opendir
http://154.216.17.34/hiddenbin/wind.mips	287674c6de3182e54ad83939f5051379ccba8dc7a3fbcd7ab312029f809c8f4d	Mirai	elf mirai opendir
http://154.216.17.34/hiddenbin/wind.arc	83d20d0e5aec9d315f798912ca20bf125bd0450abd8ea7c8f2af8020068bb356	Mirai	elf mirai opendir
http://154.216.17.34/hiddenbin/wind.i468	83d20d0e5aec9d315f798912ca20bf125bd0450abd8ea7c8f2af8020068bb356	Mirai	elf opendir
http://154.216.17.34/hiddenbin/wind.i686	83d20d0e5aec9d315f798912ca20bf125bd0450abd8ea7c8f2af8020068bb356	Mirai	elf opendir
http://154.216.17.34/hiddenbin/wind.x86_64	83d20d0e5aec9d315f798912ca20bf125bd0450abd8ea7c8f2af8020068bb356	Mirai	elf opendir
http://154.216.17.34/hiddenbin/wind.mpsl	a45e443726e3f25bae098ce7de31366afb803070e5579eb66fe0017cdac2e863	Mirai	elf mirai opendir
http://154.216.17.34/hiddenbin/wind.arm	adca3bf3f36fd505510dbd9bd6d838c14c3cf95bfec0b110c4e0419d54ae498e	Mirai	elf mirai opendir
http://154.216.17.34/hiddenbin/wind.arm5	6b9ac8046914ee84ab4b9ab4faa3086724ca2634efa644886e0d5c2590c507ed	Mirai	elf mirai opendir
http://154.216.17.34/hiddenbin/wind.arm6	3f7556b9469b3bb92df7421eb9fd2e3507bc191e965cef65bded70bc79d0c071	Mirai	elf mirai opendir
http://154.216.17.34/hiddenbin/wind.arm7	82b29e4b91c531b569329058729197d23761cafa2a8c9065571234c3b116794e	Mirai	elf mirai opendir
http://154.216.17.34/hiddenbin/wind.ppc	82cb0097c8547e3e853c0b932fb0cc084ce43c42f73320d667d5670ba77e73a4	Mirai	elf mirai opendir
http://154.216.17.34/hiddenbin/wind.spc	ed3a360fb5ede606844679577a2476198c81904bcebf8def184fc1e23d421a3f	Mirai	elf mirai opendir
http://154.216.17.34/hiddenbin/wind.m68k	568b01ecf9436a963df2d7d9bc307606ec29edfbbdec7aea75a23d17d3415106	Mirai	elf mirai opendir
http://154.216.17.34/hiddenbin/wind.sh4	cb230cb3967e8c5604845642837721b0930d3ae3b69dec1fa62231087e6c5ed9	Mirai	elf mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=677b7bfeffdcee13ec840e71linux22vpnfull_triage

Tags:

ransomware downloader agent

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug

Link:

https://www.filescan.io/uploads/677b7b46b5d42d92056810cf/reports/dd3e2fb6-7dc6-4a1e-9866-d916c83b6125/overview

Result

Verdict:

MALICIOUS

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/8562b9fbc61584ce74c2f56847565faccf053134a8f4abf4aaee8e2ed82ccfc5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8562b9fbc61584ce74c2f56847565faccf053134a8f4abf4aaee8e2ed82ccfc5/

Threat name:

Win32.Trojan.Mirai

Status:

Malicious

First seen:

2025-01-06 06:25:43 UTC

File Type:

Text (Shell)

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qvrlt66gcwcm45gc6vueovs7vthqkmjuvd2kx5fk52hc5wbmz7cq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250106-hgcmzsyqby/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8562b9fbc615/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8562b9fbc61584ce74c2f56847565faccf053134a8f4abf4aaee8e2ed82ccfc5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.