MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92fc8f2ded05418117b46fe8701f3a414c7b1b8372ca26165f2b062c59a72f6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	92fc8f2ded05418117b46fe8701f3a414c7b1b8372ca26165f2b062c59a72f6d
SHA3-384 hash:	2ed094ba34850b41d639cdd484503e1e8af340afcfd3e36c877adf4ba1b3857045bff17cbc2702b53b687271777844c3
SHA1 hash:	8c2ab7de2490e18bcc4102d0bb26b93e8bf0bb94
MD5 hash:	f3d7ec7bbe69bf82fb48c68236d09d20
humanhash:	two-december-coffee-twelve
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'007 bytes
First seen:	2025-10-24 12:14:06 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:iCt79t7N7hCtot6GCtgQtzPCt4tKWCtmtoUCt7mt7o7UCtfnt3bCttt9RCtqtcgn:iA7n7N7hA66GAgCzPAqKWA0oUA707o7I
TLSH	T1FC5183C541546E341CABEA2BA677822830C3B06298EB6F95DBD4AEE0475EE147780F53
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://192.142.10.124/hiddenbin/boatnet.x86	45cd3b09f34adf3d5cd1a10fb4716145f7e9f78324af5da3ff8267314fd5aacb	Mirai	mirai opendir
http://192.142.10.124/hiddenbin/boatnet.mips	5471e26e2fac7d56e47fefd5d0ec4cc4df049b4d9668b893b842f0bb8cef69f5	Mirai	mirai opendir
http://192.142.10.124/hiddenbin/boatnet.arc	0b3509bfea82c3c2b1032c315cbe2f08a21ab30df64d03b89d0909aa05a09348	Mirai	mirai opendir
http://192.142.10.124/hiddenbin/boatnet.i468	24a2379d625b8269501babe0eac3dd5c5fe04b841c869cf13d0a8688d68f180b	Mirai	elf mirai ua-wget
http://192.142.10.124/hiddenbin/boatnet.i686	8159ebce3beea97a0df4d558a67077a123960f097e66806a883a58536e8a5415	Mirai	elf mirai ua-wget
http://192.142.10.124/hiddenbin/boatnet.x86_64	2173c740c4d6dec7d6e99d595253360f3fca6eeeb2f248ec4b6e1fb38c042bb6	Mirai	elf mirai ua-wget
http://192.142.10.124/hiddenbin/boatnet.mpsl	61a1dbc1043be77a8167a7f76548aeccb8e8e89258ff59877289670a037552d6	Mirai	mirai opendir
http://192.142.10.124/hiddenbin/boatnet.arm	bc9b09ac7beebdee4f39ee8207fa0b57202d39c8e9fe158eb8006a2270e505b1	Mirai	mirai opendir
http://192.142.10.124/hiddenbin/boatnet.arm5	0e436461207c53c2bfb69bd684a439ddbb65dd44d15a6c5ecb7f092e60817433	Mirai	mirai opendir
http://192.142.10.124/hiddenbin/boatnet.arm6	6aefcb35569d5a6f03ca744b1a8197b85e38293f3506d5f520d734a72a075b38	Mirai	mirai opendir
http://192.142.10.124/hiddenbin/boatnet.arm7	0e436461207c53c2bfb69bd684a439ddbb65dd44d15a6c5ecb7f092e60817433	Mirai	mirai opendir
http://192.142.10.124/hiddenbin/boatnet.ppc	051790796751e97ee60e75201bc1358b6b553042da965e26bd39d376e1a26b0b	Mirai	mirai opendir
http://192.142.10.124/hiddenbin/boatnet.spc	e1962626e0cdc9c3464920387f4e80039d6131b730098550131de534d135f586	Mirai	mirai opendir
http://192.142.10.124/hiddenbin/boatnet.m68k	7560349da3de161e8a2c8d488f24d5ea4f72e1c54b062207e6c74e2cb45ea42b	Mirai	mirai opendir
http://192.142.10.124/hiddenbin/boatnet.sh4	365a69936b75809e9ca965ccb4d8932f1568f4ec5db9349534079074e69a3ce4	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-24T11:08:00Z UTC

Last seen:

2025-10-24T12:05:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/92fc8f2ded05418117b46fe8701f3a414c7b1b8372ca26165f2b062c59a72f6d/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/c9247fcc-031c-4af2-b856-b471ee43c203

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/92fc8f2ded05418117b46fe8701f3a414c7b1b8372ca26165f2b062c59a72f6d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/92fc8f2ded05418117b46fe8701f3a414c7b1b8372ca26165f2b062c59a72f6d/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-24 12:14:40 UTC

File Type:

Text (Shell)

AV detection:

17 of 24 (70.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sl6i6lpnavaycf5un7uhahz2ifghwg4dolfcmfs7fmdcywnhf5wq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux

Link:

https://tria.ge/reports/251024-pemthafw9a/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

File and Directory Permissions Modification

Executes dropped EXE

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/92fc8f2ded05/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/92fc8f2ded05418117b46fe8701f3a414c7b1b8372ca26165f2b062c59a72f6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.