MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 956e4d50cee880c95457cb69ad152739f8cdab964d634d61efbc79e5d7099285. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	956e4d50cee880c95457cb69ad152739f8cdab964d634d61efbc79e5d7099285
SHA3-384 hash:	4c142616f3cecc386eba37024924f3ecd735d68b0c9b6a3bc1d903f245eb4d83e1a3e16381a2e1a2d451e1e4484c2cb3
SHA1 hash:	630ffcba7d2a6fbdd274b3d534008735b7811905
MD5 hash:	f3bb76fe23f01fbd5d0cd2c86ba3fdeb
humanhash:	michigan-april-artist-apart
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	408 bytes
First seen:	2025-11-08 15:42:12 UTC
Last seen:	2025-11-09 06:01:09 UTC
File type:	sh
MIME type:	text/plain
ssdeep	6:8KhDiOnFflE0FXRLd3uNidRLd3uNCaWELFFhXBLduFGCaWELFF+q0LdlvsGL/usu:O0Fhp+IPp+N/FFhxpuFg/FF+LpxaypJg
TLSH	T19DE09BCA281222305429ED872E72CC50F016805167858FF059FBDBF08CDBF486D4C9BB
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://196.251.87.155/1.sh	f4cd34574511fba95f796025862741c1ccd2375edd13e1a544ca0fd418098604	Mirai	mirai script

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/690f64e445d0218fdf1ed829/reports/89977ef3-449e-4089-82e1-e5dba8d871b5/overview

Verdict:

Malicious

File Type:

text

First seen:

2025-11-08T14:16:00Z UTC

Last seen:

2025-11-09T01:27:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p

Link:

https://opentip.kaspersky.com/956e4d50cee880c95457cb69ad152739f8cdab964d634d61efbc79e5d7099285/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/37b427dc-ea82-451b-beb9-3f031e875f72

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/956e4d50cee880c95457cb69ad152739f8cdab964d634d61efbc79e5d7099285

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/956e4d50cee880c95457cb69ad152739f8cdab964d634d61efbc79e5d7099285/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/956e4d50cee880c95457cb69ad152739f8cdab964d634d61efbc79e5d7099285

Threat name:

Script.Browser.Heuristic

Status:

Malicious

First seen:

2025-11-08 15:43:18 UTC

File Type:

Text (Shell)

AV detection:

2 of 37 (5.41%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=svxe2ugo5camsvcxznu22fjhhh4m3k4wjvru2yppxr46lvyjskcq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251108-s5jfjs1jhr/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.