MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a43f6a8613ef0b1d6123aada7ad34566d2e27c73bccccdb8e7bf68dbcc18677f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	a43f6a8613ef0b1d6123aada7ad34566d2e27c73bccccdb8e7bf68dbcc18677f
SHA3-384 hash:	4d3fe02ec3d35ab958eb0aae61533c99572bdde05ac4a5c065857c4f218b600911313db0b4f76dffb8461363573e43d6
SHA1 hash:	e35a1e0e1b45153e6808251c87146ecfd3ca26ad
MD5 hash:	732176a2ea3527b00b30cce08192a744
humanhash:	nitrogen-red-edward-coffee
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'150 bytes
First seen:	2025-10-12 09:21:24 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:vBDsBBmxyBtmrBqNqBsHIBo70Bb0vB7UVBgDEBxCpBe5iBsHOBlOfB282XZhBo7N:5DmmMtaqgsMosbG7WgUxmeIsala282pg
TLSH	T11A5139843211FA783DBB5923A275450CB1406CF2ACDFFD848DEC28A5619DE00395A7E6
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://91.231.222.182/hiddenbin/vdataupdate.x86	b7e2904a9fdb74cc2e8c04e7ceaa8b7d2a3a5a752243b69ed150b8491e17abcf	Mirai	elf mirai
http://91.231.222.182/hiddenbin/vdataupdate.mips	98014a1a30a3083ce8411d2ba2528e0ee90d480e614b43e857de6a4e74f8621d	Mirai	elf mirai
http://91.231.222.182/hiddenbin/vdataupdate.arc	6f1b64500e506c245d19785998a752ae36e6754e68c69091cfc39cd9d2a3b647	Mirai	DEU elf geofenced mirai
http://91.231.222.182/hiddenbin/vdataupdate.i468	n/a	n/a	elf ua-wget
http://91.231.222.182/hiddenbin/vdataupdate.i686	n/a	n/a	elf ua-wget
http://91.231.222.182/hiddenbin/vdataupdate.x86_64	n/a	n/a	elf ua-wget
http://91.231.222.182/hiddenbin/vdataupdate.mpsl	f5b4f88a4c70399d89eb83083565fe01b942170cffc4ada739aefea648906ec8	Mirai	DEU elf geofenced mirai
http://91.231.222.182/hiddenbin/vdataupdate.arm	32ba56f7801b5581ee2f66eb3e21d80b5206681108037ac89e4bdafc8e4be290	Mirai	elf mirai
http://91.231.222.182/hiddenbin/vdataupdate.arm5	0ebc1ece17e20bc2e3152d15454bac3e2cffaac5a9c80402c42116fb6f88d869	Mirai	elf mirai
http://91.231.222.182/hiddenbin/vdataupdate.arm6	a05ab194d7576fcba5653d583739bdc7e35e0a6191f0cd13b4ff75c4e1a81390	Mirai	elf mirai
http://91.231.222.182/hiddenbin/vdataupdate.arm7	3e017f7319cbf6940240abbd4926fbb5f08955caa986b99cec4baaa7eb78e1e9	Mirai	elf mirai
http://91.231.222.182/hiddenbin/vdataupdate.ppc	533335400df9bfba7b527089f51bc084e66d9639e5c4545bda2c9357049785fe	Mirai	elf mirai
http://91.231.222.182/hiddenbin/vdataupdate.spc	083843febd5c0ea084e07b0199ae8a9a4a32a5983121fe6947143ba6a77a1a6f	Mirai	elf mirai
http://91.231.222.182/hiddenbin/vdataupdate.m68k	6429714379b972207fa45a94646773186684173a129cbfe1e5aa55b679afd023	Mirai	elf mirai
http://91.231.222.182/hiddenbin/vdataupdate.sh4	599e5b086932a4c7a35874a5b185caea8405c0679bcfd031886c028aa13173d7	Mirai	elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-12T04:12:00Z UTC

Last seen:

2025-10-12T10:09:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/a43f6a8613ef0b1d6123aada7ad34566d2e27c73bccccdb8e7bf68dbcc18677f/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/9e13ef75-9605-4023-8dbe-075456e62e55

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/a43f6a8613ef0b1d6123aada7ad34566d2e27c73bccccdb8e7bf68dbcc18677f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a43f6a8613ef0b1d6123aada7ad34566d2e27c73bccccdb8e7bf68dbcc18677f/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-12 07:44:05 UTC

File Type:

Text (Shell)

AV detection:

23 of 38 (60.53%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uq7wvbqt54fr2yjdvlnhvu2fm3joe7dtxtgm3ohhx5unxtaym57q._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251012-lbnd3shj51/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a43f6a8613ef/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/a43f6a8613ef0b1d6123aada7ad34566d2e27c73bccccdb8e7bf68dbcc18677f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.