MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4cf2aa94a0af3b97cda888e31ba3a9b2577b1f456ea7c5e6b49414a005bef8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	a4cf2aa94a0af3b97cda888e31ba3a9b2577b1f456ea7c5e6b49414a005bef8e
SHA3-384 hash:	57a9a8a027335e4f8f95a0b38c44eaa513eb59f3beb4e2be268f7b4d74c3f5832743f5d33a17c198b3f9ce2eb7186a73
SHA1 hash:	aa1a219970eb1c02d460e577f9c806173a38b435
MD5 hash:	0934f0d3fae1afc992654dd43f4be816
humanhash:	twelve-mike-michigan-beer
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'970 bytes
First seen:	2025-04-26 20:09:35 UTC
Last seen:	2025-04-27 17:30:43 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vp+70+7N7hp+v+6Gp+gn+zPp+f+KWp+1+oUp+71+7o7Up+fO+3bp+E+9Rp+h+cgv:vI7T7N7hI26GIg+zPImKWIMoUI7M7o7g
TLSH	T17D51778591856C3458B7EB33F6B681383081A0D358EEBF99DEDCBEE4868ED147244B53
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.138.123/hiddenbin/boatnet.x86	4daee52fff302e0dd9c67b785f6ba384cd099b735db179ebcf64943d95cea55b	Mirai	elf mirai opendir
http://176.65.138.123/hiddenbin/boatnet.mips	02ddf8116e45f7892d0f3c9c00bd6142b2aef991bc152ae333b3eac8204e6641	Mirai	elf mirai opendir
http://176.65.138.123/hiddenbin/boatnet.arc	6fefc3d70378be43b371bd7eb3c21ab54af0819d5871e2fb24cae10f9ebe2a81	Mirai	elf mirai opendir
http://176.65.138.123/hiddenbin/boatnet.i468	n/a	n/a	elf
http://176.65.138.123/hiddenbin/boatnet.i686	n/a	n/a	elf
http://176.65.138.123/hiddenbin/boatnet.x86_64	ca406d7afe9009c1b8b41858aeeb6e6c46c662f9da5c7439df02211e786f0f44	Mirai	elf mirai opendir
http://176.65.138.123/hiddenbin/boatnet.mpsl	e7c98fcdebcf3213d3fbd318689466d51f9d2092f8852f36d424d18416490847	Mirai	elf mirai opendir
http://176.65.138.123/hiddenbin/boatnet.arm	1a12b6f44e24c08e65c4a86d6aaee6c5cadaedad6875e9d39fb9826dbe9ecf1d	Mirai	elf mirai opendir
http://176.65.138.123/hiddenbin/boatnet.arm5	e554fe34b19cd345f9dabb832e6728475aea2210f8ee6c37ded318485759d6fb	Mirai	elf mirai opendir
http://176.65.138.123/hiddenbin/boatnet.arm6	4c5d24645fd81921a5ba0022b678a1ee897d95d7742738ee531fe93bb3636f95	Mirai	elf mirai opendir
http://176.65.138.123/hiddenbin/boatnet.arm7	59ee762de327085e9d404976970a4a6865fc3e0cabafb0aad249226dac03d02f	Mirai	elf mirai opendir
http://176.65.138.123/hiddenbin/boatnet.ppc	b105b9083a06e03a8fc62e3c78cee23ffef08e4b2bcaaa71c953431eb3387986	Mirai	elf mirai opendir
http://176.65.138.123/hiddenbin/boatnet.spc	a0789fc56e8c3d2abd26c0edb892251a9b2849ff63aaf07cd8ce15fe151c6aef	Mirai	elf mirai opendir
http://176.65.138.123/hiddenbin/boatnet.m68k	4414ff8db7b4927aaeee5a4b2e4d2e53aad3d9443de7daf45883a74ca87e1c0f	Mirai	elf mirai opendir
http://176.65.138.123/hiddenbin/boatnet.sh4	42d599d6afac363fe274bb0cb258157fb5ef7060817dc1d1acb45e07f8c7d606	Mirai	elf mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

103

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=680d3ea1cc5fb3600cc2e583linux22vpnfull_triage

Tags:

shellcode agent virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin remote

Link:

https://www.filescan.io/uploads/680d3da0212716475faf5383/reports/67ca8a20-979b-4d29-913a-2ad54a9a4f6d/overview

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/a4cf2aa94a0af3b97cda888e31ba3a9b2577b1f456ea7c5e6b49414a005bef8e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a4cf2aa94a0af3b97cda888e31ba3a9b2577b1f456ea7c5e6b49414a005bef8e/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-04-26 20:02:28 UTC

File Type:

Text (Shell)

AV detection:

18 of 24 (75.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uthsvkkkblz3s7g2rchddor2tmsxpmpuk3vhyxtljfauuac356ha._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/250426-yxp61syvhy/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a4cf2aa94a0a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/a4cf2aa94a0af3b97cda888e31ba3a9b2577b1f456ea7c5e6b49414a005bef8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.