MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae36ef959616126f91e13df3bff4ffa956a362c38f6e0abeacd903b6f3a1a5ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	ae36ef959616126f91e13df3bff4ffa956a362c38f6e0abeacd903b6f3a1a5ca
SHA3-384 hash:	9225f6ffe74cce8524dcdc666f1e928e7a1246ef6dc0f07992d2974cf673c91d6a9ff8e3a1647d958fa2da55da3a27a2
SHA1 hash:	c09375a84297369b495a5e8e5542d720fae93fc8
MD5 hash:	11bdf0149859b4efdaaaa976f122820f
humanhash:	carbon-oklahoma-alabama-yellow
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'060 bytes
First seen:	2025-10-13 15:39:31 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vaBMyirwqQI806lvqVMEqpkiSOSfaDXZhqN:vaBMyirwqQI802vqVMEqpkiSOSfaDXZ+
TLSH	T1795175853312FBB43DBB443632750408A250ADF6BCCFDEC484D828A9708EE507D5E7AA
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://91.231.222.182/update/vdataupdate.x86	b7e2904a9fdb74cc2e8c04e7ceaa8b7d2a3a5a752243b69ed150b8491e17abcf	Mirai	elf geofenced mirai ua-wget USA x86
http://91.231.222.182/update/vdataupdate.mips	98014a1a30a3083ce8411d2ba2528e0ee90d480e614b43e857de6a4e74f8621d	Mirai	elf geofenced mips mirai ua-wget USA
http://91.231.222.182/update/vdataupdate.arc	6f1b64500e506c245d19785998a752ae36e6754e68c69091cfc39cd9d2a3b647	Mirai	arc elf geofenced mirai ua-wget USA
http://91.231.222.182/update/vdataupdate.i468	n/a	n/a	elf ua-wget
http://91.231.222.182/update/vdataupdate.i686	n/a	n/a	elf ua-wget
http://91.231.222.182/update/vdataupdate.x86_64	n/a	n/a	elf ua-wget
http://91.231.222.182/update/vdataupdate.mpsl	f5b4f88a4c70399d89eb83083565fe01b942170cffc4ada739aefea648906ec8	Mirai	elf geofenced mips mirai ua-wget USA
http://91.231.222.182/update/vdataupdate.arm	32ba56f7801b5581ee2f66eb3e21d80b5206681108037ac89e4bdafc8e4be290	Mirai	arm elf geofenced mirai ua-wget USA
http://91.231.222.182/update/vdataupdate.arm5	0ebc1ece17e20bc2e3152d15454bac3e2cffaac5a9c80402c42116fb6f88d869	Mirai	arm elf geofenced mirai ua-wget USA
http://91.231.222.182/update/vdataupdate.arm6	a05ab194d7576fcba5653d583739bdc7e35e0a6191f0cd13b4ff75c4e1a81390	Mirai	arm elf geofenced mirai ua-wget USA
http://91.231.222.182/update/vdataupdate.arm7	3e017f7319cbf6940240abbd4926fbb5f08955caa986b99cec4baaa7eb78e1e9	Mirai	arm elf geofenced mirai ua-wget USA
http://91.231.222.182/update/vdataupdate.ppc	533335400df9bfba7b527089f51bc084e66d9639e5c4545bda2c9357049785fe	Mirai	elf geofenced mirai PowerPC ua-wget USA
http://91.231.222.182/update/vdataupdate.spc	083843febd5c0ea084e07b0199ae8a9a4a32a5983121fe6947143ba6a77a1a6f	Mirai	elf geofenced mirai sparc ua-wget USA
http://91.231.222.182/update/vdataupdate.m68k	6429714379b972207fa45a94646773186684173a129cbfe1e5aa55b679afd023	Mirai	elf geofenced m68k mirai ua-wget USA
http://91.231.222.182/update/vdataupdate.sh4	599e5b086932a4c7a35874a5b185caea8405c0679bcfd031886c028aa13173d7	Mirai	elf geofenced mirai SuperH ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-13T12:47:00Z UTC

Last seen:

2025-10-13T17:00:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen

Link:

https://opentip.kaspersky.com/ae36ef959616126f91e13df3bff4ffa956a362c38f6e0abeacd903b6f3a1a5ca/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/3e710032-40b2-4f78-88f5-47b4d5ef8f6c

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/ae36ef959616126f91e13df3bff4ffa956a362c38f6e0abeacd903b6f3a1a5ca

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae36ef959616126f91e13df3bff4ffa956a362c38f6e0abeacd903b6f3a1a5ca/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/ae36ef959616126f91e13df3bff4ffa956a362c38f6e0abeacd903b6f3a1a5ca

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-13 15:43:24 UTC

File Type:

Text (Shell)

AV detection:

23 of 38 (60.53%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vy3o7fmwcyjg7epbhxz375h7vflkgywdr5xavpvm3eb3n45buxfa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251013-s4bpbazn14/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ae36ef959616/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/ae36ef959616126f91e13df3bff4ffa956a362c38f6e0abeacd903b6f3a1a5ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.