MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6123b0f20cf949dd9213f5614f1d5cf8e7e20ee8453fd4d552fd3173e5f7d21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	b6123b0f20cf949dd9213f5614f1d5cf8e7e20ee8453fd4d552fd3173e5f7d21
SHA3-384 hash:	48d7fd1ff95f8db7c8baf887751e899cb6271f0c32c04930a8a449c03a984ce1f40fdecad4d40829984972c104e9aa47
SHA1 hash:	e8f1d8f32391ac9cf5968f533cebd822195cf276
MD5 hash:	8d9894980103b95b7f69d0a9bc2039f7
humanhash:	lamp-jupiter-happy-march
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'940 bytes
First seen:	2026-02-06 08:25:09 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vY797N7hYO6GYgmzPY+KWY8oUY787o7UYff3bYN9RYwcgYZpVYmSOYC+CYvfTYn+:vY797N7hYO6GYgmzPY+KWY8oUY787o7w
TLSH	T1B1512BC541144DFCBC636AB3E67E439C35869452A9EDABD5DBC4BAE0025EE303780793
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://64.89.163.109/hiddenbin/boatnet.x86	1c5e695b5402b80a5c7f8236fa8af54c625be858e450cb86e165fabcb1a83f84	Mirai	elf mirai ua-wget
http://64.89.163.109/hiddenbin/boatnet.mips	e148df54874034e30a89c7e64371da330d42e7ba6cda157043ec965029c9805c	Mirai	elf mirai ua-wget
http://64.89.163.109/hiddenbin/boatnet.arc	9ef77eb016ce406ca7dba90322b60cad6c1986abb9ed572e2da8ab354276515e	Mirai	elf mirai ua-wget
http://64.89.163.109/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://64.89.163.109/hiddenbin/boatnet.i686	n/a	n/a	elf ua-wget
http://64.89.163.109/hiddenbin/boatnet.x86_64	n/a	n/a	elf ua-wget
http://64.89.163.109/hiddenbin/boatnet.mpsl	c277f03630ff0b108512295ec561254083ccf7cd39251bc02448c5952aa997d8	Mirai	elf mirai ua-wget
http://64.89.163.109/hiddenbin/boatnet.arm	a5318581ba6b71c49dfaf71c0ec469e9d0ff95ba80cfc6eac5bc7f326e42c356	Mirai	elf mirai ua-wget
http://64.89.163.109/hiddenbin/boatnet.arm5	bbaf73d6a7b48fbfc2dffc4d121ccf71ef23b5b01368df4640ab6797270e6e5d	Mirai	elf mirai ua-wget
http://64.89.163.109/hiddenbin/boatnet.arm6	d5b998abdcc64673a041d6b1adc055f6523bf650627fe7cb46831d2d13d6a9b8	Mirai	elf mirai ua-wget
http://64.89.163.109/hiddenbin/boatnet.arm7	45145360b6a17541fe46ead925604d63a66f4de7410339e19a5344672a39d8e8	Mirai	elf mirai ua-wget
http://64.89.163.109/hiddenbin/boatnet.ppc	e0937908386cfe22e32d17addf6a0f326d804418e7b9964630ab8c70bf9a3258	Mirai	elf mirai ua-wget
http://64.89.163.109/hiddenbin/boatnet.spc	06ffb716a0067e78b8b644dd80c76a28b7bf114e1ff0f4494291ec87892df89a	Mirai	elf mirai ua-wget
http://64.89.163.109/hiddenbin/boatnet.m68k	838344c4f5a9b9f527629d19c5e24abe8eae0025dd8fe7c10ceb0896309a1309	Mirai	elf mirai ua-wget
http://64.89.163.109/hiddenbin/boatnet.sh4	n/a	n/a	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a HEUR:Trojan-Downloader.Shell.Agent.p

Link:

https://opentip.kaspersky.com/b6123b0f20cf949dd9213f5614f1d5cf8e7e20ee8453fd4d552fd3173e5f7d21/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/c0706c4f-9ded-47bb-815d-11b66460114b

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/b6123b0f20cf949dd9213f5614f1d5cf8e7e20ee8453fd4d552fd3173e5f7d21

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b6123b0f20cf949dd9213f5614f1d5cf8e7e20ee8453fd4d552fd3173e5f7d21/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/b6123b0f20cf949dd9213f5614f1d5cf8e7e20ee8453fd4d552fd3173e5f7d21

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-02-06 01:33:41 UTC

File Type:

Text (Shell)

AV detection:

23 of 36 (63.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wyjdwdzaz6kj3wjbh5lbj4ovz6hh4ihoqrj72tkvf7jrops7puqq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260206-kbh9pafs7h/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b6123b0f20cf/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh