MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7600d7570e765f791cf15bdfc7fefcbfa9af199d2b56b1369832f5ee1059585. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	b7600d7570e765f791cf15bdfc7fefcbfa9af199d2b56b1369832f5ee1059585
SHA3-384 hash:	8bd2f681bc85e00fa15298c6e00aae9c88ad0c701cded0916d23493d7d066b9b8935085b031510fadaba61116c29cef2
SHA1 hash:	7bcc055a0af5fe0245dcba83984598c2ce71b66a
MD5 hash:	c3891360bf0d702c46f16a46d3b360cd
humanhash:	oxygen-fruit-blossom-kansas
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'655 bytes
First seen:	2025-02-14 18:46:16 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vstbEs0+9bsnbnFahs4b4FLhse8vsmE3sRdxosB/csusPslzH2swqNsEufs/p+sE:vstbEs0+9bsbFGssWNse8vsmE3sHxosf
TLSH	T13F516BD403F21878EEFA9A2E71AD081471E2D05778CCEF54DCDE78A9847DF0A3841A46
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://154.23.163.91/bins/main_x86	9945d554d97c40592e832b9e53a301b591eeda18b39398b694458bafdd68b75a	Mirai	censys elf fbi.gov GREED mirai moobot opendir
http://154.23.163.91/bins/main_mips	7f8e1bbf5479115bb03613e8325aaafd3df46744c859fc3d5c023f4461f5dc22	Mirai	censys elf fbi.gov GREED mirai moobot opendir
http://154.23.163.91/bins/main_arc	n/a	n/a	n/a
http://154.23.163.91/bins/main_i468	n/a	n/a	n/a
http://154.23.163.91/bins/main_i686	n/a	n/a	n/a
http://154.23.163.91/bins/main_x86_64	7574216a82c0a4388b5ba088560bbdbd61854d1fc8528e2279753c5c7f62d6b0	Mirai	censys elf fbi.gov GREED mirai moobot opendir
http://154.23.163.91/bins/main_mpsl	efc8caf0077a89637f815ed3fbbeec30b16b3d217e30c82e8d247d17b45be42a	Mirai	censys elf fbi.gov GREED mirai moobot opendir
http://154.23.163.91/bins/main_arm	c7ff4a8a82d5cdc9c8f1c42c01665821eb95b25da8b1e997397b86bf331a3aed	Mirai	censys elf fbi.gov GREED mirai moobot opendir
http://154.23.163.91/bins/main_arm5	c1998baae396bf14305ef056516ac4886f5fff1307569bc0adba621619f22020	Mirai	censys elf fbi.gov GREED mirai moobot opendir
http://154.23.163.91/bins/main_arm6	efaae03815be08d12faaa045a18e9eb5d42e78de1db2143e557c32a19c92b147	Mirai	censys elf fbi.gov GREED mirai moobot opendir
http://154.23.163.91/bins/main_arm7	6a9ccf0a6b7b9a01389627d38a6fefd72dbb299fc0b41e5fb9f166b0827be340	Mirai	censys elf fbi.gov GREED mirai moobot opendir
http://154.23.163.91/bins/main_ppc	b39074fb3471b29c7bd77c044eb136d2e8bbbc2f2d3772321c4e8afc1d8b653a	Mirai	censys elf fbi.gov GREED mirai moobot opendir
http://154.23.163.91/bins/main_spc	n/a	n/a	n/a
http://154.23.163.91/bins/main_m68k	f5ac2ffa6e87b8e6dcd649a4585c9600c82d27bffa84ccecdd65c536c6f71288	Mirai	censys elf fbi.gov GREED mirai moobot opendir
http://154.23.163.91/bins/main_sh4	7eb182135f83f64b2d73b956fa5f9e90bd0856bb59b2afc6e8bf4e3eccf5e9d0	Mirai	censys elf fbi.gov GREED mirai moobot opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67af90b9a0fd713c335ad54elinux22vpnfull_triage

Tags:

shellcode mirai agent virus

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

bash lolbin mirai remote

Link:

https://www.filescan.io/uploads/67af8fccfc59120fe522b502/reports/317b5794-cb18-4fb8-9c11-7ea3447d4fc8/overview

Result

Verdict:

MALICIOUS

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/b7600d7570e765f791cf15bdfc7fefcbfa9af199d2b56b1369832f5ee1059585

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b7600d7570e765f791cf15bdfc7fefcbfa9af199d2b56b1369832f5ee1059585/

Threat name:

Win32.Trojan.Mirai

Status:

Malicious

First seen:

2025-02-14 18:47:09 UTC

File Type:

Text (Shell)

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w5qa25lq45s7peopcw67y77pzp5jv4mz2k2wwe3jqmxv5yifswcq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/250214-xe81qsxkez/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Traces itself

Mirai

Mirai family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Mirai

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/b7600d7570e765f791cf15bdfc7fefcbfa9af199d2b56b1369832f5ee1059585

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.