MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7a3af59ee5db48d17799334c31d2fa9e6c819ea0f5dcfea3e10f689808286d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	b7a3af59ee5db48d17799334c31d2fa9e6c819ea0f5dcfea3e10f689808286d2
SHA3-384 hash:	1f02554de1163dadc99300759075244fd8ca76de2e6c89c051c3e6d1b7fd80b5c903f9d237414ece9d75bc55948ba2db
SHA1 hash:	7dedea74c3cc0c2241bbe7c8972cb43be9174f9e
MD5 hash:	ea06167acd0193e549c213ff7813ca4b
humanhash:	item-monkey-oxygen-april
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'910 bytes
First seen:	2026-01-31 11:33:12 UTC
Last seen:	2026-02-01 04:37:30 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vK7J7N7hKM6GKg0zPK8KWKOoUK7O7o7UKff3bKZ9RKycgKFpVK0SOKg+CKvfTK3U:vK7J7N7hKM6GKg0zPK8KWKOoUK7O7o74
TLSH	T13B5165C6534A1E302CA3AE13F6F6452831C2D2A26CE5AB99EDDCBEE4434ED343142753
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://45.137.98.97/hiddenbin/boatnet.x86	1630c0ac8b151b87303be177d5e88405bdfbb20c4e093e65a8c24183752889e0	Mirai	elf ua-wget
http://45.137.98.97/hiddenbin/boatnet.mips	9e6ec64dc19e5ddf7637b525d3efabb389310135eb7804324759301cadda2e43	Mirai	elf ua-wget
http://45.137.98.97/hiddenbin/boatnet.arc	adb2385fba3898d961f892bee173eccecbca0966f4af2d3122b4b88a13f27cc3	Mirai	elf ua-wget
http://45.137.98.97/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://45.137.98.97/hiddenbin/boatnet.i686	9d35cdb7e64c5c2b6b6414bbdb0ed673462eaae0d33ca1a13982076da3c14920	Mirai	32-bit elf mirai Mozi
http://45.137.98.97/hiddenbin/boatnet.x86_64	b49b61a50bae2e33237dae317d4c13b3930b820ef7413dba7aa03843d045925a	Mirai	64-bit elf mirai Mozi
http://45.137.98.97/hiddenbin/boatnet.mpsl	1a36cc27aad9710d84cae270e45d1a3316e26abe26fdca923c5cd9fcfdc25f18	Mirai	32-bit elf mirai Mozi
http://45.137.98.97/hiddenbin/boatnet.arm	4d51d0159555abeaf7fe47c02edefb953d1ee27bd9085f8307fc81cbf6ebda0c	Mirai	32-bit elf mirai Mozi
http://45.137.98.97/hiddenbin/boatnet.arm5	d9ba9fb873fa21e81758486c9b84d6b4a733844958b5c752151715d6ebb1b0fe	Mirai	32-bit elf mirai Mozi
http://45.137.98.97/hiddenbin/boatnet.arm6	2601ed454c19e82b3fc9c10f1b8e9f1c83cee1108ae86e34ab998527bf73488d	Mirai	32-bit elf mirai Mozi
http://45.137.98.97/hiddenbin/boatnet.arm7	c617e1eec0d27007dfeea31c3bcc40b849f66e531ffeaef18ecdbd694538cae0	Mirai	32-bit elf mirai Mozi
http://45.137.98.97/hiddenbin/boatnet.ppc	a2ded513c4266461de5786f3304cd28b0e9622815e279080052146f96b59bf63	Mirai	elf ua-wget
http://45.137.98.97/hiddenbin/boatnet.spc	53ae423125c6fd4f48f6c1330bcd056c3f038bb35ef6b0c6d539ab87c5f0e8e6	Mirai	32-bit elf mirai Mozi
http://45.137.98.97/hiddenbin/boatnet.m68k	1ca4d27101849db0b20b2e17b4cb430ca7f895c83df304e54bce4aea025e6667	Mirai	32-bit elf mirai Mozi
http://45.137.98.97/hiddenbin/boatnet.sh4	9f105da2ffe133a582958a7c5bcdfddc4454216cef71fe7aec5e67a4002f88f9	Mirai	32-bit elf mirai Mozi

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

medusa mirai

Link:

https://www.filescan.io/uploads/697de884981ff1d38a42c72f/reports/5ba6ff60-fcf2-4fdc-8321-29873f27b7e2/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-30T07:41:00Z UTC

Last seen:

2026-01-31T15:45:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/b7a3af59ee5db48d17799334c31d2fa9e6c819ea0f5dcfea3e10f689808286d2/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/738e8e5d-2dec-4d3a-8671-66a921e76f36

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/b7a3af59ee5db48d17799334c31d2fa9e6c819ea0f5dcfea3e10f689808286d2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b7a3af59ee5db48d17799334c31d2fa9e6c819ea0f5dcfea3e10f689808286d2/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/b7a3af59ee5db48d17799334c31d2fa9e6c819ea0f5dcfea3e10f689808286d2

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-01-30 14:57:24 UTC

File Type:

Text (Shell)

AV detection:

23 of 36 (63.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w6r26wpolw2i2f3zsm2mghjpvhtmqgpkb5o472r6cd3itaecq3ja._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260131-nn244sh15b/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b7a3af59ee5d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/b7a3af59ee5db48d17799334c31d2fa9e6c819ea0f5dcfea3e10f689808286d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh