MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1d8d718cc73faf4786acee4d6d7dd01424fd4505ab0a9f50a6f50377c894f7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	c1d8d718cc73faf4786acee4d6d7dd01424fd4505ab0a9f50a6f50377c894f7d
SHA3-384 hash:	6eada2d211183c83288ae83925dd4c8c27f70610488fbe64c51d77ef096debbf9f50b6d07a42e289e635429c4a179470
SHA1 hash:	bf06c564b661e00cbd8d1b09c5805deede39ad4f
MD5 hash:	7ff92515fcde21fb0ea3607f0bcb7ace
humanhash:	island-uncle-enemy-sierra
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'910 bytes
First seen:	2025-06-26 05:31:33 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vo7P7N7hoK6GogSzPo6KWoEoUo7E7o7Uof93bof9RowcgojpVoSSOoG+CoNfTo1A:vo7P7N7hoK6GogSzPo6KWoEoUo7E7o7A
TLSH	T15B51E9C543440D302D636A97EAB7C12C72C7A4679CE16BE5E9C4BAE1038FE147B407A3
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://89.42.88.239/hiddenbin/boatnet.x86	1d908ba4fbc4c7ac68fff944b4723fada55ab89569e248036e40b18ef829e4db	Mirai	elf mirai ua-wget
http://89.42.88.239/hiddenbin/boatnet.mips	a8df7a6f8fa6146d30c20e0ca7f8ac849e0ba8596a5b01e3a3c6cb720c736420	Mirai	elf mirai ua-wget
http://89.42.88.239/hiddenbin/boatnet.arc	9088213382505b5e9cd3e1b2b0ae7f4469695aa417cac460994b1b7c5575800c	Mirai	elf mirai ua-wget
http://89.42.88.239/hiddenbin/boatnet.i468	n/a	n/a	n/a
http://89.42.88.239/hiddenbin/boatnet.i686	n/a	n/a	n/a
http://89.42.88.239/hiddenbin/boatnet.x86_64	n/a	n/a	n/a
http://89.42.88.239/hiddenbin/boatnet.mpsl	6f83e5c36f8454491c6ce4621f5482ccc3c671b216b7e3ebba85715ab3dd4380	Mirai	elf mirai ua-wget
http://89.42.88.239/hiddenbin/boatnet.arm	8d9291e86708b3266790077c9d37034f2e09d8439eae364898cdbca7eb99efa7	Mirai	elf mirai ua-wget
http://89.42.88.239/hiddenbin/boatnet.arm5	ec25a66677f57719fe0061e622218e878542a3abccd48500892343ff9b619e09	Mirai	elf mirai ua-wget
http://89.42.88.239/hiddenbin/boatnet.arm6	755667347b4245f965a4f4eb228bc82777ead558e68400227e8344386fabc64a	Mirai	elf mirai ua-wget
http://89.42.88.239/hiddenbin/boatnet.arm7	d8aa947123f7edf93e6fdc1f828b5c4f783058a04fb7c807393d5a41783e053a	Mirai	elf mirai ua-wget
http://89.42.88.239/hiddenbin/boatnet.ppc	9907fad0916c4e4596ada58f90433d751505c01f57a52f8ea7651acfe6589ddb	Mirai	elf mirai ua-wget
http://89.42.88.239/hiddenbin/boatnet.spc	ea136bcdfeb1a8381d88b0546c5ddbb0cb99d22c3b97176b19179a227c455e17	Mirai	elf mirai ua-wget
http://89.42.88.239/hiddenbin/boatnet.m68k	c8f22977ad3af77f171902919a0344fc210bdefcc08ee2e24d266cb608dbd0d6	Mirai	elf mirai ua-wget
http://89.42.88.239/hiddenbin/boatnet.sh4	e7641095f4d479eb201878c9e67cf1624bb47ad97306aab4f6dad9dbf06c3db8	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685cdbc132ed47a3a8d76116linux22vpnfull_triage

Tags:

trojandownloader downloader agent

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/867513e8-f909-4802-b58d-31712e61b51c

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c1d8d718cc73faf4786acee4d6d7dd01424fd4505ab0a9f50a6f50377c894f7d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c1d8d718cc73faf4786acee4d6d7dd01424fd4505ab0a9f50a6f50377c894f7d/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-06-26 05:22:22 UTC

File Type:

Text (Shell)

AV detection:

23 of 36 (63.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yhmnoggmop5pi6dkz3snnv65afbe7vcqlkykt5ikn5ido7ejj56q._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250626-f9t2mafn8v/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c1d8d718cc73/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Mirai

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/c1d8d718cc73faf4786acee4d6d7dd01424fd4505ab0a9f50a6f50377c894f7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.