MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c218a3067ba3d62259fdc61811a686d751fde495914a5ea662f6a08b7ff62018. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	c218a3067ba3d62259fdc61811a686d751fde495914a5ea662f6a08b7ff62018
SHA3-384 hash:	2eac0ea5ddcb69c48ad12cca52978d2755699a670736912cf60171ce88c8e3faaa9979470a15e781420f5bb0f5881e4f
SHA1 hash:	42a3654514acadb97a72ad301e94b002f4fc997c
MD5 hash:	cb5077badc015a24beedbb7336b8fbba
humanhash:	georgia-nineteen-zebra-autumn
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'970 bytes
First seen:	2025-09-17 15:17:31 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:v57C7N7h5j6G5gbzP5TKW5loU57l7o7U5fA3b5S9R5xcg5GpV5bSO5f+C5QfT5Im:v57C7N7h5j6G5gbzP5TKW5loU57l7o7Q
TLSH	T10951168563C44D782C636A53E6B6412872DAF4568CE2BFD5D9CCBFE0234EE10B941B53
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://89.213.174.225/hiddenbin/boatnet.x86	dfeb7acda278f46310539560d46c1f4054ba255aaba0b75ea1c6f5634779b847	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.mips	ce037db965e1b96149c34a219dd31a069b78db3b2892540540c99f2e95250e88	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.arc	e14148ef50afaf90475f6a13323b0a1547c747c45895b0d1c6ecbdfe773324f9	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://89.213.174.225/hiddenbin/boatnet.i686	4b6e5cc2aa27d0338421feb62a952f652076f5436aa6580abfc3f7a018815232	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.x86_64	3450424b0f9a0f3b78d9a4701bb572a0476b27e1db1d041b41eb9aa8da2aa1f6	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.mpsl	282786263a89c5ff2cdec8c2e021d670a6073d99f0e03b65f0e6f07024b4f81c	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.arm	3d1c06ab7a63ea3ab6fe5f226e3e0c7faa7c6926000fb048fcd041fb1d5b14a7	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.arm5	cf6613970a53f466364a6422761d28724f6ef50983bce95fe285dc7d72da3c21	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.arm6	6cb58686e4a5196264c6d7b8c3f3cd5c8b78388cb7dcb0b79f0ad56de2e8ec14	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.arm7	080697ddd9ab71acfd9b736168a0ecabda7cb3a1c86f36a2660943b67249923c	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.ppc	7f5e4a7f021e83738bb50c721651dc9b3a415014fdab6399ea6c465605028985	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.spc	6fa54a5ddce877dece40fcad3695ace427c43c1912422ecd895be284309c6eef	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.m68k	4245b7a26616ea900e29beca8314057ffe821a0ff0910d4977c04d03e0a8836a	Mirai	elf mirai ua-wget
http://89.213.174.225/hiddenbin/boatnet.sh4	9994f9cd9011844f69e34910db7219b75c47e36d730b27a5eb90cbbf8c8a4c79	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-17T09:52:00Z UTC

Last seen:

2025-09-17T09:52:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/c218a3067ba3d62259fdc61811a686d751fde495914a5ea662f6a08b7ff62018/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/4dfbb295-f5d2-40b8-857b-19fbabce5e14

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c218a3067ba3d62259fdc61811a686d751fde495914a5ea662f6a08b7ff62018

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c218a3067ba3d62259fdc61811a686d751fde495914a5ea662f6a08b7ff62018/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/c218a3067ba3d62259fdc61811a686d751fde495914a5ea662f6a08b7ff62018

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-09-17 15:07:49 UTC

File Type:

Text (Shell)

AV detection:

24 of 38 (63.16%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yimkgbt3uplcewp5yymbdjug25i73zevsfff5jtc62qiw77weama._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250917-sph5va1xbx/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c218a3067ba3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/c218a3067ba3d62259fdc61811a686d751fde495914a5ea662f6a08b7ff62018

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.