MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb912d3295673bb37e533d3c8b61d347ef1ba344c3c33f51552dfdc9c2eb44aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	cb912d3295673bb37e533d3c8b61d347ef1ba344c3c33f51552dfdc9c2eb44aa
SHA3-384 hash:	bb48f943a0f7891e5bcc1cce4d676499bcd672c1bd0b90b2a8d4bfd8d17c508ec13fc6c6a464944a427b22e98999ecc1
SHA1 hash:	6b555051ce4628879d2948c50595da2a4101361f
MD5 hash:	7919151e719f835eab006c5a1c910277
humanhash:	enemy-gee-louisiana-minnesota
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'940 bytes
First seen:	2026-04-01 05:51:23 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vBA7gA7N7hBATA6GBAg7AzPBAjAKWBAdAoUBA7dA7o7UBAfWA3bBAQA9RBAJAcgR:vBA7gA7N7hBATA6GBAg7AzPBAjAKWBAI
TLSH	T15D51DEC651880C349D636E53EA76C19C71CA917128FAEBE5DACCF5E4814EE983940753
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	adliwahid
Tags:	mirai

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://82.23.183.167/hiddenbin/boatnet.x86	aed989d84071a05da9662f9b1de8d36973fdebcc641e9e9001c341dd899eebdf	Mirai	mirai
http://82.23.183.167/hiddenbin/boatnet.mips	ac914fe1b0ce527bb7f29f31bde365151a6fb65729e5980ff38b085b579bc457	Mirai	mirai
http://82.23.183.167/hiddenbin/boatnet.arc	bdd064c7894244e3b8b7465dbef00be1c64d588d8459d0d90884fd042c968ea1	Mirai	mirai
http://82.23.183.167/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://82.23.183.167/hiddenbin/boatnet.i686	n/a	n/a	elf ua-wget
http://82.23.183.167/hiddenbin/boatnet.x86_64	n/a	n/a	elf ua-wget
http://82.23.183.167/hiddenbin/boatnet.mpsl	ba4d2f103407816f75eb623830dd96d5bf1a368cfbdb47c604bb1f528c11e84d	Mirai	mirai
http://82.23.183.167/hiddenbin/boatnet.arm	8221d526fa678fec87590cb98767ca21cce09930dfae8701062db22083a4418f	Mirai	mirai
http://82.23.183.167/hiddenbin/boatnet.arm5	72e34026135410e3c8a717bb3cb16fe624b7259d88fbdfb1bb20dcadaf3aa386	Mirai	mirai
http://82.23.183.167/hiddenbin/boatnet.arm6	60497d4f2b60430f0ad48b50cdaa204b0d1f429cf3874aef811a0ce2ea35121f	Mirai	mirai
http://82.23.183.167/hiddenbin/boatnet.arm7	53698d89b3cce77d5023d421e065ffd2170019f91c219862d5985278d082a1b9	Mirai	mirai
http://82.23.183.167/hiddenbin/boatnet.ppc	3b4659ca648c5e42edbb1db07d331f9f0561d6adadd6f7a3537c6ddfa3656346	Mirai	mirai
http://82.23.183.167/hiddenbin/boatnet.spc	61f919f38d1244ffaa6afd556fbac3550e4e27f50fd07a84f8908d3f19eb5978	Mirai	mirai
http://82.23.183.167/hiddenbin/boatnet.m68k	3edd11ac6dc90a27a991b2c3c5cd1bf5f8c6b66732e81fef3d02ff9e0a6dd212	Mirai	mirai
http://82.23.183.167/hiddenbin/boatnet.sh4	985cb51febf70a96b96a977e2fb01d54d5b9f38a5930581e4e0fbdd1b1a35dd4	Mirai	mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Gathering data

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-03-31T23:26:00Z UTC

Last seen:

2026-04-01T14:21:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/cb912d3295673bb37e533d3c8b61d347ef1ba344c3c33f51552dfdc9c2eb44aa/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/4d805cc3-5976-44c9-9ec8-da24852ab89b

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/cb912d3295673bb37e533d3c8b61d347ef1ba344c3c33f51552dfdc9c2eb44aa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cb912d3295673bb37e533d3c8b61d347ef1ba344c3c33f51552dfdc9c2eb44aa/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-04-01 05:52:47 UTC

File Type:

Text (Shell)

AV detection:

23 of 36 (63.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zois2muvm453g7sthu6iwyoti7xrxi2eypbt6ukvfx64tqxlisva._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260401-gkzfgsby4x/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cb912d329567/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/cb912d3295673bb37e533d3c8b61d347ef1ba344c3c33f51552dfdc9c2eb44aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh