MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cece11963249ce094941b57bff342db7a322bea4e74250c10503abdac6b82aef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	cece11963249ce094941b57bff342db7a322bea4e74250c10503abdac6b82aef
SHA3-384 hash:	e1c7f1c13337dad14da8b3781415a5a86790a980fe8eb9313d38684a159b0fc6c025b6bf52453687af9350c94e45c9a0
SHA1 hash:	b58c47b75e4ef6eca63ad72a31b984b192fec56d
MD5 hash:	1bcfde7d0142459d9fdb1d71e3840db2
humanhash:	eight-nebraska-pip-social
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'784 bytes
First seen:	2025-10-18 15:58:37 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:iL393Mx3O3E3gB3EE313O3T3U3Y3w3Z3kwz:Ytcxe0wBtl+DEogJ0W
TLSH	T1BE718495D80250B41D5E6772A9FB22AAF191B3C238E77E0F7A8C68F4618CF4154C9DE1
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.arc	9bbbc7e6130003b0f5eec08a6ecec6d8930851b060df3b1c5f94c2f2f909df0d	Mirai	mirai opendir
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86	a7d3ea598f8397518cf54946c3c3a287c9d2ab8cae8d8dcddeeb2e1ffe6707ce	Mirai	mirai opendir
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.x86_64	e133b2bdca392330464db0c7bca9ef03128c68c7d474edd3d24680fda250f486	Mirai	mirai opendir
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.i686	ec942d84ec57cc59f0ec4eda261ba088df6db6594620d4670d46bb4ccf7f824d	Mirai	mirai opendir
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips	ad9148150a90ec5114cc3f8cf5fc3414b16bbb4ba6f1091c250ccb4a7b0716fa	Mirai	mirai opendir
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.mips64	n/a	n/a	elf ua-wget
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.mpsl	9be8ec509eccd01d5c7698e6a67b5d001f1c77bceb9cdcdf4b2cac43b1bc32cc	Mirai	mirai opendir
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm	a5bbbc56e90ad697bd49cc950f982ad90da48c56838b1ba30a9a5e930677fe76	Mirai	mirai opendir
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm5	f2feb0015b5cce34b0b77b38130b8847288a209a0b3c8d1345ba2be630f22faa	Mirai	mirai opendir
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm6	57a870191cfacd9e04d206e9a33c1f01262374532525f558add1cc4e4d73cee1	Mirai	mirai opendir
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.arm7	b45bdef80933435e9840ed965fe778113490cb1f9afc0baee06301c1ad06836e	Mirai	mirai opendir
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.ppc	fc09d9d48b1fa771b39aa50bb1fe77e3dfb8213283e0a6a693946dad33edd393	Mirai	mirai opendir
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.sparc	n/a	n/a	elf ua-wget
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.m68k	871f02bcc6c869814b7ae9f7f708e5972d47609e72524854f79ebab573a43aaf	Mirai	mirai opendir
http://160.238.13.201/HideChaotic/ub8ehJSePAfc9FYqZIT6.sh4	9a9a4946241391b309c797a9633041f4b75c7e7fa621fc4a7dd775ba80e39e06	Mirai	mirai opendir

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-18T13:15:00Z UTC

Last seen:

2025-10-19T10:15:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/cece11963249ce094941b57bff342db7a322bea4e74250c10503abdac6b82aef/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/00b54e9c-3aa4-448c-80a4-651764d8de1e

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/cece11963249ce094941b57bff342db7a322bea4e74250c10503abdac6b82aef

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cece11963249ce094941b57bff342db7a322bea4e74250c10503abdac6b82aef/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-10-18 15:59:34 UTC

File Type:

Text (Shell)

AV detection:

17 of 24 (70.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z3hbdfrsjhhasskbwv576nbnw6rsfpve45bfbqifaov5vrvyflxq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/251018-tfab1stkhx/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cece11963249/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/cece11963249ce094941b57bff342db7a322bea4e74250c10503abdac6b82aef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.