MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d58011db0b5bb21a50387d8f0d7e6a4da6fa0c9a896fb28709b23f4f47631007. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	d58011db0b5bb21a50387d8f0d7e6a4da6fa0c9a896fb28709b23f4f47631007
SHA3-384 hash:	68ca74c729598fd169096140381f69dcc7c43861e6c903c69b7f7d880cca13536afd31d971aebc5ee1dc2af131d9c93a
SHA1 hash:	042e719edecb03c16704028a90b099edd2f8a0e1
MD5 hash:	8ead438a4ce2a502f119e01584382a95
humanhash:	island-solar-bluebird-wisconsin
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'940 bytes
First seen:	2025-09-06 18:32:26 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vx7Q7N7hxD6Gxg7zPxzKWxdoUx7d7o7Uxfu3bxg9RxJcgxkpVx7SOxv+Cx+fTx2G:vx7Q7N7hxD6Gxg7zPxzKWxdoUx7d7o7G
TLSH	T18F51A38787768EB828636A17F7B681783081D0939CF9EB99EBC4BBE0834ED143154753
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://45.79.126.103/hiddenbin/boatnet.x86	103c7baac2ecef90db8e4583e56cdb0e93c006552019339a6ea5e67282b57c7f	Mirai	censys elf mirai ua-wget
http://45.79.126.103/hiddenbin/boatnet.mips	79f477ddebaddf16cf5965c31b2c480d82742fc7207d512071049e337b1a84a5	Mirai	censys elf mirai ua-wget
http://45.79.126.103/hiddenbin/boatnet.arc	n/a	n/a	elf ua-wget
http://45.79.126.103/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://45.79.126.103/hiddenbin/boatnet.i686	n/a	n/a	elf ua-wget
http://45.79.126.103/hiddenbin/boatnet.x86_64	n/a	n/a	elf ua-wget
http://45.79.126.103/hiddenbin/boatnet.mpsl	090c9dd8540ee3bcdd8fec6ecedb657439820b2a9a2c092260d5f288a1574515	Mirai	censys elf mirai ua-wget
http://45.79.126.103/hiddenbin/boatnet.arm	f5fd00d981f5e3987816ac6c68e4eb91eed42e5775169b74984a48ff44f4cb78	Mirai	censys elf mirai ua-wget
http://45.79.126.103/hiddenbin/boatnet.arm5	ff4af9890c5d89f5eccf39ae5ee1ce0298bb48255069905599ac75f05a72e755	Mirai	censys elf mirai ua-wget
http://45.79.126.103/hiddenbin/boatnet.arm6	788d9e6ae51a80f3f5b6647db426f171c62a8d7026e777d0d52a393bb06ed9b9	Mirai	censys elf mirai ua-wget
http://45.79.126.103/hiddenbin/boatnet.arm7	afeeb691c7733d1c3ac33a8a88f4e496323ad5346f8925c8f057bd1d8e4459bc	Mirai	censys elf mirai ua-wget
http://45.79.126.103/hiddenbin/boatnet.ppc	964f2f6e2bcf4bb33ee4ffe3db2e184722001b05ea499cf3892e0d43e2b1d96e	Mirai	censys elf mirai ua-wget
http://45.79.126.103/hiddenbin/boatnet.spc	n/a	n/a	elf ua-wget
http://45.79.126.103/hiddenbin/boatnet.m68k	e0e4fe62b7d6de7c7f84cc9f6a7082f20c0eed2967b0370f6b814a802476d17f	Mirai	censys elf mirai ua-wget
http://45.79.126.103/hiddenbin/boatnet.sh4	5e6e33f93d093c1f992e80f3d31758ff7ccb4ad97449022a75c6e2fc4566eaa8	Mirai	censys elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-06T16:04:00Z UTC

Last seen:

2025-09-06T16:04:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/d58011db0b5bb21a50387d8f0d7e6a4da6fa0c9a896fb28709b23f4f47631007/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/dce92222-8fc1-49b5-8abb-62ebb5b937c2

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/d58011db0b5bb21a50387d8f0d7e6a4da6fa0c9a896fb28709b23f4f47631007

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d58011db0b5bb21a50387d8f0d7e6a4da6fa0c9a896fb28709b23f4f47631007/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/d58011db0b5bb21a50387d8f0d7e6a4da6fa0c9a896fb28709b23f4f47631007

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-09-06 18:38:26 UTC

File Type:

Text (Shell)

AV detection:

24 of 37 (64.86%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2wabdwyllozbuubypwhq27tkjwtpude2rfx3fbyjwi7u6r3dcadq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250906-w72xfs1vey/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d58011db0b5b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/d58011db0b5bb21a50387d8f0d7e6a4da6fa0c9a896fb28709b23f4f47631007

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.