MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc35aa4c01c11cef05eb3ba05e52fac7de17350edcbfbe10e272f9d98d3ed3bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	dc35aa4c01c11cef05eb3ba05e52fac7de17350edcbfbe10e272f9d98d3ed3bc
SHA3-384 hash:	7d718e71e8b1e82b8fa4758fc583f0b9499239babed98f118963bb48be3149fa166366ae3676a868a9130a576d0a6244
SHA1 hash:	f3dc639cb1aa0bc5ce1a90aef8b67bd4396a384f
MD5 hash:	20667aac4970dd04963e52d9f3e760f0
humanhash:	eighteen-fillet-enemy-juliet
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	3'037 bytes
First seen:	2025-09-16 06:52:12 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:ic757N7hcm6GcguzPcWKWcooUc7o7o7Ucfn3bcJ9RckcgctpVcuSOcy+Cc3fTcfG:ic757N7hcm6GcguzPcWKWcooUc7o7o7w
TLSH	T12251E58562044E7418A76E17F67651A83082A093ECFDEFDAD9E8FBE81B4ED10B940753
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://195.248.240.141/hiddenbin/boatnet.x86	f01c4c644e3e1f5eda07b757f02a6ae773584a52fea94acd7c42f2ffb21cd855	Mirai	elf geofenced mirai opendir ua-wget USA
http://195.248.240.141/hiddenbin/boatnet.mips	499643893e03001bfc362cb959d7adf18cb7bdbb49452284fb4fef2217700e78	Mirai	32-bit elf mirai Mozi
http://195.248.240.141/hiddenbin/boatnet.arc	f126f5c9e00d2410ea652a7ed9792744b4018d415156857e57594dab242732dd	Mirai	elf geofenced mirai opendir ua-wget USA
http://195.248.240.141/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://195.248.240.141/hiddenbin/boatnet.i686	n/a	n/a	elf ua-wget
http://195.248.240.141/hiddenbin/boatnet.x86_64	n/a	n/a	elf ua-wget
http://195.248.240.141/hiddenbin/boatnet.mpsl	176f4f628e68d4a8654f2accdc20767c7002e3586097fddc3115927bc8c30cbc	Mirai	elf geofenced mirai opendir ua-wget USA
http://195.248.240.141/hiddenbin/boatnet.arm	531abc5d50abad8da7ed5a8aa03c5a0ff93e0abc1a6902b0ad0749ae0b07922b	Mirai	elf geofenced mirai opendir ua-wget USA
http://195.248.240.141/hiddenbin/boatnet.arm5	fc1d102f8b271fcfdc812325e7a7a4f23dd2c10b78c3b799c4692f0f04414ade	Mirai	elf geofenced mirai opendir ua-wget USA
http://195.248.240.141/hiddenbin/boatnet.arm6	b71da3283b93f4514831f964bbfc6aff6919695ae64b89a5e568632be79bfd81	Mirai	elf geofenced mirai opendir ua-wget USA
http://195.248.240.141/hiddenbin/boatnet.arm7	bb65e5a41a7a37642d24405127fd7539017ea2d4a0df36c0a6258d429b648713	Mirai	elf geofenced mirai opendir ua-wget USA
http://195.248.240.141/hiddenbin/boatnet.ppc	d11155289af909cf6ced3d2374f1f92f6cf8365605b2fb793470b5f5859ccdd0	Mirai	elf geofenced mirai opendir ua-wget USA
http://195.248.240.141/hiddenbin/boatnet.spc	n/a	n/a	elf ua-wget
http://195.248.240.141/hiddenbin/boatnet.m68k	fac662e8ece923483c7baa3dba098467e1823e60ac63ab946e98f275c7bb62dd	Mirai	32-bit elf mirai Mozi
http://195.248.240.141/hiddenbin/boatnet.sh4	8aa1abbc2e72a49bb19df3904d081a6d05b2197ae904deb517880d9a9ac8a1ef	Mirai	elf geofenced mirai opendir ua-wget USA

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-16T04:48:00Z UTC

Last seen:

2025-09-16T04:48:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/dc35aa4c01c11cef05eb3ba05e52fac7de17350edcbfbe10e272f9d98d3ed3bc/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/026ff3d3-e2ed-4eb3-90c4-308df7918d67

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/dc35aa4c01c11cef05eb3ba05e52fac7de17350edcbfbe10e272f9d98d3ed3bc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dc35aa4c01c11cef05eb3ba05e52fac7de17350edcbfbe10e272f9d98d3ed3bc/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-09-16 06:52:36 UTC

File Type:

Text (Shell)

AV detection:

23 of 38 (60.53%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3q22utabyeoo6bplhoqf4ux2y7pbonio3s734ehcol45tdj62o6a._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250916-hnclka11hy/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware Config

C2 Extraction:

103.191.63.195

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dc35aa4c01c1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/dc35aa4c01c11cef05eb3ba05e52fac7de17350edcbfbe10e272f9d98d3ed3bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.