MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e284a2f322ef9f0fde7d982d001d626cb9a2452eb76e0b713530f2315de87e8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 6



SHA256 hash: e284a2f322ef9f0fde7d982d001d626cb9a2452eb76e0b713530f2315de87e8b
SHA3-384 hash: bba01401de5db022749645d8dbac5740b02087d4dc0bb3db995dc00a97bae79f1055379972beb238e0d6404d359fda5e
SHA1 hash: 120635613372da22ba9d30f6338e00621427fc42
MD5 hash: 6d6321057ba7d19f4abe97103cd4c6a0
humanhash: jig-angel-stairway-massachusetts
File name: ohshit.sh
Download: download sample
Signature: Mirai
File size: 2'734 bytes
First seen: 2025-07-20 18:14:40 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:ivRSv7uvuyvWyvMdkvqev4aCvjevWivhqvQKvGwvKsvv2vyD:isaJZjZSiZsTvvG4
TLSH: T12B5192DA331554386FF1DAA6B2FB801471E566A2EEC12E0AD5FDB4F9548CE0C20A0793
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 25
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
Threat: HEUR:Trojan-Downloader.Shell.Agent
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-07-20 18:15:45 UTC
File Type: Text (Shell)
AV detection: 21 of 36 (58.33%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:sora antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
UPX packed file
Enumerates active TCP sockets
Enumerates running processes
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (542722) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh e284a2f322ef9f0fde7d982d001d626cb9a2452eb76e0b713530f2315de87e8b

(this sample)

Delivery method: Distributed via web download
