MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3140cc9dc1348c3d4d7f0e76211d5411083cf649c9ffd88dc2969e55d9f7b6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	e3140cc9dc1348c3d4d7f0e76211d5411083cf649c9ffd88dc2969e55d9f7b6f
SHA3-384 hash:	8360ce67e1fc848fc57aff700a8370d1a4356ffe29bec3384100a00e73618e0c564fa8f55422a403b319fb4b39e1f1d4
SHA1 hash:	347091a445038130c6a623852fc0cfc5139d5824
MD5 hash:	ba5b00bad9a8bc5a20ca00f9567715ec
humanhash:	lamp-whiskey-foxtrot-pip
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'910 bytes
First seen:	2026-02-25 07:04:31 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vt7u7N7htX6GtgfzPtHKWtZoUt7Z7o7Utf83bt+9Rt1cgtSpVtfSOtD+CtMfTtUm:vt7u7N7htX6GtgfzPtHKWtZoUt7Z7o74
TLSH	T1F7512AC541D40FB41C636B77EAB6416C33C6B6678CE1ABD5D9E4BBE0824EE5039407A3
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://83.142.209.9/hiddenbin/boatnet.x86	33704c6f682a5399f3a763bbef351afae4f64759a4d9eab086e3530fc4e13023	Mirai	elf mirai ua-wget
http://83.142.209.9/hiddenbin/boatnet.mips	0e5ce8920fc81721e195d6567473daeee40023ae542c0e641a099b39441f20cf	Mirai	elf mirai ua-wget
http://83.142.209.9/hiddenbin/boatnet.arc	3762a6a3b989850716155a080bf907ddde31d00903cf192dbd01fe3584bc3b1f	Mirai	elf mirai ua-wget
http://83.142.209.9/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://83.142.209.9/hiddenbin/boatnet.i686	n/a	n/a	elf ua-wget
http://83.142.209.9/hiddenbin/boatnet.x86_64	n/a	n/a	elf ua-wget
http://83.142.209.9/hiddenbin/boatnet.mpsl	be4e5905ac734250ef02d18c3cad7c537ae7f6c2b4a35a77da99c1e2eb74abb8	Mirai	elf mirai ua-wget
http://83.142.209.9/hiddenbin/boatnet.arm	c3bf3b0be0e8a68eef4365fcae96aeef658b18e32fe52c86701e13ae464ecd70	Mirai	elf mirai ua-wget
http://83.142.209.9/hiddenbin/boatnet.arm5	0260f7c239b5741341c84b2334222c98a8bfa688fb058472c2ac390b039ea100	Mirai	elf mirai ua-wget
http://83.142.209.9/hiddenbin/boatnet.arm6	03eba2113e1ce14bec510ab7c3cb9536886d9cc46ec02936538a610104ff09ba	Mirai	elf mirai ua-wget
http://83.142.209.9/hiddenbin/boatnet.arm7	ab277a4ed7e102b7ab4c204127cc5c38ba69cd8799d6042518457b0225abfde0	Mirai	elf mirai ua-wget
http://83.142.209.9/hiddenbin/boatnet.ppc	1ab5099ca53a7ac2fdfc5455f52f9b67036eb3d89a44ca98099a11cff86056fe	Mirai	elf mirai ua-wget
http://83.142.209.9/hiddenbin/boatnet.spc	6a8e701c2bccea14460cdf7bc8d92acf5ff1187554094565407cf91ce226cab2	Mirai	elf mirai ua-wget
http://83.142.209.9/hiddenbin/boatnet.m68k	aadd6c06fab540b50b2f84fe852b970fd625defa427597e8a4c0f33ca1320c35	Mirai	elf mirai ua-wget
http://83.142.209.9/hiddenbin/boatnet.sh4	f2d106119cf094bab39955c564eaa924ff7e0888d9e225c69fd0123cda5f43e7	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/e3140cc9dc1348c3d4d7f0e76211d5411083cf649c9ffd88dc2969e55d9f7b6f/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/223c4fcd-264c-45b4-9e8b-cdbb39f284a0

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e3140cc9dc1348c3d4d7f0e76211d5411083cf649c9ffd88dc2969e55d9f7b6f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e3140cc9dc1348c3d4d7f0e76211d5411083cf649c9ffd88dc2969e55d9f7b6f/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/e3140cc9dc1348c3d4d7f0e76211d5411083cf649c9ffd88dc2969e55d9f7b6f

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-02-25 05:46:32 UTC

File Type:

Text (Shell)

AV detection:

23 of 36 (63.89%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4mkazso4cnemhvgx6dtweeovieiiht3etsp73cg4ffu6kxm7pnxq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260225-hwt6ksfs7f/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e3140cc9dc13/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/e3140cc9dc1348c3d4d7f0e76211d5411083cf649c9ffd88dc2969e55d9f7b6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh