MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f41e6de59989e2c6ed117b87578e0af3aaa5aaad2ef47a6e054f591b0c166d6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	f41e6de59989e2c6ed117b87578e0af3aaa5aaad2ef47a6e054f591b0c166d6d
SHA3-384 hash:	b6bc4f24071043ba0c2813e8531f21b1dfd11fd61df7c6b149cd2108968b1e3d1e49998ac22986afddcf5950ad78bf24
SHA1 hash:	ca6bd1110df1a696d8eddc5b05068e5fd9689b93
MD5 hash:	a45649aa9691bd169c078330a0303cc8
humanhash:	green-cardinal-single-batman
File name:	ohshit.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'940 bytes
First seen:	2025-08-19 03:42:36 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vsX7pX7N7hsX+X6GsXgWXzPsXuXKWsXgXoUsX7gX7o7UsXf3X3bsX5X9RsXEXcgx:vsX7pX7N7hsX+X6GsXgWXzPsXuXKWsX2
TLSH	T1C551FE8543040D7CA963EA67F6B68A6836C5949ACCE1FB99DDCCBEE0034EC607E40753
Magika	shell
Reporter	abuse_ch
Tags:	mirai sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://87.248.130.35/hiddenbin/boatnet.x86	8f0e238a567f9ca48b1c4b1a66632fc7b81677cc96cc4dc45bea2f911afede98	Mirai	elf mirai ua-wget
http://87.248.130.35/hiddenbin/boatnet.mips	3afc9fbca40c7438888ac8cf76960cacc995fbd318f5da8ab9a2c19aa7eb43c5	Mirai	elf mirai ua-wget
http://87.248.130.35/hiddenbin/boatnet.arc	ef22eb1202da76a34463883d389b4ba38fec546f63448baa5ce23f14df37e3fb	Mirai	elf mirai ua-wget
http://87.248.130.35/hiddenbin/boatnet.i468	n/a	n/a	elf ua-wget
http://87.248.130.35/hiddenbin/boatnet.i686	n/a	n/a	elf ua-wget
http://87.248.130.35/hiddenbin/boatnet.x86_64	n/a	n/a	elf ua-wget
http://87.248.130.35/hiddenbin/boatnet.mpsl	59133721df19c0f3a98427cb0488ae138aa57a72f5dd5bd93c0c04f8ce898f1c	Mirai	elf mirai ua-wget
http://87.248.130.35/hiddenbin/boatnet.arm	f5e000f5fbf47ca4af50578c9f7faa043cd26f387e265f76043a52e034a2648e	Mirai	32-bit elf mirai Mozi
http://87.248.130.35/hiddenbin/boatnet.arm5	2944417cc687828437b385ab784070a6ed78be9ff0351f0bb76252afd82f2d05	Mirai	elf mirai ua-wget
http://87.248.130.35/hiddenbin/boatnet.arm6	dfa9c94cf8083b93dd6b1671798925677c4d2b8d57fca00ae51cb53a2869af28	Mirai	elf mirai ua-wget
http://87.248.130.35/hiddenbin/boatnet.arm7	b50cb401830afeb0ababa44c7a4fd6ec8750e201390ab2552b1c94418d40af06	Mirai	32-bit elf mirai Mozi
http://87.248.130.35/hiddenbin/boatnet.ppc	fff1297728f6e5c4d08c640cabff2461d7af035b9e7d17c955fcba6582aff8c2	Mirai	elf mirai ua-wget
http://87.248.130.35/hiddenbin/boatnet.spc	n/a	n/a	elf ua-wget
http://87.248.130.35/hiddenbin/boatnet.m68k	614da65bb9290e16302332692a6f7a0e722f1081ef2f8379d438addab8587fe5	Mirai	elf mirai ua-wget
http://87.248.130.35/hiddenbin/boatnet.sh4	1ff919c6528e2e4531ffe74ac4cd35c9fbbd513cc38fb69bedf7ebb16f961b9b	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/2cee85c0-829f-4bad-a947-e7b0ee08732d

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f41e6de59989e2c6ed117b87578e0af3aaa5aaad2ef47a6e054f591b0c166d6d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f41e6de59989e2c6ed117b87578e0af3aaa5aaad2ef47a6e054f591b0c166d6d/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/f41e6de59989e2c6ed117b87578e0af3aaa5aaad2ef47a6e054f591b0c166d6d

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-08-17 17:38:00 UTC

File Type:

Text (Shell)

AV detection:

18 of 24 (75.00%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6qpg3zmzrhrmn3irpodvpdqk6ovklkvnf32hu3qfj5mrwdawnvwq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd antivm botnet defense_evasion discovery linux upx

Link:

https://tria.ge/reports/250819-d97avazxfv/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Checks CPU configuration

UPX packed file

Enumerates running processes

Writes file to system bin folder

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Mirai

Mirai family

Malware family:

Mirai

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f41e6de59989/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.39

Link:

https://yomi.yoroi.company/submissions/f41e6de59989e2c6ed117b87578e0af3aaa5aaad2ef47a6e054f591b0c166d6d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.