MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0134ba0d82da47549afbf4ff619fe518bf4863eff0f49c939457cbf81c2d15b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 13


Intelligence 13 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0134ba0d82da47549afbf4ff619fe518bf4863eff0f49c939457cbf81c2d15b8
SHA3-384 hash: 9a4d46f522b9923beaeb77c000e467ba28754ef41632f4db5a817d0f95b9d574c4dbec442a6d37784e3ab2bd4f69da8a
SHA1 hash: fd9090f0d4696fa6b5adb71c2b2fbbbb923728b9
MD5 hash: 36207ad6597e99c6826a0f960122c7b6
humanhash: sixteen-jersey-kentucky-juliet
File name:db0fa4b8db0333367e9bda3ab68b8042.x86
Download: download sample
Signature Mirai
Create hunting rule
File size:76'080 bytes
First seen:2025-12-19 10:30:28 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:hfV4LLVtRuHZU6jaetKql8Zxj6WEhiz0AmhZP/QJiMCh:5VSLVtRuHZU6jRU68LHn4AmnYk
TLSH T101735CC5A943D8F5DE150A3470B7FF36867AE43E2169EAD3D3A85A73BD41602D00329D
telfhash t1d921cdf92e764ce8bbd4a401c34a87323a6d977b196032b348f3753421a5a530876c75
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 fe41937c3b1cf4a2bf8d120e7a16414c85ba458b96f9b637685779c512272c97
File size (compressed) :34'532 bytes
File size (de-compressed) :76'080 bytes
Format:linux/i386
Packed file: fe41937c3b1cf4a2bf8d120e7a16414c85ba458b96f9b637685779c512272c97

Intelligence

File Origin
# of uploads :
1
# of downloads :
43
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Mirai
Details
Mirai
an XOR decryption key and at least a c2 socket address
Link:
https://research.acce.ciphertechsolutions.com/results/779b6e16-44ce-4802-acba-44c715030957/
Detection(s):
SecuriteInfo.com.Linux.Mirai-63.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28940.LC.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.29524.LC.UNOFFICIAL
Create hunting rule

Unix.Dropper.Mirai-7135870-0
Create hunting rule

Unix.Dropper.Mirai-7135906-0
Create hunting rule

Unix.Dropper.Mirai-7135966-0
Create hunting rule

Unix.Dropper.Mirai-7135979-0
Create hunting rule

Unix.Dropper.Mirai-7355719-0
Create hunting rule

Unix.Trojan.Mirai-9935718-0
Create hunting rule

Unix.Malware.Mirai-9939313-0
Create hunting rule

Unix.Dropper.Mirai-9977145-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CVE-2017-17215 exploit gafgyt masquerade mirai obfuscated
Link:
https://www.filescan.io/uploads/69452975e126b9ff438890f7/reports/1466de38-b228-4a72-a457-33b2d10d0bce/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-12-19T08:03:00Z UTC
Last seen:
2025-12-19T10:03:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/0134ba0d82da47549afbf4ff619fe518bf4863eff0f49c939457cbf81c2d15b8/results?tab=lookup
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/962c7d0d-8212-4bae-9831-8b410ae3d42f
Result
Threat name:
Mirai, Gafgyt
Create hunting rule
Detection:
malicious
Classification:
spre.troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1836190
Signature
Antivirus / Scanner detection for submitted sample
Detected Mirai
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample tries to kill multiple processes (SIGKILL)
Suricata IDS alerts for network traffic
Uses known network protocols on non-standard ports
Yara detected Gafgyt
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1836190 Sample: db0fa4b8db0333367e9bda3ab68... Startdate: 19/12/2025 Architecture: LINUX Score: 100 29 197.190.12.204 zain-asGH Ghana 2->29 31 156.124.58.112, 37215 XNSTGCA United States 2->31 33 99 other IPs or domains 2->33 35 Suricata IDS alerts for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 5 other signatures 2->41 8 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 2->8         started        10 xfce4-panel wrapper-2.0 2->10         started        12 xfce4-panel wrapper-2.0 2->12         started        14 8 other processes 2->14 signatures3 process4 process5 16 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 8->16         started        18 wrapper-2.0 xfpm-power-backlight-helper 10->18         started        process6 20 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 16->20         started        23 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 16->23         started        25 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 16->25         started        27 3 other processes 16->27 signatures7 43 Sample tries to kill multiple processes (SIGKILL) 20->43
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/0134ba0d82da47549afbf4ff619fe518bf4863eff0f49c939457cbf81c2d15b8
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0134ba0d82da47549afbf4ff619fe518bf4863eff0f49c939457cbf81c2d15b8/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-12-19 10:31:17 UTC
File Type:
ELF32 Little (Exe)
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ae2ludmc3jdvjgx36t7wdh7fdc7uqy7p6d2jze4uk7f7qhbncw4a._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:unstable defense_evasion discovery linux
Link:
https://tria.ge/reports/251219-mj3z6sznhx/
Behaviour
Reads runtime system information
Changes its process name
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Contacts a large (193347) amount of remote hosts
Creates a large amount of network flows
Malware Config
C2 Extraction:
cnc.504.su
scan.504.su
Verdict:
Malicious
Tags:
botnet mirai trojan gafgyt Unix.Dropper.Mirai-7135870-0
YARA:
MAL_ELF_LNX_Mirai_Oct10_1 Linux_Trojan_Gafgyt_ea92cca8 Linux_Trojan_Mirai_fa3ad9d0 Linux_Trojan_Mirai_b14f4c5d Linux_Trojan_Mirai_93fc3657 Linux_Trojan_Mirai_804f8e7c Linux_Trojan_Mirai_99d78950 Linux_Trojan_Mirai_a68e498c Linux_Trojan_Mirai_88de437f Linux_Trojan_Mirai_ae9d0fa6 Linux_Trojan_Mirai_389ee3e9 Linux_Trojan_Mirai_cc93863b Linux_Trojan_Mirai_8aa7b5d3
Link:
https://app.threat.zone/submission/d42bd754-fd47-4a39-8982-18a14efb57e7
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mirai
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0134ba0d82da47549afbf4ff619fe518bf4863eff0f49c939457cbf81c2d15b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_Yakuza
Create hunting rule
Author:NDA0E
Description:Yakuza botnet
Rule name:CVE_2017_17215
Create hunting rule
Author:NDA0E
Description:Detects exploitation attempt of CVE-2017-17215
Rule name:ELF_Mirai
Create hunting rule
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_ea92cca8
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_389ee3e9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_804f8e7c
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_88de437f
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_8aa7b5d3
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_93fc3657
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_99d78950
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_a68e498c
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_ae9d0fa6
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_b14f4c5d
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_cc93863b
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_fa3ad9d0
Create hunting rule
Author:Elastic Security
Rule name:MAL_ELF_LNX_Mirai_Oct10_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects ELF Mirai variant
Reference:Internal Research
Rule name:MAL_ELF_LNX_Mirai_Oct10_1_RID2F39
Create hunting rule
Author:Florian Roth
Description:Detects ELF Mirai variant
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf fe41937c3b1cf4a2bf8d120e7a16414c85ba458b96f9b637685779c512272c97

Mirai

elf 0134ba0d82da47549afbf4ff619fe518bf4863eff0f49c939457cbf81c2d15b8

(this sample)

  
Dropped by
SHA256 fe41937c3b1cf4a2bf8d120e7a16414c85ba458b96f9b637685779c512272c97
  
URLhaus
https://urlhaus.abuse.ch/url/3669666/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 de62f72845561544a82b44a5dcc419fb
  
URLhaus
https://urlhaus.abuse.ch/url/3716487/
  
URLhaus
https://urlhaus.abuse.ch/url/3669670/
  
Dropped by
SHA256 345788eabb975481037f214c074eed2e01f6ecbec45681ac1e38e651175a77d8
  
Dropped by
MD5 fad21da0336f5ec9fc9e8801edeed9ed
  
Dropped by
SHA256 408190407003a55d8159f11dd07276bb3523bdeab7d86fa04ca4dabd40365001
  
Dropped by
MD5 87455d78ef277e014ad2ea913b5d017e
  
Dropped by
SHA256 c71367be57de4ae4aacda61df508f5356d6a3b454ac910e9f774fac8cf27ef64
  
Dropped by
MD5 abfd5bec5419adcccff8331cfb7dba9b
  
Dropped by
SHA256 832bf2f75a1ab6d80387c37ca11f2a9c0c3cd217add30c6e7dcc8175c8e18d7b
  
Dropped by
MD5 65be96bc9b1bf5b2e14f81643d6c51eb
  
Dropped by
SHA256 43809edd788a28fecfa38ee1bbcf1bd8be2bcf359e20fa4ec7ddebc94d76069c
  
Dropped by
MD5 2c7ad81ace59170cf0a3a230924c78e5
  
Dropped by
SHA256 2ffdeab2400e30c5725d06228e1a47bc28b0aa9559fb69860f19ed03b8fcd95f
  
Dropped by
MD5 2d00dac503efa04c4363d1d0bef79cc4
  
Dropped by
SHA256 3247504a4242975b3a7901933eab2cfcfb4d56fed70c6a7ae49bcb510333b182
  
Dropped by
MD5 3bae1ecd22190b04e7d157fa1e45ac87
  
Dropped by
SHA256 67e48c5c814d61add4f3b588365bed5cfdba543613f206d8c1d9c46021788d0d
  
Dropped by
MD5 8d268a632e2ade51e90d50624b94adad
  
Dropped by
SHA256 ee00c8608b03d3615f82691d1083b7c0b735651264de32c08fc91d5d253b232b
  
Dropped by
MD5 bffb4be9d8e1625a58e32be37793844b
  
Dropped by
SHA256 283faaa9fc8bd92419688c20a71b23685381e3fcd6b4b4ae72fc773cf5bfb4c4
  
Dropped by
MD5 1df321c227de5fbe89521a6a74e740b7
  
Dropped by
SHA256 8b25edef9fbe562a259d1e185d94c0351615bcc34a7194db833eb7bee1bf864c
  
Dropped by
MD5 e1b2aa9b205daf8fe5b43648f78a2ec8
  
Dropped by
SHA256 51d2be83760edb354ca4661498c4ad8a1afb9ddb18018530e85ddd96c998852c
  
Dropped by
MD5 f8b433947719c864b6c6516dc41cbd56
  
Dropped by
SHA256 a8bf7fd01bb4a16af2fa1b13165f0f2c4753c3271feac14690d4dc6bb3268da0
  
Dropped by
MD5 559885e87cb41d52cbacef943159c602
  
Dropped by
SHA256 c668535e17521b53eecd34c132a3dbb2c65070194fb019e9bd4805f82d04784e
  
Dropped by
MD5 b1fee40bc19ec1a293ade48d220c507a
  
Dropped by
SHA256 e5f1f0364b4ac0de4a17c141d9b6e86ccbcf20c2af78b9a425cdd167e9466075
  
Dropped by
MD5 8931059721c424d3042a8d9344ab2930
  
Dropped by
SHA256 d1bd69626e207679d3b239d6925dafebc466a587a564ebafc3de70a3c8ec6582
  
Dropped by
MD5 236256ce34eba7f94e82f9535433cbde
  
Dropped by
SHA256 9a23b008a6581bf66db9decfff8c0439b3e196ee7ac070a9203719c8a7a33e78
  
Dropped by
MD5 1c9f7eb1279b68dee7da5336daac6c0d
  
Dropped by
SHA256 71261f9bfc0872f3603effa16c96c289515cbfa779681e3e1ee2bf797c56704f
  
Dropped by
MD5 e385f15fe3e76fab547cb7d2654d8a9a
  
Dropped by
SHA256 c9ab774993000422e89e9239b5af0b69be3b5743c86c9d95ffce27999789c83c
  
Dropped by
MD5 2525ba9e822ec45bb887a5d087c96ec9
  
Dropped by
SHA256 adb093323fb9006e784b5aee4093c6c712b2b6ee6343cd49ad323da23986c776
  
Dropped by
MD5 f5afbc98340ef09fcdbeaa2553dc76c3
  
URLhaus
https://urlhaus.abuse.ch/url/3669709/
  
URLhaus
https://urlhaus.abuse.ch/url/3725844/
  
URLhaus
https://urlhaus.abuse.ch/url/3669715/
  
URLhaus
https://urlhaus.abuse.ch/url/3725846/
  
URLhaus
https://urlhaus.abuse.ch/url/3669701/
  
URLhaus
https://urlhaus.abuse.ch/url/3669705/
  
URLhaus
https://urlhaus.abuse.ch/url/3669695/
  
URLhaus
https://urlhaus.abuse.ch/url/3725845/
  
URLhaus
https://urlhaus.abuse.ch/url/3669704/
  
URLhaus
https://urlhaus.abuse.ch/url/3669707/
  
URLhaus
https://urlhaus.abuse.ch/url/3669714/
  
URLhaus
https://urlhaus.abuse.ch/url/3669694/
  
URLhaus
https://urlhaus.abuse.ch/url/3669727/
  
URLhaus
https://urlhaus.abuse.ch/url/3669711/
  
URLhaus
https://urlhaus.abuse.ch/url/3725851/
  
URLhaus
https://urlhaus.abuse.ch/url/3669702/
  
URLhaus
https://urlhaus.abuse.ch/url/3725843/
  
URLhaus
https://urlhaus.abuse.ch/url/3669717/
  
URLhaus
https://urlhaus.abuse.ch/url/3725847/
  
URLhaus
https://urlhaus.abuse.ch/url/3669690/
  
URLhaus
https://urlhaus.abuse.ch/url/3669699/
  
URLhaus
https://urlhaus.abuse.ch/url/3669713/
  
URLhaus
https://urlhaus.abuse.ch/url/3725853/
  
URLhaus
https://urlhaus.abuse.ch/url/3669696/
  
URLhaus
https://urlhaus.abuse.ch/url/3725848/
  
URLhaus
https://urlhaus.abuse.ch/url/3669712/
  
URLhaus
https://urlhaus.abuse.ch/url/3669697/
  
URLhaus
https://urlhaus.abuse.ch/url/3725849/
  
URLhaus
https://urlhaus.abuse.ch/url/3725855/
  
URLhaus
https://urlhaus.abuse.ch/url/3669726/
  
URLhaus
https://urlhaus.abuse.ch/url/3725852/
  
Dropped by
SHA256 5696427021b6016b4b0a22d131330bacd260554685b530dd30d72dca9a6f6f3e
  
Dropped by
MD5 3a1bfa935f1cd3e12fe9842c799b22a8
  
Dropped by
SHA256 31cc14fb020d386110003b4518621cc0347c6fcc6b81653331f8ec9e1e609cbf
  
Dropped by
MD5 83d9843740dcfc66c5743704e67f0b95
  
URLhaus
https://urlhaus.abuse.ch/url/3725856/
  
URLhaus
https://urlhaus.abuse.ch/url/3669708/
  
Dropped by
SHA256 451d5a38b1ee4c58dfe164633dbf8a684b9554efe0093491d69484c25e30687f
  
Dropped by
MD5 482cab02eaf81c7cbe980f77c79a2ac5
  
Dropped by
SHA256 c585b81e0285d171fdd99cc9a44e0873c2bbd6778c20307c96d0a5f4fb5e7c89
  
Dropped by
MD5 8e41c140c37dc1d46b23ad86c6fd173b
  
URLhaus
https://urlhaus.abuse.ch/url/3716594/

Comments