MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ac663b01f2911059097f7497352f7477d8bbf96145501893be6ca286794ce5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ac663b01f2911059097f7497352f7477d8bbf96145501893be6ca286794ce5a
SHA3-384 hash: d392659db0b84e438b7c1852c8c50a615e6ad437d6ef3301f79603830916d2cb9b22855f50468f0dcf016fa9b96df2b0
SHA1 hash: fa293c7a645ad3818875794d9acb4c95a72a0438
MD5 hash: 6161c3027035e6dd1105c69c4ad256db
humanhash: eleven-cola-black-hamper
File name:ub8ehJSePAfc9FYqZIT6.x86
Download: download sample
Signature Mirai
Create hunting rule
File size:38'172 bytes
First seen:2025-12-27 21:33:46 UTC
Last seen:2025-12-27 21:36:49 UTC
File type: elf
MIME type:application/x-executable
ssdeep 768:O08AiXBZlfR9QavzASIAAZ6S6+hOdt3tGpDbnbcuyD7UHQRj4:O5AiX3lTQizGAA6f8e3tWbnouy8Hy0
TLSH T1C703F222E46BC901C02510F888E5F35A4465F90EB95ADB585D84373FDBE7231BA3B7E2
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai UPX
File size (compressed) :38'172 bytes
File size (de-compressed) :74'864 bytes
Format:linux/i386
Unpacked file: e666d78b84fc2c65dc3c956482f6a23ee53a5ea32c5b763d97299620f935295f

Intelligence

File Origin
# of uploads :
2
# of downloads :
33
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/2e12da54-23b8-4eb9-b8ea-e41c4709f48c/
Detection(s):
Unix.Dropper.Mirai-7135858-0
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade mirai obfuscated packed upx
Link:
https://www.filescan.io/uploads/695050d584afa5547b5ee0c1/reports/bcd0b4e3-2f77-4097-94a8-4712551556f0/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-12-27T18:52:00Z UTC
Last seen:
2025-12-28T12:49:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/0ac663b01f2911059097f7497352f7477d8bbf96145501893be6ca286794ce5a/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/79149634-125d-4d48-b589-85eaae4f56ac
Behavior Graph:
Download SVG
%3 guuid=5e607b8b-1700-0000-3638-a126e1090000 pid=2529 /usr/bin/sudo guuid=23aa1d8d-1700-0000-3638-a126e8090000 pid=2536 /tmp/sample.bin net guuid=5e607b8b-1700-0000-3638-a126e1090000 pid=2529->guuid=23aa1d8d-1700-0000-3638-a126e8090000 pid=2536 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=23aa1d8d-1700-0000-3638-a126e8090000 pid=2536->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=c414f48d-1700-0000-3638-a126e9090000 pid=2537 /tmp/sample.bin guuid=23aa1d8d-1700-0000-3638-a126e8090000 pid=2536->guuid=c414f48d-1700-0000-3638-a126e9090000 pid=2537 clone guuid=da9515ba-1800-0000-3638-a126650c0000 pid=3173 /tmp/sample.bin guuid=23aa1d8d-1700-0000-3638-a126e8090000 pid=2536->guuid=da9515ba-1800-0000-3638-a126650c0000 pid=3173 clone guuid=1d4d20ba-1800-0000-3638-a126660c0000 pid=3174 /tmp/sample.bin dns net send-data zombie guuid=23aa1d8d-1700-0000-3638-a126e8090000 pid=2536->guuid=1d4d20ba-1800-0000-3638-a126660c0000 pid=3174 clone guuid=d739fb8d-1700-0000-3638-a126ea090000 pid=2538 /tmp/sample.bin guuid=c414f48d-1700-0000-3638-a126e9090000 pid=2537->guuid=d739fb8d-1700-0000-3638-a126ea090000 pid=2538 clone guuid=0a88008e-1700-0000-3638-a126eb090000 pid=2539 /tmp/sample.bin dns net send-data zombie guuid=c414f48d-1700-0000-3638-a126e9090000 pid=2537->guuid=0a88008e-1700-0000-3638-a126eb090000 pid=2539 clone guuid=0a88008e-1700-0000-3638-a126eb090000 pid=2539->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con 4f6baed0-9587-596c-82b3-fd721afe4cc1 10.0.2.3:53 guuid=0a88008e-1700-0000-3638-a126eb090000 pid=2539->4f6baed0-9587-596c-82b3-fd721afe4cc1 send: 1178B b56683c0-9fd4-5038-b0fa-d85f3c9a4b9f bytenet.serveftp.com:3778 guuid=0a88008e-1700-0000-3638-a126eb090000 pid=2539->b56683c0-9fd4-5038-b0fa-d85f3c9a4b9f send: 155B guuid=1d4d20ba-1800-0000-3638-a126660c0000 pid=3174->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=1d4d20ba-1800-0000-3638-a126660c0000 pid=3174->4f6baed0-9587-596c-82b3-fd721afe4cc1 send: 1178B guuid=1d4d20ba-1800-0000-3638-a126660c0000 pid=3174->b56683c0-9fd4-5038-b0fa-d85f3c9a4b9f send: 150B
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7f10088c-6fb4-408d-bdf9-911bbb18ad4c
Result
Threat name:
Gafgyt, Mirai
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1840517
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Yara detected Gafgyt
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1840517 Sample: ub8ehJSePAfc9FYqZIT6.x86.elf Startdate: 27/12/2025 Architecture: LINUX Score: 76 20 bytenet.serveftp.com 45.83.207.105, 3778, 42488, 42490 CLOUVIDERClouvider-GlobalASNGB Netherlands 2->20 22 Malicious sample detected (through community Yara rule) 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected Gafgyt 2->26 28 2 other signatures 2->28 8 ub8ehJSePAfc9FYqZIT6.x86.elf 2->8         started        signatures3 process4 process5 10 ub8ehJSePAfc9FYqZIT6.x86.elf 8->10         started        12 ub8ehJSePAfc9FYqZIT6.x86.elf 8->12         started        14 ub8ehJSePAfc9FYqZIT6.x86.elf 8->14         started        process6 16 ub8ehJSePAfc9FYqZIT6.x86.elf 10->16         started        18 ub8ehJSePAfc9FYqZIT6.x86.elf 10->18         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/0ac663b01f2911059097f7497352f7477d8bbf96145501893be6ca286794ce5a
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0ac663b01f2911059097f7497352f7477d8bbf96145501893be6ca286794ce5a/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-12-27 21:34:15 UTC
File Type:
ELF32 Little (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bldghma7feiqleex65exguxxi56yxp4wcrkqdcj343fcqz4uzzna._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:lzrd botnet defense_evasion discovery linux upx
Link:
https://tria.ge/reports/251227-1etslazqcx/
Behaviour
Reads runtime system information
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Mirai
Mirai family
Verdict:
Malicious
Tags:
Unix.Dropper.Mirai-7135858-0
YARA:
n/a
Link:
https://app.threat.zone/submission/ba8b83e7-1fb2-48a7-9a92-50373653ff24
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/0ac663b01f2911059097f7497352f7477d8bbf96145501893be6ca286794ce5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 0ac663b01f2911059097f7497352f7477d8bbf96145501893be6ca286794ce5a

(this sample)

Mirai

elf e666d78b84fc2c65dc3c956482f6a23ee53a5ea32c5b763d97299620f935295f

  
URLhaus
https://urlhaus.abuse.ch/url/3744941/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 e666d78b84fc2c65dc3c956482f6a23ee53a5ea32c5b763d97299620f935295f
  
Dropping
MD5 e745ff6f0a2bdd9707ae4a03cdf128bb

Comments