MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b265a89f89abed68d47200ed1f27f4f1d68af668103176085e362fa8979f1e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b265a89f89abed68d47200ed1f27f4f1d68af668103176085e362fa8979f1e9
SHA3-384 hash: c620be46fd80553e51c49b689bd3726aa1d40c6da02366b1dc461fddd2f1ce3aab3e122536beaeaa0efd66b7190c7e2a
SHA1 hash: 1f3741cd5ef4d21b0eb176d8dca1a982c303c14d
MD5 hash: ab8d8698ed051bd357d8b94cb4833a20
humanhash: white-winter-floor-black
File name:sumrak.i586
Download: download sample
Signature Mirai
Create hunting rule
File size:39'200 bytes
First seen:2025-12-20 16:57:03 UTC
Last seen:2025-12-21 02:21:11 UTC
File type: elf
MIME type:application/x-executable
ssdeep 768:ifhbRXPX72qwjNdGBPw39ifAvVtscLwaWwietJuOnbcuyD7UHQRj7:ifhtXPKLN4BP6T9tPLbJJuOnouy8Hy/
TLSH T1FD03F113C3B1A306E1BE163F8A6F76561C91B4D7ACD892EFE4D470E2E851651202CFCA
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai UPX
File size (compressed) :39'200 bytes
File size (de-compressed) :85'868 bytes
Format:linux/i386
Unpacked file: 39b108c712c0b8b354c3a55c3f609ee629624f6a4b37c3730852549f67be155d

Intelligence

File Origin
# of uploads :
4
# of downloads :
40
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/3975cf77-83d4-459a-8f6e-ab5f1dc09476/
Detection(s):
Unix.Dropper.Mirai-7135858-0
Create hunting rule

Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
masquerade packed upx
Link:
https://www.filescan.io/uploads/6946d568e126b9ff438a0b1a/reports/e138e94e-176c-4781-82a4-b0c021ac3492/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-12-20T14:13:00Z UTC
Last seen:
2025-12-22T13:23:00Z UTC
Hits:
~100
Detections:
HEUR:Backdoor.Linux.Mirai.r HEUR:Backdoor.Linux.Mirai.b HEUR:Backdoor.Linux.Gafgyt.bl HEUR:Backdoor.Linux.Gafgyt.bj
Link:
https://opentip.kaspersky.com/0b265a89f89abed68d47200ed1f27f4f1d68af668103176085e362fa8979f1e9/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/d8a664d1-49fd-4fa8-8cf3-7be0fdd5ddff
Behavior Graph:
Download SVG
%3 guuid=ddb7e7e5-1900-0000-5c43-c97094090000 pid=2452 /usr/bin/sudo guuid=3b30b0e8-1900-0000-5c43-c97099090000 pid=2457 /tmp/sample.bin net guuid=ddb7e7e5-1900-0000-5c43-c97094090000 pid=2452->guuid=3b30b0e8-1900-0000-5c43-c97099090000 pid=2457 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=3b30b0e8-1900-0000-5c43-c97099090000 pid=2457->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=d15f7ee9-1900-0000-5c43-c9709d090000 pid=2461 /tmp/sample.bin guuid=3b30b0e8-1900-0000-5c43-c97099090000 pid=2457->guuid=d15f7ee9-1900-0000-5c43-c9709d090000 pid=2461 clone guuid=d2878ae9-1900-0000-5c43-c9709e090000 pid=2462 /tmp/sample.bin guuid=3b30b0e8-1900-0000-5c43-c97099090000 pid=2457->guuid=d2878ae9-1900-0000-5c43-c9709e090000 pid=2462 clone guuid=c3fd94e9-1900-0000-5c43-c9709f090000 pid=2463 /tmp/sample.bin net send-data zombie guuid=3b30b0e8-1900-0000-5c43-c97099090000 pid=2457->guuid=c3fd94e9-1900-0000-5c43-c9709f090000 pid=2463 clone guuid=c3fd94e9-1900-0000-5c43-c9709f090000 pid=2463->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con 6081b4f2-a8f4-54a6-ad7c-2654ee0f2625 141.98.10.91:19000 guuid=c3fd94e9-1900-0000-5c43-c9709f090000 pid=2463->6081b4f2-a8f4-54a6-ad7c-2654ee0f2625 send: 280B guuid=8d0ea9e9-1900-0000-5c43-c970a1090000 pid=2465 /tmp/sample.bin guuid=c3fd94e9-1900-0000-5c43-c9709f090000 pid=2463->guuid=8d0ea9e9-1900-0000-5c43-c970a1090000 pid=2465 clone guuid=4adcaee9-1900-0000-5c43-c970a2090000 pid=2466 /tmp/sample.bin guuid=c3fd94e9-1900-0000-5c43-c9709f090000 pid=2463->guuid=4adcaee9-1900-0000-5c43-c970a2090000 pid=2466 clone
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1a65c44c-900e-47b9-95e3-46911c02982d
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1836787
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1836787 Sample: sumrak.i586.elf Startdate: 20/12/2025 Architecture: LINUX Score: 60 20 141.98.10.91, 19000, 35690, 35692 HOSTBALTICLT Lithuania 2->20 22 Malicious sample detected (through community Yara rule) 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Sample is packed with UPX 2->26 8 sumrak.i586.elf 2->8         started        signatures3 process4 process5 10 sumrak.i586.elf 8->10         started        12 sumrak.i586.elf 8->12         started        14 sumrak.i586.elf 8->14         started        process6 16 sumrak.i586.elf 10->16         started        18 sumrak.i586.elf 10->18         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/0b265a89f89abed68d47200ed1f27f4f1d68af668103176085e362fa8979f1e9
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0b265a89f89abed68d47200ed1f27f4f1d68af668103176085e362fa8979f1e9/
Verdict:
Malicious
Threat:
Family.Mirai
Link:
https://tip.neiki.dev/file/0b265a89f89abed68d47200ed1f27f4f1d68af668103176085e362fa8979f1e9
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-12-20 14:08:57 UTC
File Type:
ELF32 Little (Exe)
AV detection:
19 of 36 (52.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bmtfvcpytk7nndkheahnd4t7j4owrl3gqebroyef4nrpvclz6huq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:unst botnet defense_evasion discovery linux upx
Link:
https://tria.ge/reports/251220-vgh6zstrcs/
Behaviour
Reads runtime system information
Enumerates running processes
Modifies Watchdog functionality
Mirai
Mirai family
Verdict:
Malicious
Tags:
Unix.Dropper.Mirai-7135858-0
YARA:
n/a
Link:
https://app.threat.zone/submission/1235f2ad-6fa9-4c15-8f14-01c21b662959
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0b265a89f89abed68d47200ed1f27f4f1d68af668103176085e362fa8979f1e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 0b265a89f89abed68d47200ed1f27f4f1d68af668103176085e362fa8979f1e9

(this sample)

Mirai

elf 39b108c712c0b8b354c3a55c3f609ee629624f6a4b37c3730852549f67be155d

  
URLhaus
https://urlhaus.abuse.ch/url/3738090/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3738107/
  
URLhaus
https://urlhaus.abuse.ch/url/3738109/
  
URLhaus
https://urlhaus.abuse.ch/url/3738117/
  
Dropping
SHA256 39b108c712c0b8b354c3a55c3f609ee629624f6a4b37c3730852549f67be155d
  
Dropping
MD5 199a246a752bce4261ad0d0fdaebe747

Comments