MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c8f5d3259f11c49aeadd68447a8890fae1b8f9d8dffb4aa31e3e631b74afa6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c8f5d3259f11c49aeadd68447a8890fae1b8f9d8dffb4aa31e3e631b74afa6e
SHA3-384 hash: 93d61e9171f5335ca429aa4ee2511e6a4d00f7ea30ea90438e82d1c35b78078061686340a675c32268c9a98012e9bc7d
SHA1 hash: 337c111dba67567b7f3d0971b2a6a9b5da1275ad
MD5 hash: ba28fcddc6d4b010431103a90c56e2e1
humanhash: bakerloo-east-snake-juliet
File name:iran.x86_64
Download: download sample
Signature Mirai
Create hunting rule
File size:159'792 bytes
First seen:2026-01-02 22:36:30 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:LtVj1uCynTUXOss0PF1811E7YpleoNRUAP9CudfFXu7LE:PxkAfi+X2FRZAE
TLSH T18EF36B07B5C0D0FDC8DAC2B44BAFA12ADA72F4595134B21F23C4AE266E5DF216B2D750
telfhash t104519b302daa3498a1dff6aab30ee459fc320a1008e070f5ed736dd5de867480e754a3
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 bc0a99dbc918d0274a1302dea811ccb51ce34ca4bacdcdea37f1d9e6bc923f4a
File size (compressed) :61'080 bytes
File size (de-compressed) :159'792 bytes
Format:linux/amd64
Packed file: bc0a99dbc918d0274a1302dea811ccb51ce34ca4bacdcdea37f1d9e6bc923f4a

Intelligence

File Origin
# of uploads :
1
# of downloads :
41
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Detection(s):
Unix.Dropper.Mirai-7540662-0
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
bash gafgyt lolbin mirai
Link:
https://www.filescan.io/uploads/6958489d127d6a14e0cd4cc2/reports/61e70bac-01cf-44d3-b7e0-595cad744d81/overview
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2026-01-02T21:00:00Z UTC
Last seen:
2026-01-02T23:25:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/0c8f5d3259f11c49aeadd68447a8890fae1b8f9d8dffb4aa31e3e631b74afa6e/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/a99808e6-3c10-4e6d-a19f-62db1f078d7f
Behavior Graph:
Download SVG
%3 guuid=48c256cf-1a00-0000-7515-e3c87b0b0000 pid=2939 /usr/bin/sudo guuid=15767bd1-1a00-0000-7515-e3c87c0b0000 pid=2940 /tmp/sample.bin guuid=48c256cf-1a00-0000-7515-e3c87b0b0000 pid=2939->guuid=15767bd1-1a00-0000-7515-e3c87c0b0000 pid=2940 execve guuid=967877d4-1a00-0000-7515-e3c87d0b0000 pid=2941 /tmp/sample.bin zombie guuid=15767bd1-1a00-0000-7515-e3c87c0b0000 pid=2940->guuid=967877d4-1a00-0000-7515-e3c87d0b0000 pid=2941 clone guuid=6b7a83d4-1a00-0000-7515-e3c87e0b0000 pid=2942 /tmp/sample.bin delete-file net send-data zombie guuid=967877d4-1a00-0000-7515-e3c87d0b0000 pid=2941->guuid=6b7a83d4-1a00-0000-7515-e3c87e0b0000 pid=2942 clone 2f918999-73c3-5b31-8be3-4961cb1d73c3 87.121.84.11:7080 guuid=6b7a83d4-1a00-0000-7515-e3c87e0b0000 pid=2942->2f918999-73c3-5b31-8be3-4961cb1d73c3 send: 602B guuid=f0faabd4-1a00-0000-7515-e3c87f0b0000 pid=2943 /tmp/sample.bin guuid=6b7a83d4-1a00-0000-7515-e3c87e0b0000 pid=2942->guuid=f0faabd4-1a00-0000-7515-e3c87f0b0000 pid=2943 clone guuid=bd3ab2d4-1a00-0000-7515-e3c8800b0000 pid=2944 /tmp/sample.bin guuid=f0faabd4-1a00-0000-7515-e3c87f0b0000 pid=2943->guuid=bd3ab2d4-1a00-0000-7515-e3c8800b0000 pid=2944 clone
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e32a834e-c492-4f96-aab8-6537003306db
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1843870
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample deletes itself
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1843870 Sample: iran.x86_64.elf Startdate: 02/01/2026 Architecture: LINUX Score: 60 25 87.121.84.11, 50864, 50866, 50868 SKATTV-ASBG Bulgaria 2->25 27 109.202.202.202, 80 INIT7CH Switzerland 2->27 29 2 other IPs or domains 2->29 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 10 iran.x86_64.elf 2->10         started        12 dash rm 2->12         started        14 dash rm 2->14         started        signatures3 process4 process5 16 iran.x86_64.elf 10->16         started        process6 18 iran.x86_64.elf 16->18         started        signatures7 31 Sample deletes itself 18->31 21 iran.x86_64.elf 18->21         started        process8 process9 23 iran.x86_64.elf 21->23         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/0c8f5d3259f11c49aeadd68447a8890fae1b8f9d8dffb4aa31e3e631b74afa6e
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0c8f5d3259f11c49aeadd68447a8890fae1b8f9d8dffb4aa31e3e631b74afa6e/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-02 22:37:30 UTC
File Type:
ELF64 Little (Exe)
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bshv2msz6eoetlvn22cepkejb6xbxd45rx73jkrr4ptddn2k7jxa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery linux
Link:
https://tria.ge/reports/260102-2jwy7acj9v/
Behaviour
Reads runtime system information
Changes its process name
Enumerates running processes
Deletes itself
Verdict:
Malicious
Tags:
trojan gafgyt Unix.Dropper.Mirai-7540662-0
YARA:
Linux_Trojan_Gafgyt_9e9530a7 Linux_Trojan_Gafgyt_807911a2 Linux_Trojan_Gafgyt_d4227dbf Linux_Trojan_Gafgyt_d996d335 Linux_Trojan_Gafgyt_d0c57a2e Linux_Trojan_Gafgyt_620087b9 Linux_Trojan_Gafgyt_0cd591cd Linux_Trojan_Gafgyt_33b4111a Linux_Trojan_Gafgyt_a33a8363
Link:
https://app.threat.zone/submission/aecc03ef-34b6-485b-883c-3f86199a637f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/0c8f5d3259f11c49aeadd68447a8890fae1b8f9d8dffb4aa31e3e631b74afa6e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:Linux_Trojan_Gafgyt_0cd591cd
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_33b4111a
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_620087b9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_807911a2
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_9e9530a7
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_a33a8363
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d0c57a2e
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d4227dbf
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d996d335
Create hunting rule
Author:Elastic Security
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 263bdc6867200b4c29eb91e6e04da967d0749412b168f4447f9f3e048e4880c8

Mirai

elf bc0a99dbc918d0274a1302dea811ccb51ce34ca4bacdcdea37f1d9e6bc923f4a

Mirai

elf 0c8f5d3259f11c49aeadd68447a8890fae1b8f9d8dffb4aa31e3e631b74afa6e

(this sample)

  
Dropped by
SHA256 bc0a99dbc918d0274a1302dea811ccb51ce34ca4bacdcdea37f1d9e6bc923f4a
  
URLhaus
https://urlhaus.abuse.ch/url/3749327/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 a5dbad6ec73677707c841c6d0ef2995d

Comments