MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0dd50416937f0bbb202464b09fb982739b34bde7d11834b78a137fc4659502de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0dd50416937f0bbb202464b09fb982739b34bde7d11834b78a137fc4659502de
SHA3-384 hash: 10826bce3588862c6b6de3780a33cf07ab5ccb11e8149e2cd4f1f514cc7f95c9bc5e77b0eeb572640211a4cc74383543
SHA1 hash: 51867a302a3084a0d2a42dac580d694e7d9178c7
MD5 hash: 669e9f498ad1c0763cf893313bc22832
humanhash: music-april-salami-autumn
File name:sora.sh4
Download: download sample
Signature Mirai
Create hunting rule
File size:63'772 bytes
First seen:2025-10-14 20:15:04 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:PaAtVnz1/mUUNztiYmW6ihiYLTofs3wfpWIDNEJ7JC7:P/tVz1eUUfwN0T0f+whWONEJ7J
TLSH T1FB539FA5C5ACAE58C71441B8B654CD398723F408A5A76EFBD646C796800BEFCF0187F1
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Mirai-63.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30435.LC.UNOFFICIAL
Create hunting rule

Unix.Dropper.Mirai-7135890-0
Create hunting rule

Unix.Dropper.Mirai-7135897-0
Create hunting rule

Unix.Dropper.Mirai-7135901-0
Create hunting rule

Unix.Trojan.Mirai-7135916-0
Create hunting rule

Unix.Dropper.Mirai-7135918-0
Create hunting rule

Unix.Dropper.Mirai-7135939-0
Create hunting rule

Unix.Dropper.Mirai-7135954-0
Create hunting rule

Unix.Dropper.Mirai-7136025-0
Create hunting rule

Unix.Dropper.Mirai-7136028-0
Create hunting rule

Unix.Dropper.Mirai-7136288-0
Create hunting rule

Unix.Trojan.Mirai-7138377-0
Create hunting rule

Unix.Trojan.Mirai-7674518-0
Create hunting rule

Unix.Trojan.Mirai-9819563-0
Create hunting rule

Unix.Trojan.Mirai-9820623-0
Create hunting rule

Unix.Trojan.Generic-9910199-0
Create hunting rule

Unix.Trojan.Mirai-10057021-0
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade mirai obfuscated
Link:
https://www.filescan.io/uploads/68eeb0befe81c560ba58e281/reports/6f4d45f2-56ef-4462-b713-7c876f29daf7/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-10-14T17:40:00Z UTC
Last seen:
2025-10-14T19:32:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/0dd50416937f0bbb202464b09fb982739b34bde7d11834b78a137fc4659502de/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/53b8dfba-1218-4bf8-8282-f5b55f297b0c
Behavior Graph:
Download SVG
%3 guuid=f45b8d57-1900-0000-6129-c9e929080000 pid=2089 /usr/bin/sudo guuid=edc1e359-1900-0000-6129-c9e931080000 pid=2097 /tmp/sample.bin guuid=f45b8d57-1900-0000-6129-c9e929080000 pid=2089->guuid=edc1e359-1900-0000-6129-c9e931080000 pid=2097 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/04d72991-6d04-4e91-82da-dd56901a83d1
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1795287
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1795287 Sample: sora.sh4.elf Startdate: 14/10/2025 Architecture: LINUX Score: 84 28 114.194.20.2 XEPHIONNTT-MECorporationJP Japan 2->28 30 165.161.108.52 WISCNET1-ASUS United States 2->30 32 98 other IPs or domains 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 2 other signatures 2->40 8 sora.sh4.elf 2->8         started        10 dash rm 2->10         started        12 dash rm 2->12         started        14 python3.8 dpkg 2->14         started        signatures3 process4 process5 16 sora.sh4.elf 8->16         started        18 sora.sh4.elf 8->18         started        20 sora.sh4.elf 8->20         started        process6 22 sora.sh4.elf 16->22         started        24 sora.sh4.elf 16->24         started        26 sora.sh4.elf 16->26         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/0dd50416937f0bbb202464b09fb982739b34bde7d11834b78a137fc4659502de
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0dd50416937f0bbb202464b09fb982739b34bde7d11834b78a137fc4659502de/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-10-14 20:20:35 UTC
File Type:
ELF32 Little (Exe)
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxkqifutp4f3wibemsyj7omcoontjpph2emdjn4kcn74izmvalpa._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai linux
Link:
https://tria.ge/reports/251014-y4tssadn8t/
Verdict:
Malicious
Tags:
botnet mirai Unix.Dropper.Mirai-7135890-0
YARA:
MAL_ELF_LNX_Mirai_Oct10_2
Link:
https://app.threat.zone/submission/98e4b9de-fa59-4bed-8688-1c0f128ffa1e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0dd50416937f0bbb202464b09fb982739b34bde7d11834b78a137fc4659502de

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:MAL_ELF_LNX_Mirai_Oct10_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects ELF malware Mirai related
Reference:Internal Research
Rule name:MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A
Create hunting rule
Author:Florian Roth
Description:Detects ELF malware Mirai related
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 0dd50416937f0bbb202464b09fb982739b34bde7d11834b78a137fc4659502de

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3678186/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3678207/

Comments