MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 115884838243401d462bc6f20ea85fc080366252b7a865282460b7cbf71a2746. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 11

Intelligence 11 IOCs YARA 8 File information Comments 1

SHA256 hash:	115884838243401d462bc6f20ea85fc080366252b7a865282460b7cbf71a2746
SHA3-384 hash:	2a3d24c69038d7d987e66831238ed739983d762dea318be0abb97c2eba273cc3879ccfd1ec78b77678bdcf212b6a35a7
SHA1 hash:	b5a3f0a0f42f2476438278b3d92e72cb4fd1ace8
MD5 hash:	c9b4b7aaeffe8fa7bc08d9f266d1e588
humanhash:	spring-hydrogen-steak-purple
File name:	c9b4b7aaeffe8fa7bc08d9f266d1e588
Download:	download sample
Signature	Mirai Create hunting rule
File size:	116'308 bytes
First seen:	2024-03-15 08:03:43 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	3072:JV4UT/xeY9NBvaLzqJjRN0fTHRn5Shpm/GzA:P4U1nJUzqjN0RI4GM
TLSH	T131B3BE61D0A5ADE1C260023420F19A385773F809E71B5FF36989C7AEA447DDCB16B3B9
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter	zbetcheckin
Tags:	32 elf gafgyt mirai renesas

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.29502.LC.UNOFFICIAL

Sanesecurity.Malware.29524.LC.UNOFFICIAL

Unix.Dropper.Mirai-7135870-0

Unix.Dropper.Mirai-7135906-0

Unix.Dropper.Mirai-7135966-0

Unix.Dropper.Mirai-7135979-0

Unix.Dropper.Mirai-7135980-0

Unix.Dropper.Mirai-7136288-0

Unix.Trojan.Mirai-7138377-0

Unix.Dropper.Mirai-7171384-0

Unix.Dropper.Mirai-7355719-0

Unix.Trojan.Mirai-7674518-0

Unix.Trojan.Generic-9910199-0

Unix.Trojan.Mirai-9935718-0

Unix.Trojan.Mirai-9945193-0

Unix.Trojan.Mirai-9946826-0

Unix.Dropper.Mirai-9977145-0

Unix.Dropper.Mirai-10008433-0

Unix.Trojan.Gafgyt-6748839-0

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug lolbin mirai obfuscated remote

Link:

https://www.filescan.io/uploads/65f400fc83a3efb188d238cd/reports/37321d37-0a93-4c37-893d-333edc1c1773/overview

Result

Verdict:

MALICIOUS

Malware family:

Mirai

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8fa000c0-f282-427a-8495-375db58feb90

Result

Threat name:

Mirai

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1409394

Signature

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample deletes itself

Yara detected Mirai

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/115884838243401d462bc6f20ea85fc080366252b7a865282460b7cbf71a2746

Detection:

mirai

Link:

https://mwdb.cert.pl/sample/115884838243401d462bc6f20ea85fc080366252b7a865282460b7cbf71a2746/

Threat name:

Linux.Trojan.Mirai

Status:

Malicious

First seen:

2024-03-13 15:06:08 UTC

File Type:

ELF32 Little (Exe)

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cfmija4cinab2rrly3za5kc7ycadmyssw6ugkkbemc34x5y2e5da._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:unstable linux

Link:

https://tria.ge/reports/240315-jyaemabe9v/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Mirai

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/115884838243401d462bc6f20ea85fc080366252b7a865282460b7cbf71a2746

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	iot_req_metachar Create hunting rule

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	MAL_ELF_LNX_Mirai_Oct10_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects ELF Mirai variant
Reference:	Internal Research

Rule name:	MAL_ELF_LNX_Mirai_Oct10_1_RID2F39 Create hunting rule
Author:	Florian Roth
Description:	Detects ELF Mirai variant
Reference:	Internal Research

Rule name:	SUSP_XORed_Mozilla Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 115884838243401d462bc6f20ea85fc080366252b7a865282460b7cbf71a2746

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2783323/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2024-03-15 08:03:43 UTC

url : hxxp://147.78.103.94//Yboats.sh4