MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12eed24008138b02388e12ba2c9e01244ef66d7a993d2ce8cf906990474dce80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12eed24008138b02388e12ba2c9e01244ef66d7a993d2ce8cf906990474dce80
SHA3-384 hash: 7b300427b0a72203856bb18801244bb69313f92d042800ac7ad5612713c6c64ba82008419e794d95a7bdefadcb2146e6
SHA1 hash: b83510026913c08dee9cf1b485d804de57ea7d3d
MD5 hash: d5b5379387145df9fd603244043db4a3
humanhash: yankee-michigan-south-twelve
File name:powerpc.kok
Download: download sample
Signature Mirai
Create hunting rule
File size:95'540 bytes
First seen:2026-01-04 06:39:08 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:GszBf5GiNk+bvD7knVnf5s0PSSJBL2AyaRleyHZIq2KouK12:PjGiNlvPkn5f5s06SLRcyRC2
TLSH T112936C02B7180E43E1636DB47E3F27C1D3EADD9112F4E648250EBB49D072A326697E9D
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.30455.LC.BadVar.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-10001386-0
Create hunting rule

Unix.Trojan.Mirai-10010127-0
Create hunting rule

Unix.Trojan.Mirai-10017351-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gafgyt masquerade mirai
Link:
https://www.filescan.io/uploads/695a0b128d1aa9829e29f213/reports/d9df0727-d80d-4c05-b717-8241cc630abb/overview
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2026-01-03T22:27:00Z UTC
Last seen:
2026-01-04T05:51:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/12eed24008138b02388e12ba2c9e01244ef66d7a993d2ce8cf906990474dce80/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/66fab562-cc92-4236-ba1a-b3630c6156ff
Behavior Graph:
Download SVG
%3 guuid=3b9f7fe3-3500-0000-29db-0d1097030000 pid=919 /usr/bin/sudo guuid=0e144ce6-3500-0000-29db-0d1098030000 pid=920 /tmp/sample.bin guuid=3b9f7fe3-3500-0000-29db-0d1097030000 pid=919->guuid=0e144ce6-3500-0000-29db-0d1098030000 pid=920 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f9431fc8-a359-4ad9-9609-8dcf13721541
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1844357
Signature
Drops files in suspicious directories
Drops invisible ELF files
Executes the "crontab" command typically for achieving persistence
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Terminates several processes with shell command 'killall'
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1844357 Sample: powerpc.kok.elf Startdate: 04/01/2026 Architecture: LINUX Score: 100 114 Multi AV Scanner detection for submitted file 2->114 10 powerpc.kok.elf 2->10         started        13 dash rm 2->13         started        15 dash cat 2->15         started        17 8 other processes 2->17 process3 signatures4 124 Sample tries to kill multiple processes (SIGKILL) 10->124 126 Sample reads /proc/mounts (often used for finding a writable filesystem) 10->126 19 powerpc.kok.elf 10->19         started        process5 file6 78 /var/spool/cron/root, ASCII 19->78 dropped 80 /var/spool/cron/crontabs/root, ASCII 19->80 dropped 82 /root/.bashrc, ASCII 19->82 dropped 84 11 other files (10 malicious) 19->84 dropped 116 Sample tries to set files in /etc globally writable 19->116 118 Sample tries to persist itself using /etc/profile 19->118 120 Drops files in suspicious directories 19->120 122 4 other signatures 19->122 23 powerpc.kok.elf sh 19->23         started        25 powerpc.kok.elf sh 19->25         started        27 powerpc.kok.elf sh 19->27         started        29 54 other processes 19->29 signatures7 process8 process9 31 sh cp 23->31         started        35 sh crontab 25->35         started        37 sh 25->37         started        39 sh cp 27->39         started        41 sh cp 29->41         started        43 sh cp 29->43         started        45 sh rm 29->45         started        47 52 other processes 29->47 file10 86 /usr/bin/.update, ELF 31->86 dropped 96 Writes identical ELF files to multiple locations 31->96 98 Drops invisible ELF files 31->98 100 Drops files in suspicious directories 31->100 88 /var/spool/cron/crontabs/tmp.Lbt6IQ, ASCII 35->88 dropped 102 Sample tries to persist itself using cron 35->102 104 Executes the "crontab" command typically for achieving persistence 35->104 49 sh crontab 37->49         started        90 /boot/.update, ELF 39->90 dropped 92 /var/jbx/shared/.update, ELF 41->92 dropped 94 /var/log/.update, ELF 43->94 dropped 106 Sample deletes itself 45->106 108 Sample tries to kill multiple processes (SIGKILL) 47->108 110 Terminates several processes with shell command 'killall' 47->110 52 S99backup0 47->52         started        54 S99backup1 47->54         started        56 S99backup2 47->56         started        58 5 other processes 47->58 signatures11 process12 signatures13 112 Executes the "crontab" command typically for achieving persistence 49->112 60 S99backup0 .update 52->60         started        70 5 other processes 52->70 62 S99backup1 .update 54->62         started        72 5 other processes 54->72 64 S99backup2 .update 56->64         started        74 5 other processes 56->74 66 S99network .update 58->66         started        68 .monitor .update 58->68         started        76 6 other processes 58->76 process14
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/12eed24008138b02388e12ba2c9e01244ef66d7a993d2ce8cf906990474dce80
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/12eed24008138b02388e12ba2c9e01244ef66d7a993d2ce8cf906990474dce80/
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-04 03:16:02 UTC
File Type:
ELF32 Big (Exe)
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=clxneqaicofqeoeock5czhqberhpm3l2te6sz2gpsbuzar2nz2aa._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/260104-hethqacz2f/
Verdict:
Malicious
Tags:
Unix.Trojan.Mirai-10001386-0
YARA:
n/a
Link:
https://app.threat.zone/submission/47fc9a7f-03b0-43e0-9eec-da9e43068976
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202503_elf_Mirai
Create hunting rule
Author:abuse.ch
Description:Detects Mirai 'TSource' ELF files
Rule name:ELF_IoT_Persistence_Hunt
Create hunting rule
Author:4r4
Description:Hunts for ELF files with persistence and download capabilities
Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 12eed24008138b02388e12ba2c9e01244ef66d7a993d2ce8cf906990474dce80

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3749713/
  
Delivery method
Distributed via web download

Comments