MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13631070d72cc8231bbfbaec509bc2d0abd042f9f8c5cc3e5f65eeef7a65452b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 12



SHA256 hash: 13631070d72cc8231bbfbaec509bc2d0abd042f9f8c5cc3e5f65eeef7a65452b
SHA3-384 hash: d864a2735c91b84c3e27d69181c6f00633507839ae255769bc234a7a835212ea60893a2f84f6cb1ac0adf310dd8652e1
SHA1 hash: da9ff352226e679eaa99c39c1bbd37d1906f0cb5
MD5 hash: 6cdb220ef04ac7b12645eb91cd2762ab
humanhash: ack-comet-avocado-florida
File name: 6cdb220ef04ac7b12645eb91cd2762ab
Download: download sample
Signature: Mirai
File size: 70'472 bytes
First seen: 2024-06-08 10:41:39 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 1536:rxbnVyO5Lnfzfo4gqcRQHG/oP6J7Q4TQ8flc1HqF:FbAA/hHVs
TLSH: T163634B023B64494BF9E21EB02A3F2BE587EEDD4115F07148698FFA814671E73184EED9
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12); 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter: zbetcheckin
Tags: 32 elf mirai powerpc

Intelligence


File Origin
# of uploads: 1
# of downloads: 96
Origin country: FR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Opens a port
Sends data to a server
Receives data from a server
Connection attempt
Kills processes
Runs as daemon
Kills critical processes
Performs a bruteforce attack in the network
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags:
anti-debug botnet mirai mirai
Result
Verdict:
MALICIOUS
Result
Threat name:
Detection: malicious
Classification: spre.troj
Score: 92 / 100
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Yara detected Mirai
Behaviour
Behavior Graph: [behavior graph image not reproduced] Behavior Graph ID: 1454012; Sample: Hj8k38lJRF.elf; Startdate: 08/06/2024; Architecture: LINUX; Score: 92.
The graph records network contacts (208.176.113.240 on port 23, 218.108.176.106, and 98 other IPs or domains) and the spawned process tree annotated with the signatures listed above.
Threat name: Linux.Trojan.Mirai
Status: Malicious
First seen: 2024-06-08 10:42:07 UTC
File Type: ELF32 Big (Exe)
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:mirai linux
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Mirai_Generic
Author:albertzsigovits
Description:Generic Approach to Mirai/Gafgyt samples
Rule name:MAL_ELF_LNX_Mirai_Oct10_2
Author:Florian Roth (Nextron Systems)
Description:Detects ELF malware Mirai related
Reference:Internal Research
Rule name:MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A
Author:Florian Roth
Description:Detects ELF malware Mirai related
Reference:Internal Research
Rule name:Mirai_Botnet_Malware
Author:Florian Roth (Nextron Systems)
Description:Detects Mirai Botnet Malware
Reference:Internal Research
Rule name:Mirai_Botnet_Malware_RID2EF6
Author:Florian Roth
Description:Detects Mirai Botnet Malware
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 13631070d72cc8231bbfbaec509bc2d0abd042f9f8c5cc3e5f65eeef7a65452b

(this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2024-06-08 10:41:40 UTC

url : hxxp://37.44.238.75/bins/sora.ppc