MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16e1ee418331636fe990b7869dcf83c30b72b00a72c1ec034d75111613ab693d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16e1ee418331636fe990b7869dcf83c30b72b00a72c1ec034d75111613ab693d
SHA3-384 hash: 0175e4221f13caad27612e12566800680c0ee60d4a0759cae7b9e77e9fb19eba9063275c987a5d45ac2db88514812a73
SHA1 hash: bb847a4373a7937b8a03330b29f5419b8c9748ee
MD5 hash: df1e0c5add52af58d748901315703915
humanhash: undress-harry-november-stairway
File name:xnxnxnxnxnxnxnxni386xnxn
Download: download sample
Signature Mirai
Create hunting rule
File size:115'388 bytes
First seen:2025-12-23 05:48:28 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:xQddz4q45jHhsgcvdcAUsesO0Os7bB4/SJBsCDguiRb2JAXrd1+5t+tvUBY5PkyK:/Q1cV/0BXe/JCDIb2Jkrf+2ZUmFm
TLSH T1BEB34B82EAA2D0F0E18701B00517F3EA8A34E5306156DED6EFA93D71ED717825D9B72C
telfhash t1ce4137f61e791cecb3d0a801e29a6f51ad0ea7732570657300a366b033eac9141bbc38
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 fa3aca53a9ce6132422aea7163f99c1df8afbe576d1cd4391f0350a983686064
File size (compressed) :60'420 bytes
File size (de-compressed) :115'388 bytes
Format:linux/i386
Packed file: fa3aca53a9ce6132422aea7163f99c1df8afbe576d1cd4391f0350a983686064

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
gafgyt mirai rust
Link:
https://www.filescan.io/uploads/694a2d50a7163552ba040f26/reports/5f6e26a8-313a-4bd9-aef7-886acab2108e/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-12-23T05:27:00Z UTC
Last seen:
2025-12-23T06:37:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/16e1ee418331636fe990b7869dcf83c30b72b00a72c1ec034d75111613ab693d/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7ec70fc5-232e-40ca-bf29-77d6a032efe7
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1838081
Signature
Connects to many ports of the same IP (likely port scanning)
Deletes system log files
Manipulation of devices in /dev
Sample tries to kill a massive number of system processes
Sample tries to kill multiple processes (SIGKILL)
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/16e1ee418331636fe990b7869dcf83c30b72b00a72c1ec034d75111613ab693d
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16e1ee418331636fe990b7869dcf83c30b72b00a72c1ec034d75111613ab693d/
Threat name:
Linux.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-23 05:49:11 UTC
File Type:
ELF32 Little (Exe)
AV detection:
2 of 36 (5.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c3q64qmdgfrw72mqw6dj3t4dymfxfmakola6ya2nouirme5lne6q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
credential_access defense_evasion discovery linux
Link:
https://tria.ge/reports/251223-gh48yssrgz/
Behaviour
Reads runtime system information
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Enumerates active TCP sockets
Enumerates running processes
Deletes Audit logs
Deletes journal logs
Deletes system logs
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7e98159b-17b9-493f-bea5-63887290d1a9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/16e1ee418331636fe990b7869dcf83c30b72b00a72c1ec034d75111613ab693d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf fa3aca53a9ce6132422aea7163f99c1df8afbe576d1cd4391f0350a983686064

Mirai

elf 16e1ee418331636fe990b7869dcf83c30b72b00a72c1ec034d75111613ab693d

(this sample)

  
Dropped by
SHA256 fa3aca53a9ce6132422aea7163f99c1df8afbe576d1cd4391f0350a983686064
  
URLhaus
https://urlhaus.abuse.ch/url/3713410/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 f41a7681dedfdfd1147029b0f79e333a
  
URLhaus
https://urlhaus.abuse.ch/url/3739927/

Comments