MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17806cff786a06fa00d52134b9953cb3f0f16e90ec1cb6ff96b9ccc224430dea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 14



SHA256 hash: 17806cff786a06fa00d52134b9953cb3f0f16e90ec1cb6ff96b9ccc224430dea
SHA3-384 hash: a9abc14165444c2fd4a6ee87738cd9df8e0bc63b4e8878f6c167511cea477648257e58834d6a7cf9afd3dee3eb6af341
SHA1 hash: becbcba5476b142070d31caaac2dc054b45a7de2
MD5 hash: 0e957d7d9ca10f14eede1795db3d5b3b
humanhash: vegan-india-fish-october
File name:weje64
Signature Mirai
File size:165'032 bytes
First seen:2025-04-02 02:27:01 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:jDGjvzVSg/BKkwxguHOpqpVyg4gyRBO28FguRtBnLvZmXZjHKY:jDGjvzVSg/IkwxKAKxYLRIXZjHp
TLSH T133F34A07B5D098FDC4D5C1744BAEB236D972F15D2138B26F2BD8EA262E8CE305B2D650
telfhash t1a951dd742ea53998a0f7f76a730ae955ec36091019e131e2dfa37df6ce42b840d72427
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence


File Origin
# of uploads :
1
# of downloads :
111
Origin country :
DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
DNS request
Runs as daemon
Kills processes
Sends data to a server
Opens a port
Creating a file
Receives data from a server
Deletes a system binary file
Kills critical processes
Substitutes an application name
Deleting of the original file
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
bash explorer lolbin remote
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
58
Number of processes launched:
4
Processes remaining?
true
Remote TCP ports scanned:
not identified
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.evad
Score:
72 / 100
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Behaviour
Behavior Graph: ID 1654201, sample weje64.elf, start date 02/04/2025, architecture LINUX, score 72 (the rendered graph is not reproduced; the recoverable nodes are listed below)
Network: raw.awaken-network.net -> 141.98.10.142 (HOSTBALTICLT, Lithuania), TCP ports 2211, 35880, 37048; daisy.ubuntu.com also resolved
Sample process tree: weje64.elf -> weje64.elf (child; "Sample deletes itself") -> two further weje64.elf children, one of which triggers "Sample tries to kill multiple processes (SIGKILL)"
Root-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file
Other graph nodes: the sandbox's own gdm3, gpu-manager, dbus-daemon, Xorg and GNOME session processes; /var/log/wtmp (data) is recorded as dropped, and "Reads system files that contain records of logged in users" and "Sample reads /proc/mounts (often used for finding a writable filesystem)" are attached to these processes in the graph rather than to the weje64.elf nodes
Threat name:
Linux.Trojan.Mirai
Status:
Malicious
First seen:
2025-04-02 06:37:10 UTC
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:mirai botnet:botnet credential_access linux
Behaviour
Changes its process name
Reads process memory
Enumerates running processes
Deletes itself
Malware Config
C2 Extraction:
raw.awaken-network.net
Verdict:
Malicious
Tags:
trojan mirai gafgyt Unix.Dropper.Mirai-7540662-0
YARA:
Linux_Trojan_Gafgyt_9e9530a7 Linux_Trojan_Gafgyt_807911a2 Linux_Trojan_Gafgyt_d4227dbf Linux_Trojan_Gafgyt_d996d335 Linux_Trojan_Gafgyt_d0c57a2e Linux_Trojan_Gafgyt_620087b9 Linux_Trojan_Gafgyt_0cd591cd Linux_Trojan_Gafgyt_33b4111a Linux_Trojan_Gafgyt_a33a8363 Linux_Trojan_Mirai_520deeb8 Linux_Trojan_Mirai_01e4a728 Linux_Trojan_Mirai_e0cf29e2
Please note that we are no longer able to provide a coverage score for Virus Total.
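The dynamic-analysis results above describe three behaviours that leave traces on a live Linux host: the sample unlinks its own binary after starting (the running process's /proc/<pid>/exe link then ends in "(deleted)"), it renames itself so that argv[0] and comm no longer match the executable, and it connects to the extracted C2. The script below checks /proc for exactly those traces. It is an added example for this page, not MalwareBazaar's or any vendor's code; the /proc snapshots embedded in it are constructed, and the only values taken from the page are the C2 IP 141.98.10.142 and port 2211 from the behaviour graph.

```python
"""Hunt for the Mirai-style host indicators reported above by reading /proc.

Added example for this page (not MalwareBazaar or vendor code). The sample
/proc data at the bottom is constructed; the C2 address and port come from the
behaviour graph on this page (141.98.10.142:2211, raw.awaken-network.net).
"""
import os
import socket
import struct
from dataclasses import dataclass

C2_IPS = {"141.98.10.142"}          # from the behaviour graph above
TCP_ESTABLISHED, TCP_SYN_SENT = 0x01, 0x02


@dataclass
class ProcInfo:
    pid: int
    comm: str        # /proc/<pid>/comm, what prctl(PR_SET_NAME) changes
    cmdline: list    # /proc/<pid>/cmdline split on NUL, argv[0] first
    exe: str         # readlink(/proc/<pid>/exe); ends in " (deleted)" if unlinked


def classify(p: ProcInfo) -> list:
    """Return the indicator strings that apply to one process."""
    findings = []
    exe_name = os.path.basename(p.exe.removesuffix(" (deleted)"))
    if p.exe.endswith(" (deleted)"):
        findings.append("running from an unlinked binary (sample deletes itself)")
    argv0 = os.path.basename(p.cmdline[0]) if p.cmdline else ""
    # Mirai overwrites argv[0] and calls prctl(PR_SET_NAME); comm is capped at
    # 15 chars, so compare by prefix. This is a heuristic: busybox applets and
    # login shells ("-bash") also differ from their exe name and need an allow-list.
    def matches(name: str) -> bool:
        return bool(name) and exe_name.startswith(name)
    if exe_name and not matches(p.comm) and not matches(argv0):
        findings.append(f"name {argv0!r}/{p.comm!r} does not match exe {exe_name!r} (process renaming)")
    return findings


def decode_addr(field: str):
    """'8E0A628D:08A3' -> ('141.98.10.142', 2211). /proc/net/tcp prints the IPv4
    address as a native-endian u32; this assumes a little-endian (x86) host."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """Parse /proc/net/tcp into (local, remote, state, inode) tuples."""
    rows = []
    for line in text.splitlines()[1:]:        # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append((decode_addr(f[1]), decode_addr(f[2]), int(f[3], 16), int(f[9])))
    return rows


def c2_connections(rows: list) -> list:
    """Sockets to a known C2, whether already connected or still in SYN_SENT."""
    return [r for r in rows if r[1][0] in C2_IPS and r[2] in (TCP_ESTABLISHED, TCP_SYN_SENT)]


def scan_live(proc_root: str = "/proc"):
    """Walk a real /proc; needs root to read other users' exe links."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = f"{proc_root}/{pid}"
        try:
            with open(f"{base}/comm") as fh:
                comm = fh.read().strip()
            with open(f"{base}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            exe = os.readlink(f"{base}/exe")
        except OSError:
            continue                           # kernel thread, exited, or no permission
        found = classify(ProcInfo(int(pid), comm, argv, exe))
        if found:
            hits[int(pid)] = found
    with open(f"{proc_root}/net/tcp") as fh:
        return hits, c2_connections(parse_proc_net_tcp(fh.read()))


# Constructed sample data shaped like the behaviour reported for this sample.
SAMPLE_PROCS = [
    ProcInfo(1, "systemd", ["/sbin/init"], "/usr/lib/systemd/systemd"),
    ProcInfo(2412, "ksmrdgtq", ["ksmrdgtq"], "/tmp/weje64 (deleted)"),
]
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B7E2 8E0A628D:08A3 01 00000000:00000000 00:00000000 00000000     0        0 40512 1 0000000000000000 20 4 30 10 -1
"""


def demo():
    """Run the checks over the constructed data; returns (proc_hits, c2_rows)."""
    hits = {p.pid: classify(p) for p in SAMPLE_PROCS if classify(p)}
    return hits, c2_connections(parse_proc_net_tcp(SAMPLE_NET_TCP))


if __name__ == "__main__":
    print(demo())
```

On a real host, run scan_live() as root and pivot from any flagged PID to /proc/<pid>/fd (the sandbox reports 58 open files) and to the socket inode from /proc/net/tcp; the address decoding above is only correct on little-endian machines, so adjust the struct format on big-endian MIPS or PowerPC routers.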

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:F01_s1ckrule
Author:s1ckb017
Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_0cd591cd
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_33b4111a
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_620087b9
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_807911a2
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_9e9530a7
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_a33a8363
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d0c57a2e
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d4227dbf
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d996d335
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_01e4a728
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_520deeb8
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_e0cf29e2
Author:Elastic Security
Rule name:MatchByteSequence
Author:Generated by ChatGPT
Description:Rule to match specific byte sequence: 89 C8 C1 E8 08 31 D1 31 C8
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mirai
Sample: elf 17806cff786a06fa00d52134b9953cb3f0f16e90ec1cb6ff96b9ccc224430dea (this sample)

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
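The CHECK_PIE finding is decided by the ELF header: a PIE is linked as ET_DYN and mapped at a randomised base by the loader, whereas an ET_EXEC binary (typical of statically linked Mirai builds) is always mapped at its fixed link address, so its code and any ROP gadgets sit at known addresses. The Python below reproduces that check and adds a PT_INTERP test for static linking. It is an added example for this page, not BLint's implementation; the header-only ELF it constructs for testing is not this sample, and the STATIC finding ID is a hypothetical label, not a BLint check.

```python
"""Reproduce BLint's CHECK_PIE and a static-linking check from the ELF header.

Added example for this page; not BLint's own code. The ELF built by
build_elf64() is a constructed header with no code, not the Mirai sample.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP = 1, 3
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def inspect_elf(data: bytes) -> dict:
    """Read class, machine, e_type and the program header types of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    en = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, e_machine = struct.unpack_from(en + "HH", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(en + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(en + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 42)
    # p_type is the first 4 bytes of every program header in both classes
    ptypes = [struct.unpack_from(en + "I", data, e_phoff + i * e_phentsize)[0]
              for i in range(e_phnum)]
    return {
        "class": 64 if is64 else 32,
        "machine": MACHINES.get(e_machine, f"EM_{e_machine}"),
        "e_type": e_type,
        # ET_DYN without PT_INTERP can also be a shared object or a static-pie;
        # ET_EXEC is unambiguous: no PIE.
        "pie": e_type == ET_DYN,
        "static": PT_INTERP not in ptypes,
    }


def findings(info: dict) -> list:
    """Emit BLint-style (id, title, severity) rows for the properties above."""
    out = []
    if info["e_type"] == ET_EXEC:
        out.append(("CHECK_PIE", "Missing Position-Independent Executable (PIE) Protection", "high"))
    if info["static"]:
        # hypothetical id for this example, not a BLint check
        out.append(("STATIC", "No PT_INTERP: statically linked, no loader-side hardening", "info"))
    return out


def inspect_file(path: str) -> list:
    with open(path, "rb") as fh:
        return findings(inspect_elf(fh.read()))


def build_elf64(e_type: int, ptypes: list) -> bytes:
    """Construct a header-only little-endian x86-64 ELF for offline testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                       64, 56, len(ptypes), 64, 0, 0)
    # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000) for t in ptypes)
    return ident + ehdr + phdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, inspect_file(path))
    print("constructed ET_EXEC:", findings(inspect_elf(build_elf64(ET_EXEC, [PT_LOAD]))))
```

Running inspect_file() on a downloaded sample reports the same CHECK_PIE row as the table; note that readelf -h shows the same e_type field, so the script is only useful where you want the check inside a triage pipeline rather than by hand.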
