MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17fe6c845240f07f13c8f0e8e7a774542fac60deaa04ab5c92d56aa70f44ae48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17fe6c845240f07f13c8f0e8e7a774542fac60deaa04ab5c92d56aa70f44ae48
SHA3-384 hash: e13f2aae8aa2eea015e5151da6accaa10c0b1c0a26ac20df28969d003e0905af821bb1772dab694583bfd877b399f662
SHA1 hash: 722d997bb551629df1b93c0b04b4c25c854db965
MD5 hash: 77d77214f85fcd6cae52660df3453be0
humanhash: nineteen-oklahoma-indigo-coffee
File name:bejv86
Download: download sample
Signature Mirai
Create hunting rule
File size:110'540 bytes
First seen:2025-04-11 03:48:22 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:h/78FOdojZG1Zu8fF8iQWyXum2jVKF8jlwtobz7INf:x7IOyFG1Z6HaBiAz8l
TLSH T1B2B36CC5BB83E4F5E86600B25037A7374B33F839502ADA46C769FA36EC61950DB1A35C
telfhash t1c35126f7297e1ce8b7d09900e31e2fe12d1ad67b1560b2a009a3593423a7ec141b6c3e
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.30423.LX.BOT.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-9441505-0
Create hunting rule

Unix.Trojan.Mirai-9857931-0
Create hunting rule

Unix.Trojan.Mirai-9866113-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f891fad6e7c3effacf97f6linux22vpnfull_triage
Tags:
shellcode
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Runs as daemon
Connection attempt
Receives data from a server
Opens a port
DNS request
Sends data to a server
Kills processes
Deletes a system binary file
Substitutes an application name
Kills critical processes
Deleting of the original file
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
58
Number of processes launched:
4
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/17fe6c845240f07f13c8f0e8e7a774542fac60deaa04ab5c92d56aa70f44ae48
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0623dd44-e733-425a-b08c-4b711937bc21
Result
Threat name:
Aquabot
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1662747
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Sends malformed DNS queries
Yara detected Aquabot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1662747 Sample: bejv86.elf Startdate: 11/04/2025 Architecture: LINUX Score: 84 169 raw.awaken-network.net. [malformed] 2->169 171 raw.awaken-network.net 141.98.10.142, 2211, 51852, 54538 HOSTBALTICLT Lithuania 2->171 173 daisy.ubuntu.com 2->173 177 Malicious sample detected (through community Yara rule) 2->177 179 Multi AV Scanner detection for submitted file 2->179 181 Yara detected Aquabot 2->181 15 systemd gdm3 2->15         started        17 systemd gpu-manager 2->17         started        19 bejv86.elf 2->19         started        21 29 other processes 2->21 signatures3 183 Sends malformed DNS queries 169->183 process4 file5 25 gdm3 gdm-session-worker 15->25         started        27 gdm3 gdm-session-worker 15->27         started        29 gdm3 gdm-session-worker 15->29         started        38 5 other processes 15->38 31 gpu-manager sh 17->31         started        40 7 other processes 17->40 33 bejv86.elf 19->33         started        167 /var/log/wtmp, data 21->167 dropped 187 Sample reads /proc/mounts (often used for finding a writable filesystem) 21->187 189 Reads system files that contain records of logged in users 21->189 36 accounts-daemon language-validate 21->36         started        42 3 other processes 21->42 signatures6 process7 signatures8 44 gdm-session-worker gdm-x-session 25->44         started        46 gdm-session-worker gdm-x-session 27->46         started        48 gdm-session-worker gdm-wayland-session 29->48         started        50 sh grep 31->50         started        175 Sample deletes itself 33->175 52 bejv86.elf 33->52         started        55 bejv86.elf 33->55         started        57 language-validate language-options 36->57         started        59 sh grep 40->59         started        61 6 other processes 40->61 process9 signatures10 63 gdm-x-session dbus-run-session 44->63         started        65 gdm-x-session Xorg Xorg.wrap Xorg 44->65         started        67 gdm-x-session Default 44->67         started        69 gdm-x-session dbus-run-session 46->69         started        71 gdm-x-session Xorg Xorg.wrap Xorg 46->71         started        73 gdm-x-session Default 46->73         started        75 gdm-wayland-session dbus-run-session 48->75         started        185 Sample tries to kill multiple processes (SIGKILL) 52->185 77 language-options sh 57->77         started        process11 process12 79 dbus-run-session dbus-daemon 63->79         started        82 dbus-run-session gnome-session gnome-session-binary 63->82         started        92 2 other processes 65->92 84 dbus-run-session dbus-daemon 69->84         started        86 dbus-run-session gnome-session gnome-session-binary 69->86         started        94 2 other processes 71->94 88 dbus-run-session dbus-daemon 75->88         started        90 dbus-run-session gnome-session gnome-session-binary 1 75->90         started        96 2 other processes 77->96 signatures13 199 Sample tries to kill multiple processes (SIGKILL) 79->199 201 Sample reads /proc/mounts (often used for finding a writable filesystem) 79->201 98 dbus-daemon 79->98         started        100 10 other processes 79->100 102 20 other processes 82->102 105 10 other processes 84->105 107 17 other processes 86->107 109 7 other processes 88->109 111 2 other processes 90->111 113 2 other processes 92->113 115 2 other processes 94->115 process14 signatures15 117 dbus-daemon at-spi-bus-launcher 98->117         started        119 dbus-daemon gjs 100->119         started        126 9 other processes 100->126 128 4 other processes 102->128 122 dbus-daemon at-spi-bus-launcher 105->122         started        124 dbus-daemon gjs 105->124         started        130 8 other processes 105->130 191 Sample reads /proc/mounts (often used for finding a writable filesystem) 107->191 132 3 other processes 107->132 134 7 other processes 109->134 process16 signatures17 136 at-spi-bus-launcher dbus-daemon 117->136         started        193 Sample reads /proc/mounts (often used for finding a writable filesystem) 119->193 139 at-spi-bus-launcher dbus-daemon 122->139         started        141 ibus-daemon 128->141         started        143 ibus-daemon ibus-memconf 128->143         started        145 ibus-daemon ibus-engine-simple 128->145         started        147 gsd-print-notifications gsd-printer 128->147         started        149 ibus-daemon 132->149         started        151 ibus-daemon ibus-memconf 132->151         started        153 ibus-daemon ibus-engine-simple 132->153         started        process18 signatures19 195 Sample tries to kill multiple processes (SIGKILL) 136->195 197 Sample reads /proc/mounts (often used for finding a writable filesystem) 136->197 155 dbus-daemon 136->155         started        157 dbus-daemon 136->157         started        159 dbus-daemon 139->159         started        161 ibus-daemon ibus-x11 141->161         started        163 ibus-daemon ibus-x11 149->163         started        process20 process21 165 dbus-daemon at-spi2-registryd 155->165         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/17fe6c845240f07f13c8f0e8e7a774542fac60deaa04ab5c92d56aa70f44ae48
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/17fe6c845240f07f13c8f0e8e7a774542fac60deaa04ab5c92d56aa70f44ae48/
Threat name:
Linux.Trojan.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-04-11 03:49:08 UTC
File Type:
ELF32 Little (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c77gzbcsidyh6e6i6duopj3ukqx2yyg6vickwxes2vvkod2evzea._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:botnet linux rootkit
Link:
https://tria.ge/reports/250411-edc8kaypt7/
Behaviour
Writes file to tmp directory
Loads a kernel module
Malware Config
C2 Extraction:
raw.awaken-network.net
141.98.10.142
Verdict:
Malicious
Tags:
trojan mirai Unix.Trojan.Mirai-9441505-0
YARA:
Linux_Trojan_Mirai_b14f4c5d Linux_Trojan_Mirai_5f7b67b8 Linux_Trojan_Mirai_88de437f Linux_Trojan_Mirai_ae9d0fa6 Linux_Trojan_Mirai_389ee3e9 Linux_Trojan_Mirai_cc93863b Linux_Trojan_Mirai_8aa7b5d3
Link:
https://app.threat.zone/submission/df54e10c-d82c-47bf-beda-30bbddd93614
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mirai
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/17fe6c845240f07f13c8f0e8e7a774542fac60deaa04ab5c92d56aa70f44ae48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Mirai_389ee3e9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_5f7b67b8
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_88de437f
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_8aa7b5d3
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_ae9d0fa6
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_b14f4c5d
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_cc93863b
Create hunting rule
Author:Elastic Security
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 17fe6c845240f07f13c8f0e8e7a774542fac60deaa04ab5c92d56aa70f44ae48

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3475244/
  
Delivery method
Distributed via web download

Comments