MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18763735c9002fc6aa0ce0236032cfef33ee975fc12fb4ae5091eda14dc8b16a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 13


Intelligence 13 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18763735c9002fc6aa0ce0236032cfef33ee975fc12fb4ae5091eda14dc8b16a
SHA3-384 hash: 2ce8877cd87a139d6dd0c188005faace4bd32d18b1b8f5a78aaf2f07a9e7fd370e796085216632248036d7f092b1af5b
SHA1 hash: 2cdb02a5b7b0d9bf057157f963652b2fdbd88088
MD5 hash: 05979e2acefdd81617c6d520ac1ac044
humanhash: four-blossom-triple-stairway
File name:debug
Download: download sample
Signature Mirai
Create hunting rule
File size:155'176 bytes
First seen:2026-01-03 12:18:17 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:jGcKraAe9vrHaeRSADfn/VuvKgbBPupv0H3qoUsabx3WwbZnsBn:jGcKrc9D6wSUVuCIP73qdvl3WwRsBn
TLSH T155E37CC5E743D4F5EC1646711177EB36BAB2E03A123EDA82C7BA9932EC41581C51B3AC
telfhash t163516bf9ad761ded67c0d903e78e2b22ed0eea77246031b905f317e0326254191b8c79
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 75aa30fc031d710ffad4dade42a90d8b98e9070cc3d8d732e3c00e006a0b096a
File size (compressed) :64'412 bytes
File size (de-compressed) :155'176 bytes
Format:linux/i386
Packed file: 75aa30fc031d710ffad4dade42a90d8b98e9070cc3d8d732e3c00e006a0b096a

Intelligence

File Origin
# of uploads :
1
# of downloads :
46
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Mirai
Details
Link:
https://research.acce.ciphertechsolutions.com/results/54b556e7-9b4d-4852-b540-8012dd53ae69/
Detection(s):
SecuriteInfo.com.Linux.Mirai-63.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30541.LC.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Siggen.9999-14.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-7100807-0
Create hunting rule

Unix.Trojan.Mirai-7135916-0
Create hunting rule

Unix.Dropper.Mirai-7136016-0
Create hunting rule

Unix.Trojan.Mirai-8025795-0
Create hunting rule

Unix.Trojan.Mirai-9441505-0
Create hunting rule

Unix.Trojan.Mirai-10028515-0
Create hunting rule

Unix.Trojan.Mirai-10056463-0
Create hunting rule

Unix.Trojan.Mirai-10059006-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Kills processes
Sends data to a server
Launching a process
Manages services
Creating a file
Sets a written file as executable
Opens a port
Substitutes an application name
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
botnet gafgyt mirai obfuscated
Link:
https://www.filescan.io/uploads/695909417d55b68cb20cdfd3/reports/ad69c966-b5ba-4e43-9c8b-8bb433bf4d6c/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-01-03T09:29:00Z UTC
Last seen:
2026-01-04T01:46:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Linux.Mirai.r HEUR:Backdoor.Linux.Mirai.cw HEUR:Backdoor.Linux.Mirai.b HEUR:Backdoor.Linux.Gafgyt.bl HEUR:Backdoor.Linux.Gafgyt.bj
Link:
https://opentip.kaspersky.com/18763735c9002fc6aa0ce0236032cfef33ee975fc12fb4ae5091eda14dc8b16a/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/5acc29ba-57bb-4b0f-8097-c986883446d4
Behavior Graph:
Download SVG
%3 guuid=8692361c-1900-0000-79b6-7040fe090000 pid=2558 /usr/bin/sudo guuid=5f366c1e-1900-0000-79b6-7040050a0000 pid=2565 /tmp/sample.bin net send-data write-config write-file guuid=8692361c-1900-0000-79b6-7040fe090000 pid=2558->guuid=5f366c1e-1900-0000-79b6-7040050a0000 pid=2565 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=5f366c1e-1900-0000-79b6-7040050a0000 pid=2565->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con 54d92a3b-1447-55af-b534-047898c60c8d 1.1.1.1:53 guuid=5f366c1e-1900-0000-79b6-7040050a0000 pid=2565->54d92a3b-1447-55af-b534-047898c60c8d send: 370B 51a553e2-ae0e-5eda-9e98-aa9e45810237 151.242.30.13:12121 guuid=5f366c1e-1900-0000-79b6-7040050a0000 pid=2565->51a553e2-ae0e-5eda-9e98-aa9e45810237 send: 12B guuid=4107015b-1900-0000-79b6-7040b70a0000 pid=2743 /usr/bin/dash guuid=5f366c1e-1900-0000-79b6-7040050a0000 pid=2565->guuid=4107015b-1900-0000-79b6-7040b70a0000 pid=2743 execve guuid=b959685e-1900-0000-79b6-7040c00a0000 pid=2752 /usr/bin/dash guuid=5f366c1e-1900-0000-79b6-7040050a0000 pid=2565->guuid=b959685e-1900-0000-79b6-7040c00a0000 pid=2752 execve guuid=facda660-1900-0000-79b6-7040c50a0000 pid=2757 /tmp/sample.bin guuid=5f366c1e-1900-0000-79b6-7040050a0000 pid=2565->guuid=facda660-1900-0000-79b6-7040c50a0000 pid=2757 clone guuid=b9f9aa60-1900-0000-79b6-7040c60a0000 pid=2758 /tmp/sample.bin guuid=5f366c1e-1900-0000-79b6-7040050a0000 pid=2565->guuid=b9f9aa60-1900-0000-79b6-7040c60a0000 pid=2758 clone guuid=24f7885b-1900-0000-79b6-7040b90a0000 pid=2745 /usr/bin/systemctl guuid=4107015b-1900-0000-79b6-7040b70a0000 pid=2743->guuid=24f7885b-1900-0000-79b6-7040b90a0000 pid=2745 execve guuid=891c9d5e-1900-0000-79b6-7040c10a0000 pid=2753 /usr/bin/systemctl guuid=b959685e-1900-0000-79b6-7040c00a0000 pid=2752->guuid=891c9d5e-1900-0000-79b6-7040c10a0000 pid=2753 execve guuid=41cab060-1900-0000-79b6-7040c70a0000 pid=2759 /tmp/sample.bin guuid=facda660-1900-0000-79b6-7040c50a0000 pid=2757->guuid=41cab060-1900-0000-79b6-7040c70a0000 pid=2759 clone guuid=ea37b460-1900-0000-79b6-7040c80a0000 pid=2760 /tmp/sample.bin guuid=facda660-1900-0000-79b6-7040c50a0000 pid=2757->guuid=ea37b460-1900-0000-79b6-7040c80a0000 pid=2760 clone
Gathering data
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1844095
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1844095 Sample: debug.elf Startdate: 03/01/2026 Architecture: LINUX Score: 80 31 169.254.169.254, 80 USDOSUS Reserved 2->31 33 151.242.30.13, 12121, 42446 RASANAIR Iran (ISLAMIC Republic Of) 2->33 35 2 other IPs or domains 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for dropped file 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 2 other signatures 2->43 8 debug.elf 2->8         started        11 python3.8 dpkg 2->11         started        signatures3 process4 file5 29 /usr/local/bin/infinitd, ELF 8->29 dropped 13 debug.elf sh 8->13         started        15 debug.elf sh 8->15         started        17 debug.elf 8->17         started        19 debug.elf 8->19         started        process6 process7 21 sh systemctl 13->21         started        23 sh systemctl 15->23         started        25 debug.elf 17->25         started        27 debug.elf 17->27         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/18763735c9002fc6aa0ce0236032cfef33ee975fc12fb4ae5091eda14dc8b16a
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/18763735c9002fc6aa0ce0236032cfef33ee975fc12fb4ae5091eda14dc8b16a/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/18763735c9002fc6aa0ce0236032cfef33ee975fc12fb4ae5091eda14dc8b16a
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-03 12:19:14 UTC
File Type:
ELF32 Little (Exe)
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=db3donojaax4nkqm4arwamwp54z65f27yex3jlsqshw2ctoiwfva._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet defense_evasion discovery linux persistence privilege_escalation
Link:
https://tria.ge/reports/260103-pg3yhads6e/
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
Enumerates active TCP sockets
Modifies systemd
Write file to user bin folder
Writes file to system bin folder
Modifies Watchdog functionality
Mirai
Mirai family
Malware Config
C2 Extraction:
teamc2.duckdns.org
Verdict:
Malicious
Tags:
botnet mirai trojan gafgyt Unix.Trojan.Mirai-7100807-0
YARA:
Mirai_Botnet_Malware Linux_Trojan_Gafgyt_5bf62ce4 Linux_Trojan_Mirai_fa3ad9d0 Linux_Trojan_Mirai_b14f4c5d Linux_Trojan_Mirai_93fc3657 Linux_Trojan_Mirai_804f8e7c Linux_Trojan_Mirai_99d78950 Linux_Trojan_Mirai_a68e498c Linux_Trojan_Mirai_88de437f Linux_Trojan_Mirai_ae9d0fa6 Linux_Trojan_Mirai_389ee3e9 Linux_Trojan_Mirai_cc93863b Linux_Trojan_Mirai_8aa7b5d3
Link:
https://app.threat.zone/submission/b1f33232-d081-480e-8ccf-81272c56d0a0
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.29
Link:
https://yomi.yoroi.company/submissions/18763735c9002fc6aa0ce0236032cfef33ee975fc12fb4ae5091eda14dc8b16a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Mirai
Create hunting rule
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Mirai_Generic
Create hunting rule
Author:albertzsigovits
Description:Generic Approach to Mirai/Gafgyt samples
Rule name:Linux_Trojan_Gafgyt_5bf62ce4
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_389ee3e9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_804f8e7c
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_88de437f
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_8aa7b5d3
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_93fc3657
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_99d78950
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_a68e498c
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_ae9d0fa6
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_b14f4c5d
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_cc93863b
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_fa3ad9d0
Create hunting rule
Author:Elastic Security
Rule name:Mirai_Botnet_Malware
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Mirai Botnet Malware
Reference:Internal Research
Rule name:Mirai_Botnet_Malware_RID2EF6
Create hunting rule
Author:Florian Roth
Description:Detects Mirai Botnet Malware
Reference:Internal Research
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 75aa30fc031d710ffad4dade42a90d8b98e9070cc3d8d732e3c00e006a0b096a

Mirai

elf 18763735c9002fc6aa0ce0236032cfef33ee975fc12fb4ae5091eda14dc8b16a

(this sample)

  
Dropped by
SHA256 75aa30fc031d710ffad4dade42a90d8b98e9070cc3d8d732e3c00e006a0b096a
  
URLhaus
https://urlhaus.abuse.ch/url/3722814/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 4c8216023b259460efb20c48e25606e3
  
URLhaus
https://urlhaus.abuse.ch/url/3722816/

Comments