MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a47815c2cf007204916e12a71b2f17ce34e8831e2bbd61ba734cdec1828de91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a47815c2cf007204916e12a71b2f17ce34e8831e2bbd61ba734cdec1828de91
SHA3-384 hash: 4845243fa29154bc03af5dd722a9fec71aabb1ae8be75f0061744dda7cd057fc8cccc39e0b63d294b29f1725fbf27612
SHA1 hash: 654be2ac9373797045edf065a968f0d9e78e337d
MD5 hash: a6361ad176e59ddaf64c45f66a527e19
humanhash: lithium-ten-magnesium-sodium
File name:i686
Download: download sample
Signature Mirai
Create hunting rule
File size:988'604 bytes
First seen:2025-05-20 01:32:14 UTC
Last seen:2025-05-20 08:31:54 UTC
File type: elf
MIME type:application/x-executable
ssdeep 24576:56LpZQsqhOWhY/ESuQgE9wVxkbOIf+4XsT1S5mmcUMHOYNfiZn:gZhqhOWhK1HIkbK4XkuYNf
TLSH T1DD258E89EBC6D4E1F25301B5068FD7F6053492265043FAF6EB8C9A777432B126E1722E
telfhash t1abd02bb11fa485016507ec402cc100bd7daef9051fcafc41fa4dd4915c7009d2b1394b
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682bdbca2f280a98fb42223blinux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Creating a process from a recently created file
Runs as daemon
Sends data to a server
Creating a file
Sets a written file as executable
Receives data from a server
Writes files to system directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gcc lolbin remote
Link:
https://www.filescan.io/uploads/682bdbd7c609634bd7ca386b/reports/4f903525-3a4f-43c0-95f3-8e9dcee321bf/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
1
Number of processes launched:
2
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/1a47815c2cf007204916e12a71b2f17ce34e8831e2bbd61ba734cdec1828de91
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/94f362bc-d199-47ec-84a7-91d519a4e4d2
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1694428
Signature
Drops files in suspicious directories
Malicious sample detected (through community Yara rule)
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1694428 Sample: i686.elf Startdate: 20/05/2025 Architecture: LINUX Score: 56 71 89.42.88.163, 1338, 42274, 42276 MOLDTELECOM-ASMoldtelecomAutonomousSystemMD Romania 2->71 73 daisy.ubuntu.com 2->73 79 Malicious sample detected (through community Yara rule) 2->79 15 i686.elf 2->15         started        signatures3 process4 process5 17 i686.elf 15->17         started        signatures6 75 Writes identical ELF files to multiple locations 17->75 77 Drops files in suspicious directories 17->77 20 i686.elf update 17->20         started        22 i686.elf 17->22         started        24 i686.elf 17->24         started        26 5 other processes 17->26 process7 process8 28 update 20->28         started        signatures9 85 Drops files in suspicious directories 28->85 31 update update 28->31         started        33 update 28->33         started        35 update 28->35         started        37 4 other processes 28->37 process10 process11 39 update 31->39         started        signatures12 83 Drops files in suspicious directories 39->83 42 update update 39->42         started        44 update update 39->44         started        46 update 39->46         started        48 3 other processes 39->48 process13 process14 50 update 42->50         started        52 update 44->52         started        signatures15 55 update update 50->55         started        57 update 50->57         started        59 update 50->59         started        81 Drops files in suspicious directories 52->81 61 update 52->61         started        63 update 52->63         started        65 update 52->65         started        67 2 other processes 52->67 process16 process17 69 update 55->69         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/1a47815c2cf007204916e12a71b2f17ce34e8831e2bbd61ba734cdec1828de91
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1a47815c2cf007204916e12a71b2f17ce34e8831e2bbd61ba734cdec1828de91/
Threat name:
Linux.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-20 01:32:55 UTC
File Type:
ELF32 Little (Exe)
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=djdycxbm6adsasiw4evhdmxrptru5cbr4k55mg5hgtg6ygbi32iq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
linux rootkit
Link:
https://tria.ge/reports/250520-byg6gahq3w/
Behaviour
Loads a kernel module
Writes memory of remote process
Verdict:
Malicious
Tags:
trojan tsunami
YARA:
Linux_Trojan_Tsunami_c94eec37
Link:
https://app.threat.zone/submission/a54bb8b0-5d8a-40a3-a771-3f5890ee63d0
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mirai
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/1a47815c2cf007204916e12a71b2f17ce34e8831e2bbd61ba734cdec1828de91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Tsunami_c94eec37
Create hunting rule
Author:Elastic Security
Rule name:malwareelf55503
Create hunting rule
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 1a47815c2cf007204916e12a71b2f17ce34e8831e2bbd61ba734cdec1828de91

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3545672/
  
Delivery method
Distributed via web download

Comments