MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c77cf3da944139b112aa7f96cfb604acc1d0e0d8283c7569aff8ca380d05f0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 11

SHA256 hash: 1c77cf3da944139b112aa7f96cfb604acc1d0e0d8283c7569aff8ca380d05f0d
SHA3-384 hash: dd84fbe020b5fd313665d0ca356303ad22ed124d24ab6cdb73f2fffe7769d6a8ffa9ebbc2646adb1a6b432bed0f823fe
SHA1 hash: 56212489999d3982ef26df06d44ddaf98b53a1d6
MD5 hash: 29f6fd9a4feca5c00871b2284feec37e
humanhash: yankee-table-fanta-fix
File name: 2.off3.ru
Signature Mirai
File size: 345'768 bytes
First seen: 2025-11-02 16:16:44 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep 6144:fryELpHq4VOzE0zDHfcm9qA9AJO9ydQb2KiA:fbKDztlPbt
TLSH T117744C076B8120BEC052C17457EF92A3E733F0BB1121755E778C9A702F57E216B6ABA1
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags: elf mirai upx-dec


abuse_ch
UPX decompressed file, sourced from SHA256 1a698a6c4f1c78ea5caeb43b37a8f830f102e90aa66b71c2a8f7b46ad67b2017
File size (compressed): 122'364 bytes
File size (de-compressed): 345'768 bytes
Format: linux/amd64
Packed file: 1a698a6c4f1c78ea5caeb43b37a8f830f102e90aa66b71c2a8f7b46ad67b2017
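The comment above describes this entry as the UPX-decompressed child of a packed parent, and the vendor blocks below disagree on details such as architecture ("x86" in one, "elf.64.le" and "linux/amd64" in others) and packing ("not packed" versus "UPX packed file"). The ELF header itself settles the architecture question, and the hashes on this page are the identifiers to match against. The script below is an added example, not code from MalwareBazaar, abuse.ch or the sample: it parses the ELF identification bytes, applies a UPX-marker heuristic, computes the same digests MalwareBazaar lists, and checks them against the hashes copied from this page. The ELF header it builds for its own test is constructed, not bytes from the sample.

```python
"""ELF triage helper: architecture from the header, UPX-marker heuristic,
MalwareBazaar-style digests and IOC matching.  Added example; the test
header built by make_elf64_header() is constructed, not sample bytes."""
import hashlib
import struct

# e_machine values from the ELF specification (subset).
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def elf_arch(data):
    """Return 'ELF<class> <endianness> <machine>' read from the ELF header,
    or None if the buffer does not start with the ELF magic."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    bits = {1: "32", 2: "64"}.get(ei_class, "?")
    endian = {1: "LE", 2: "BE"}.get(ei_data, "?")
    fmt = "<H" if ei_data == 1 else ">H"
    (e_machine,) = struct.unpack_from(fmt, data, 18)  # e_machine at offset 18
    return "ELF%s %s %s" % (bits, endian,
                            E_MACHINE.get(e_machine, "machine=%d" % e_machine))


def looks_upx_packed(data):
    """Heuristic: a stock UPX image carries the 'UPX!' magic in its pack
    header.  Absence proves nothing (the magic is trivially patched out,
    which also breaks 'upx -d'); presence is a strong hint."""
    return b"UPX!" in data


def digests(data):
    """The digests MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


# Hashes copied from this page: the decompressed sample and its UPX parent.
KNOWN_IOCS = {
    "1c77cf3da944139b112aa7f96cfb604acc1d0e0d8283c7569aff8ca380d05f0d",  # sha256, this sample
    "56212489999d3982ef26df06d44ddaf98b53a1d6",                          # sha1, this sample
    "29f6fd9a4feca5c00871b2284feec37e",                                  # md5, this sample
    "1a698a6c4f1c78ea5caeb43b37a8f830f102e90aa66b71c2a8f7b46ad67b2017",  # sha256, UPX-packed parent
}


def match_iocs(data, iocs=KNOWN_IOCS):
    """Map digest name -> hex value for every digest found in the IOC set."""
    return {name: h for name, h in digests(data).items() if h in iocs}


def make_elf64_header(machine=62, ei_data=1):
    """Build a minimal 64-byte ELF64 header (constructed test input only)."""
    ident = b"\x7fELF" + bytes([2, ei_data, 1, 0]) + bytes(8)   # class=64
    fmt = "<HHI" if ei_data == 1 else ">HHI"
    return ident + struct.pack(fmt, 2, machine, 1) + bytes(40)  # ET_EXEC, e_machine, EV_CURRENT


def triage(data):
    """One-shot summary for a file's bytes."""
    out = {"arch": elf_arch(data), "upx": looks_upx_packed(data), "ioc_hits": match_iocs(data)}
    out.update(digests(data))
    return out


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_elf64_header()
    for key, value in triage(blob).items():
        print(key, value)
```

Run it as `python3 triage.py <file>` against a downloaded sample; with no argument it triages its own constructed header. A hit in `ioc_hits` on either SHA256 ties the file to this entry or to its packed parent; `upx` being false on the decompressed child is expected.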

Intelligence


File Origin
# of uploads: 1
# of downloads: 43
Origin country: NL
Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:

Behaviour
DNS request
Mounts file systems
Runs as daemon
Collects information on the OS
Creating a file
Locks files
Launching a process

Result
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64

Result
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: true
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 13
Number of processes launched: 4
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified

Result
Verdict: Malicious
File Type: elf.64.le
First seen: 2025-09-14T00:31:00Z UTC
Last seen: 2025-11-02T16:35:00Z UTC
Hits: ~100
Status: terminated
Behavior Graph (process tree; each edge is labelled with the syscall that created the child):
  pid 932  /usr/bin/sudo
    execve -> pid 933  /tmp/sample.bin
      clone -> pid 934  /tmp/sample.bin  (zombie)
        clone -> pid 935  /tmp/sample.bin  (dns, send-data, write-file; zombie)
          send: 80 B -> 10.0.2.3:53
          execve -> pid 936  /usr/bin/dash
            execve -> pid 937  /usr/bin/mount
Result
Threat name:
Detection: malicious
Classification: spre.troj.evad.mine
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Copies a time stamp from an existing file to another (can be used for hiding)
Drops files in suspicious directories
Executes itself again with its parent PID as an argument (indicative of hampering debugging)
Executes the "insmod" command used for loading kernel modules
Executes the "iptables" command to insert, remove and/or manipulate rules
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Protects files from modification
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to set files in /etc globally writable
Spawns processes using file descriptor names (likely to hide the executable path or fileless malware)
Terminates several processes with shell command 'killall'
Tries to load the MSR kernel module used for reading/writing to CPUs model specific register
Writes identical ELF files to multiple locations
Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)
Yara detected Xmrig cryptocurrency miner
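The signature list above describes the host-side tradecraft far better than the family label does (the entry is tagged Mirai, while this sandbox reports an XMRig miner): re-executing itself with the parent PID as an argument, loading the msr kernel module, manipulating iptables, chattr-protecting dropped files, killall against other processes, executing out of a memfd, making files under /etc world-writable and copying timestamps. The script below is an added example, not code from the sandbox, MalwareBazaar or the sample: it runs rules for exactly those behaviours over a process-exec trace. The JSON-lines event format is an assumption, the rule names are mine, and the events are constructed to resemble an auditd or sandbox exec trace; they are not output from the sample.

```python
"""Host-side triage of a process-exec trace for the behaviours reported by
the sandbox signatures above.  Added example, not code from MalwareBazaar
or from the sample.  EVENTS is a constructed JSON-lines trace (one exec
event per line with pid, ppid, exe, argv); the format is an assumption."""
import json
import os

# Constructed exec events modelled on the signatures above; not sample output.
EVENTS = "\n".join([
    '{"pid":100,"ppid":1,"exe":"/tmp/sample.bin","argv":["/tmp/sample.bin"]}',
    '{"pid":101,"ppid":100,"exe":"/tmp/sample.bin","argv":["/tmp/sample.bin","100"]}',
    '{"pid":102,"ppid":101,"exe":"/usr/bin/dash","argv":["sh","install.sh"]}',
    '{"pid":103,"ppid":102,"exe":"/usr/sbin/insmod","argv":["insmod","msr"]}',
    '{"pid":104,"ppid":102,"exe":"/usr/bin/chattr","argv":["chattr","+i","/usr/bin/selinuxdefconed"]}',
    '{"pid":105,"ppid":102,"exe":"/usr/sbin/iptables","argv":["iptables","-I","INPUT","-j","ACCEPT"]}',
    '{"pid":106,"ppid":102,"exe":"/usr/bin/killall","argv":["killall","-9","xmrig"]}',
    '{"pid":107,"ppid":102,"exe":"/memfd:kdump (deleted)","argv":["4"]}',
    '{"pid":108,"ppid":102,"exe":"/usr/bin/chmod","argv":["chmod","777","/etc/crontab"]}',
    '{"pid":109,"ppid":102,"exe":"/usr/bin/touch","argv":["touch","-r","/usr/bin/ls","/usr/bin/selinuxdefconed"]}',
    '{"pid":110,"ppid":1,"exe":"/usr/bin/ls","argv":["ls","-la"]}',
])


def _base(ev):
    return os.path.basename(ev["exe"])


def fileless_exec(ev, parents):
    # Image lives in a memfd or is reached via an fd path, not a file on disk.
    return ev["exe"].startswith(("/memfd:", "/proc/self/fd/", "/dev/fd/"))


def self_reexec_with_ppid(ev, parents):
    # Same binary as the parent, with the parent's PID passed as an argument.
    parent = parents.get(ev["ppid"])
    return (parent is not None and parent["exe"] == ev["exe"]
            and str(ev["ppid"]) in ev["argv"][1:])


def msr_module_load(ev, parents):
    return _base(ev) in ("insmod", "modprobe") and any("msr" in a for a in ev["argv"][1:])


def immutable_attr(ev, parents):
    # chattr +i (or +ia, ...) makes the dropped file undeletable until chattr -i.
    return _base(ev) == "chattr" and any(a.startswith("+") and "i" in a for a in ev["argv"][1:])


def iptables_change(ev, parents):
    return _base(ev) in ("iptables", "ip6tables", "nft")


def kill_competitors(ev, parents):
    return _base(ev) in ("killall", "pkill")


def etc_world_writable(ev, parents):
    # chmod on a path under /etc that sets the other-write bit (numeric or symbolic).
    if _base(ev) != "chmod" or len(ev["argv"]) < 3:
        return False
    mode, targets = ev["argv"][1], ev["argv"][2:]
    if not any(t.startswith("/etc/") for t in targets):
        return False
    if mode.isdigit():
        return bool(int(mode, 8) & 0o002)
    return mode.startswith("+w") or any(tok in mode for tok in ("o+w", "a+w"))


def timestamp_copy(ev, parents):
    # touch -r <reference> <target> copies the reference file's timestamps.
    return _base(ev) == "touch" and "-r" in ev["argv"]


RULES = [
    ("fileless_exec", fileless_exec),
    ("self_reexec_with_ppid", self_reexec_with_ppid),
    ("msr_module_load", msr_module_load),
    ("immutable_attr", immutable_attr),
    ("iptables_change", iptables_change),
    ("kill_competitors", kill_competitors),
    ("etc_world_writable", etc_world_writable),
    ("timestamp_copy", timestamp_copy),
]


def triage(log_text):
    """Return [(pid, rule_name), ...] in trace order.  Seen processes are kept
    by pid so a child event can be compared with the process that spawned it."""
    parents, findings = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, rule in RULES:
            if rule(ev, parents):
                findings.append((ev["pid"], name))
        parents[ev["pid"]] = ev
    return findings


if __name__ == "__main__":
    for pid, name in triage(EVENTS):
        print(pid, name)
```

Run stand-alone it prints eight findings, one per malicious event in the constructed trace, and nothing for the benign `ls`. On a real host the same rules apply to an auditd `execve` feed once the records are mapped to the pid/ppid/exe/argv shape; the parent-tracking in `triage` is what makes the self-re-exec rule work, since that behaviour is only visible by comparing a process with its parent.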
Behaviour
Behavior Graph (ID 1806578; sample 2.off3.ru.elf; start date 02/11/2025; architecture LINUX; score 100):

Network contacts:
  www.onlinetools99.shop  45.135.134.90  ports 36122, 80  (ASBAXETRU, Russian Federation)
  1.off3.ru
  9 other IPs or domains

Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 2 other signatures.

Process tree (node numbers are the graph's own; "->" marks a child process, "drops" a file written, "sig" a signature attached to that node):
  2.off3.ru.elf (15)
    -> 2.off3.ru.elf (23)
      -> 2.off3.ru.elf (39)
        -> 2.off3.ru.elf sh (41) -> sh tty (50) -> tty 4 (70)
             70 drops /memfd:kdump (deleted), ELF
             70 sig: Spawns processes using file descriptor names (likely to hide the executable path or fileless malware); Writes identical ELF files to multiple locations
             70 -> 4 (88) -> 4 (94)
                  94 drops /usr/sbin/sshd, ELF; /usr/bin/telinited.upluj, ELF; /usr/bin/systemd-udeved.hxgid, ELF; 17 other malicious files
                  94 sig: Sample tries to set files in /etc globally writable; Drops files in suspicious directories; Opens /proc/net/* files useful for finding connected devices and routers; Sample deletes itself
                  94 -> 4 sh (100), 4 sh (102), 4 sh (104), 52 other processes (106)
                       106 -> sh chattr (108)
        -> 2.off3.ru.elf sh (43) -> sh install.sh (52)
             52 -> install.sh bot (74), install.sh killall (76), install.sh killall (78), 36 other processes (86)
             74 drops /usr/lib/x86_64-li...onv/libpci.so.3.0.1, ELF; /usr/lib/kernel/systemd-reboot, ELF; /usr/bin/selinuxdefconed, ELF; 2 other malicious files
             74 sig: Drops files in suspicious directories; Sample deletes itself
             74 -> bot sh (90) -> sh libpci.so.3.0.1 (98)
                  98 drops /usr/sbin/swapon, ELF; /usr/sbin/agetty, ELF; /usr/bin/tty, ELF; /usr/bin/kmod, ELF
                  98 sig: Writes identical ELF files to multiple locations
             76 sig: Terminates several processes with shell command 'killall'
        -> 2.off3.ru.elf sh (45) -> sh tar (54), sh dd (57), sh openssl (59)
             54 drops /var/lib/gold20/rctl.sh, Bourne-Again; /var/lib/gold20/last.sh, Bourne-Again; /var/lib/gold20/install.sh, Bourne-Again; 2 other malicious files
             54 -> tar (80) -> tar gzip (92)
        -> 15 other processes (47)
             47 sig: Executes itself again with its parent PID as an argument (indicative of hampering debugging)
             47 -> sh rm (61), sh chattr (64), sh iptables (66), 26 other processes (68)
                  61 sig: Sample deletes itself
                  64 sig: Protects files from modification
                  66 sig: Executes the "iptables" command to insert, remove and/or manipulate rules
                  68 -> xargs kill (82), xargs kill (84)
  kmod sh (17) -> sh selinuxdefconed (25)
    25 drops /usr/bin/reviews, ELF; /usr/bin/mldconfigs, ELF
    25 sig: Drops files in suspicious directories
  kmod sh (19) -> sh selinuxdefconed (29)
  42 other processes (21) -> sh selinuxdefconed (31), sh selinuxdefconed (33), sh selinuxdefconed (35), 26 other processes (37)
Result
Threat name: Linux.PUA.Multiverze
Status: Malicious
First seen: 2025-05-25 01:21:00 UTC
File Type: ELF64 Little (Exe)
AV detection: 11 of 36 (30.56%)
Threat level: 1/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery linux persistence upx
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Reads CPU attributes
UPX packed file
Attempts to change immutable files
Disables SELinux
Enumerates running processes
Reads list of loaded kernel modules
Write file to user bin folder
Writes file to system bin folder
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:enterpriseunix2
Author:Tim Brown @timb_machine
Description:Enterprise UNIX
Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_shellpop_Bash
Author:Tobias Michalski
Description: Detects suspicious bash command
Reference:https://github.com/0x00-0x00/ShellPop
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mirai
File: elf 1c77cf3da944139b112aa7f96cfb604acc1d0e0d8283c7569aff8ca380d05f0d (this sample)

Comments