MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e1401f51435c8048f21656d574d2397e96ebcdb41073107cda6ede08e206f1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: 1e1401f51435c8048f21656d574d2397e96ebcdb41073107cda6ede08e206f1d
SHA3-384 hash: f33e41d7f988d8efa0cd3f8c5b3cebbf195d4746411570974aaab681e203c43e01ee89f2a8dd8b973cd499c3f62ea8b2
SHA1 hash: 1199c1e377e084c19aaef803f9738ba9c21be119
MD5 hash: 413b79b83615e6c10836bdb060d45c5f
humanhash: beer-arizona-mockingbird-robert
File name: m68k
Signature: Mirai
File size: 830'452 bytes
First seen: 2025-05-20 01:07:03 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 24576:RJGNh0mZpUVGYB00jgjVjpj50bVOIaYhjjKw6:3GNh0700jgjVjpjiIuhjE
TLSH: T14305BFE3AB06B925D4688F3288D347257731629289C29B3FE15CF5393A1B5947F037CA
telfhash: t193f0aca04a7d80800d62ec005c5211ff5eebd6a61e82f945fb46ddc52c6e41dfb43d4b
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 123
Origin country: DE
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gcc lolbin remote
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Signature
Drops files in suspicious directories
Drops invisible ELF files
Malicious sample detected (through community Yara rule)
Sample tries to persist itself using .desktop files
Writes ELF files to hidden directories
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph:
[Behavior graph, ID 1694415. Sample: m68k.elf. Start date: 20/05/2025. Architecture: LINUX. Score: 68.]
Threat name:
Linux.Trojan.Egairtigado
Status:
Malicious
First seen:
2025-05-20 01:07:19 UTC
File Type:
ELF32 Big (Exe)
AV detection:
10 of 23 (43.48%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: F01_s1ckrule
Author: s1ckb017

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: malwareelf55503

Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 1e1401f51435c8048f21656d574d2397e96ebcdb41073107cda6ede08e206f1d

(this sample)

  
Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_PIE
Title: Missing Position-Independent Executable (PIE) Protection
Severity: high
