MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e9eb027d920ff43990e78a73cd9ccd1ce8e1f13f0f0de2d92001533389c96ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 11

Intelligence 11 IOCs YARA 8 File information Comments

SHA256 hash:	1e9eb027d920ff43990e78a73cd9ccd1ce8e1f13f0f0de2d92001533389c96ca
SHA3-384 hash:	5e52957fe0b07d6d294a88a702a9d391517fb3aaab1bbdb4417a9b070470bc194a0d932834b4c573783862d6a252bc80
SHA1 hash:	e458622a6f00d7e9b362835dcc14d234ad259456
MD5 hash:	758a25e6b9203144eca6b12906e96d9a
humanhash:	gee-pizza-salami-four
File name:	ecco.arm
Download:	download sample
Signature	Mirai Create hunting rule
File size:	250'592 bytes
First seen:	2025-12-03 05:23:18 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	6144:mKqB4691dO97Osqsierb4zOlyPLnooI+n:mXB4gsFb4zOwjn
TLSH	T1EF342985F8819E26C6C512B7FA6F028D371A13F9D2EA7103DD151F6137CA85B0E3B686
telfhash	t154512081ee06173c77e651c4c5bba42e99e932997b097513cb18b67e8c039c3b129817
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf mirai upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 7146976b9d57b28c612bbd667a89895ee9a67dabefc88eb7df149955e3c1b77e

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	82'912 bytes
File size (de-compressed) :	250'592 bytes
Format:	linux/arm
Packed file:	7146976b9d57b28c612bbd667a89895ee9a67dabefc88eb7df149955e3c1b77e

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Mirai

Details

Mirai

an XOR decryption key and at least a c2 socket address

Detection(s):

Sanesecurity.Malware.29325.LC.Pl.UNOFFICIAL

SecuriteInfo.com.Linux.Mirai-81.UNOFFICIAL

Sanesecurity.Malware.29524.LC.UNOFFICIAL

Sanesecurity.Malware.30395.LC.UNOFFICIAL

Sanesecurity.Malware.30435.LC.UNOFFICIAL

SecuriteInfo.com.Linux.Siggen.9999-6.UNOFFICIAL

Sanesecurity.Malware.29001.LCM.UNOFFICIAL

Unix.Trojan.Mirai-7100807-0

Unix.Dropper.Mirai-7135870-0

Unix.Dropper.Mirai-7135881-0

Unix.Dropper.Mirai-7135897-0

Unix.Dropper.Mirai-7135901-0

Unix.Dropper.Mirai-7135909-0

Unix.Trojan.Mirai-7135916-0

Unix.Dropper.Mirai-7135918-0

Unix.Dropper.Mirai-7135954-0

Unix.Dropper.Mirai-7135996-0

Unix.Dropper.Mirai-7136013-0

Unix.Dropper.Mirai-7136016-0

Unix.Dropper.Mirai-7136017-0

Unix.Dropper.Mirai-7136028-0

Unix.Dropper.Mirai-7136033-0

Unix.Dropper.Mirai-7136057-0

Unix.Trojan.Mirai-8025795-0

Unix.Trojan.Mirai-9441505-0

Unix.Trojan.Mirai-9807962-0

Unix.Trojan.Mirai-9808381-0

Unix.Trojan.Mirai-9858729-0

Unix.Dropper.Mirai-9977145-0

Unix.Dropper.Mirai-10007027-0

Unix.Trojan.Mirai-10009361-0

Unix.Trojan.Mirai-10011027-0

Unix.Trojan.Mirai-10011918-0

Unix.Trojan.Mirai-10058414-0

Unix.Packed.Botnet-6566031-0

Unix.Dropper.Botnet-6566040-0

Unix.Trojan.Gafgyt-6748839-0

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

gafgyt masquerade mirai obfuscated rust

Link:

https://www.filescan.io/uploads/692fc97f8e26c121ec94e5a4/reports/3e32a937-c4bd-44ae-8c6f-252abb6f6ee8/overview

Result

Gathering data

Verdict:

Malicious

File Type:

elf.32.le

Detections:

HEUR:Exploit.Linux.Netgear.a HEUR:Exploit.Linux.DLink.a HEUR:Backdoor.Linux.Mirai.ii HEUR:Backdoor.Linux.Mirai.b HEUR:Exploit.Linux.Mvpower.a HEUR:Exploit.Linux.DLink.b HEUR:Exploit.Linux.CVE-2018-10561.a HEUR:Backdoor.Linux.Mirai.r HEUR:Backdoor.Linux.Mirai.h HEUR:Backdoor.Linux.Gafgyt.cn HEUR:Backdoor.Linux.Gafgyt.bl HEUR:Backdoor.Linux.Gafgyt.bj HEUR:Exploit.Linux.CVE-2014-8361.a HEUR:Exploit.Linux.Vacron.a HEUR:Exploit.Linux.CVE-2017-17215.a HEUR:Backdoor.Linux.Mirai.cw HEUR:Exploit.Linux.Netgear.b

Link:

https://opentip.kaspersky.com/1e9eb027d920ff43990e78a73cd9ccd1ce8e1f13f0f0de2d92001533389c96ca/results?tab=lookup

Malware family:

Mirai

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/cc880849-366f-43ae-903a-fff91fad3008

Result

Threat name:

Mirai, Gafgyt

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1825073

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Mirai

Drops files in suspicious directories

Executes the "crontab" command typically for achieving persistence

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample tries to persist itself using cron

Sample tries to persist itself using System V runlevels

Sample tries to set files in /etc globally writable

Suricata IDS alerts for network traffic

Uses known network protocols on non-standard ports

Yara detected Gafgyt

Yara detected Mirai

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/1e9eb027d920ff43990e78a73cd9ccd1ce8e1f13f0f0de2d92001533389c96ca

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1e9eb027d920ff43990e78a73cd9ccd1ce8e1f13f0f0de2d92001533389c96ca/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/1e9eb027d920ff43990e78a73cd9ccd1ce8e1f13f0f0de2d92001533389c96ca

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=d2plaj6zed7uhgiopcttzwom2hhi4hyt6dyn4lmsaaktgoe4s3fa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:lzrd

Link:

https://tria.ge/reports/251203-f3tsaafj5v/

Malware Config

C2 Extraction:

draft21.redirectme.net

Verdict:

Malicious

Tags:

trojan gafgyt Unix.Trojan.Mirai-7100807-0

YARA:

Linux_Trojan_Gafgyt_28a2fe0c Linux_Gafgyt_May_2024

Link:

https://app.threat.zone/submission/42c540f0-2e88-4d7c-acbd-9b73a8c74221

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/1e9eb027d920ff43990e78a73cd9ccd1ce8e1f13f0f0de2d92001533389c96ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CVE_2017_17215 Create hunting rule
Author:	NDA0E
Description:	Detects exploitation attempt of CVE-2017-17215

Rule name:	ELF_Mirai Create hunting rule
Author:	NDA0E
Description:	Detects multiple Mirai variants

Rule name:	iot_req_metachar Create hunting rule

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Linux_Generic_Threat_1ac392ca Create hunting rule
Author:	Elastic Security

Rule name:	Linux_Generic_Threat_d94e1020 Create hunting rule
Author:	Elastic Security

Rule name:	Linux_Trojan_Gafgyt_28a2fe0c Create hunting rule
Author:	Elastic Security

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 7146976b9d57b28c612bbd667a89895ee9a67dabefc88eb7df149955e3c1b77e

Mirai

elf 1e9eb027d920ff43990e78a73cd9ccd1ce8e1f13f0f0de2d92001533389c96ca

(this sample)

Dropped by

SHA256 7146976b9d57b28c612bbd667a89895ee9a67dabefc88eb7df149955e3c1b77e

URLhaus

https://urlhaus.abuse.ch/url/3723396/

Delivery method

Distributed via web download

Dropped by

MD5 97b148911789fc90ef56220acb110fc8

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample