MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f27eeeff451657f192bc3221f997b7e34f96807474e12f5d47cabdfdbebb72f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai
Vendor detections: 11

SHA256 hash: 1f27eeeff451657f192bc3221f997b7e34f96807474e12f5d47cabdfdbebb72f
SHA3-384 hash: d3c630a85773945f1ee810cd985a1fd9de504de6dad487842bd96deeeed403fa6fa0517fe119cfe562690ffc19586ccc
SHA1 hash: 850f9634040bf564c36d950a11100e9665dfb3d2
MD5 hash: 10933a174d5b98819b4eb60d66daef91
humanhash: massachusetts-friend-four-lactose
File name: bolobotx86
Signature: Mirai
File size: 98'632 bytes
First seen: 2025-07-11 15:45:11 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 1536:fa4JEBgS53Xd2+vBpL7zDx+c94FXNtIsT1UKpq5Dc7UmN0fVcSIY6bp4S:fa4CBZ53Xd7vBpL7h+X255eUy0dZwH
TLSH: T1F9A36CC5FB43D4F5ED5706B1A137A7328732F43A112EEA83C7696E32AC91580E61A35C
telfhash: t1a25104f76eaa08e8b3d4a808c71e56d11a19d77b185036f245b3ad6523fbdc140bac35
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12); 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence

File Origin
# of uploads: 1
# of downloads: 15
Origin country: DE

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sends data to a server
Creating a file
Manages services
Sets a written file as executable
Changes the time when the file was created, accessed, or modified
Receives data from a server
Launching a process
Connection attempt
Changes access rights for a written file
DNS request
Runs as daemon
Substitutes an application name
Writes files to system directory
Creates or modifies files in /cron to set up autorun
Deletes a system binary file
Creates or modifies files in /init.d to set up autorun

Verdict: Unknown
Threat level: 0/10
Confidence: 100%
Tags: bash lolbin obfuscated remote

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: not packed
Botnet: 185.186.25.220
Number of open files: 56
Number of processes launched: 3
Processes remaining?: true
Remote TCP ports scanned: not identified

Behaviour
Persistence
Process Renaming

Botnet C2s
TCP botnet C2(s): type:Moobot 185.186.25.220:6996
UDP botnet C2(s): not identified
Status: terminated
Behavior Graph (rendered process graph, recovered as text):
  /usr/bin/sudo (pid 2811) execve -> /tmp/sample.bin (pid 2816) [delete-file, net]; connects to 8.8.8.8:53
    clone -> /tmp/sample.bin (pid 2817) [dns, net, send-data, write-config, write-file, zombie]; sends 30 B to 8.8.8.8:53 and 7 B to net.bolo.gay:6996
      clone -> /tmp/sample.bin (pid 2818)
      execve -> /usr/bin/dash (pids 2819, 2981, 2998, 3005, 3010, 3014, 3017, 3031, 3041, 3046); dash 2819 and 2981 execve /usr/bin/systemctl (pids 2821, 2982); dash 2998 clones two further dash processes (pids 2999, 3000); dash 3010, 3014, 3017, 3031, 3041 and 3046 each execve /usr/bin/cp (pids 3012, 3015, 3019, 3037, 3042, 3047)
  /usr/lib/systemd/systemd (pid 1) execve -> /tmp/sample.bin (pid 2992) [net]; connects to 8.8.8.8:53
    clone -> /tmp/sample.bin (pid 2994) [dns, net, send-data, write-config, write-file, zombie]; sends 360 B to 8.8.8.8:53 and 60 B to net.bolo.gay:6996
      clone -> /tmp/sample.bin (pid 2996)
      execve -> /usr/bin/dash (pids 2997, 3140, 3144, 3148, 3150, 3153, 3157, 3161, 3164, 3168); dash 2997 and 3140 execve /usr/bin/systemctl (pids 3001, 3141); dash 3144 clones two further dash processes (pids 3145, 3146); dash 3150, 3153, 3157, 3161, 3164 and 3168 each execve /usr/bin/cp (pids 3151, 3155, 3159, 3162, 3166, 3169)
Result
Threat name: Mirai, Okiru
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100

Signature
Contains VNC / remote desktop functionality (version string found)
Detected Mirai
Drops files in suspicious directories
Drops invisible ELF files
Executes the "crontab" command typically for achieving persistence
Malicious sample detected (through community Yara rule)
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Multi AV Scanner detection for submitted file
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Suricata IDS alerts for network traffic
Writes identical ELF files to multiple locations
Yara detected Mirai
Yara detected Okiru
Behaviour
Behavior Graph (rendered process graph, recovered as text; Behavior Graph ID 1733993, sample bolobotx86.elf, start date 11/07/2025, architecture LINUX, score 100):
  Network: net.bolo.gay resolving to 185.186.25.220 (ports 52028, 52030, 52032; ASGHOSTNETDE, Germany); 109.202.202.202:80 (INIT7CH, Switzerland); 3 other IPs or domains. Suricata IDS alerts raised on this traffic.
  Top-level processes: systemd -> bolobotx86.elf; bolobotx86.elf; systemd -> snapd-env-generator; 7 other processes.
  Each bolobotx86.elf instance spawns a further bolobotx86.elf instance, which drops /root/.bashrc (ASCII), /etc/rc.local (ASCII), /etc/profile (ASCII) and /etc/init.d/S99network (POSIX) and launches sh children (three named plus 8 other processes per instance).
  sh -> cp drops /usr/bin/networkd (ELF) and /usr/bin/netconfig (ELF); further child processes drop /var/tmp/.sys, /usr/sbin/network-service, /usr/sbin/netmgr and /tmp/.net (all ELF).
  sh -> crontab writes /var/spool/cron/crontabs/root, /var/spool/cron/crontabs/tmp.ilbAIq and /var/spool/cron/crontabs/tmp.gR3i0C (ASCII).
  sh -> systemctl -> systemd-sysv-install -> update-rc.d / getopt -> systemctl (System V runlevel persistence).
  Signatures attached to these nodes are the ones listed under Signature above (VNC / remote desktop version string, .bashrc modification, /etc/profile, cron and System V runlevel persistence, files in /etc set globally writable, suspicious directories, identical ELF files in multiple locations, invisible ELF files).
Threat name: Linux.Trojan.MiraiBotnet
Status: Malicious
First seen: 2025-07-11 14:10:16 UTC
File Type: ELF32 Little (Exe)
AV detection: 23 of 38 (60.53%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery execution linux persistence privilege_escalation stealer

Behaviour
Reads runtime system information
Writes file to tmp directory
Changes its process name
Modifies Bash startup script
Creates/modifies Cron job
Creates/modifies environment variables
Enumerates running processes
Modifies init.d
Modifies rc script
Modifies systemd
Write file to user bin folder
Writes file to system bin folder
Reads EFI boot settings

Verdict: Malicious
Tags: trojan gafgyt mirai Unix.Trojan.Mirai-9945193-0
YARA: Linux_Trojan_Gafgyt_5bf62ce4 Linux_Trojan_Gafgyt_ea92cca8 Linux_Trojan_Mirai_b14f4c5d Linux_Trojan_Mirai_5f7b67b8 Linux_Trojan_Mirai_88de437f Linux_Trojan_Mirai_ae9d0fa6 Linux_Trojan_Mirai_389ee3e9 Linux_Trojan_Mirai_cc93863b Linux_Trojan_Mirai_8aa7b5d3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202503_elf_Mirai
Author: abuse.ch
Description: Detects Mirai 'TSource' ELF files

Rule name: botnet_Yakuza
Author: NDA0E
Description: Yakuza botnet

Rule name: ELF_Mirai
Author: NDA0E
Description: Detects multiple Mirai variants

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: linux_generic_irc_catcher
Author: @_lubiedo
Description: Find new ELF IRC samples

Rule name: Linux_Generic_Threat_3bcc1630
Author: Elastic Security

Rule name: Linux_Trojan_Gafgyt_5bf62ce4
Author: Elastic Security

Rule name: Linux_Trojan_Gafgyt_ea92cca8
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_389ee3e9
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_5f7b67b8
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_88de437f
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_8aa7b5d3
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_ae9d0fa6
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_b14f4c5d
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_cc93863b
Author: Elastic Security

Rule name: Mal_LNX_Mirai_Botnet_ELF
Author: Phatcharadol Thangplub
Description: Used to detect the Mirai botnet and its variants.

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: Mirai
File type: elf
SHA256: 1f27eeeff451657f192bc3221f997b7e34f96807474e12f5d47cabdfdbebb72f (this sample)

Comments