MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2050a018b4c7bb059e8b470a7eef39855953b3fb2ea3998dbde799a37d1dfa77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2050a018b4c7bb059e8b470a7eef39855953b3fb2ea3998dbde799a37d1dfa77
SHA3-384 hash: 26d89c823c2f4309a4e71a9937e7f8040d1381a095c77774b643bdedf2af74566d89734ac71f20202f51e1a5e29aad99
SHA1 hash: 28219b778e8e04764b2a9e781a1bba5e85ddf943
MD5 hash: ce4499b3a012641c103066f1b794c8df
humanhash: angel-lake-tennessee-mississippi
File name:mips
Download: download sample
Signature Mirai
Create hunting rule
File size:256'516 bytes
First seen:2026-01-09 01:34:48 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 6144:mEpXwDAJtIFq5rCwds873U16ELa8c/PoBwRDbB7:mEpXhrA6hl
TLSH T19044C70E6F228F3DF7A8873457B78E24A75D23D626E1D585D1ACD2015E6028E241FFB8
telfhash t11f4190180e7417e4a3656c4d49adff76d6a320db7e162c378e11e85aeb69b835d10c0c
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 fc11f086201b6750d4c2ab4238c5bf1070148ff76f47f0b9b72186a44cae8fdc
File size (compressed) :77'880 bytes
File size (de-compressed) :256'516 bytes
Format:linux/mips
Packed file: fc11f086201b6750d4c2ab4238c5bf1070148ff76f47f0b9b72186a44cae8fdc

Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Mirai
Details
Mirai
an XOR decryption key and at least a c2 socket address
Link:
https://research.acce.ciphertechsolutions.com/results/dd71b905-0f96-41a3-9420-ac78532c3ce2/
Detection(s):
Sanesecurity.Malware.30435.LC.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Siggen.9999-6.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-7100807-0
Create hunting rule

Unix.Trojan.Mirai-7135916-0
Create hunting rule

Unix.Dropper.Mirai-7136016-0
Create hunting rule

Unix.Trojan.Mirai-8025795-0
Create hunting rule

Unix.Trojan.Mirai-8041698-0
Create hunting rule

Unix.Trojan.Mirai-9441505-0
Create hunting rule

Unix.Trojan.Mirai-10056463-0
Create hunting rule

Unix.Trojan.Mirai-10059006-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Kills processes
Sends data to a server
Launching a process
Receives data from a server
Manages services
Creating a file
Runs as daemon
Sets a written file as executable
Opens a port
DNS request
Substitutes an application name
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
bash gafgyt lolbin mirai obfuscated obfuscated
Link:
https://www.filescan.io/uploads/69605b7530368802bb7ccbed/reports/ac28dacb-c4c8-447f-84f5-a0816250e29d/overview
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2026-01-08T22:52:00Z UTC
Last seen:
2026-01-08T23:29:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Linux.Gafgyt.bj HEUR:Backdoor.Linux.Mirai.r HEUR:Backdoor.Linux.Mirai.cw HEUR:Backdoor.Linux.Mirai.b HEUR:Backdoor.Linux.Gafgyt.bl
Link:
https://opentip.kaspersky.com/2050a018b4c7bb059e8b470a7eef39855953b3fb2ea3998dbde799a37d1dfa77/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/087a11a3-c07d-492c-a0cf-05cdacd47f18
Behavior Graph:
Download SVG
%3 guuid=0e5e16e8-2000-0000-3f41-02f02b0a0000 pid=2603 /usr/bin/sudo guuid=056a27ea-2000-0000-3f41-02f0320a0000 pid=2610 /tmp/sample.bin guuid=0e5e16e8-2000-0000-3f41-02f02b0a0000 pid=2603->guuid=056a27ea-2000-0000-3f41-02f0320a0000 pid=2610 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/65d68899-ac45-4c3d-8fd6-4fb74a53affd
Result
Threat name:
Gafgyt
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1847010
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1847010 Sample: mips.elf Startdate: 09/01/2026 Architecture: LINUX Score: 80 35 169.254.169.254, 80 USDOSUS Reserved 2->35 37 teamc2.duckdns.org 151.242.30.13, 12121, 56254 RASANAIR Iran (ISLAMIC Republic Of) 2->37 39 4 other IPs or domains 2->39 41 Found malware configuration 2->41 43 Antivirus detection for dropped file 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 2 other signatures 2->47 8 mips.elf 2->8         started        11 python3.8 dpkg 2->11         started        13 dash rm 2->13         started        15 2 other processes 2->15 signatures3 process4 file5 33 /usr/local/bin/infinitd, ELF 8->33 dropped 17 mips.elf sh 8->17         started        19 mips.elf sh 8->19         started        21 mips.elf 8->21         started        23 2 other processes 8->23 process6 process7 25 sh systemctl 17->25         started        27 sh systemctl 19->27         started        29 mips.elf 21->29         started        31 mips.elf 21->31         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/2050a018b4c7bb059e8b470a7eef39855953b3fb2ea3998dbde799a37d1dfa77
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2050a018b4c7bb059e8b470a7eef39855953b3fb2ea3998dbde799a37d1dfa77/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/2050a018b4c7bb059e8b470a7eef39855953b3fb2ea3998dbde799a37d1dfa77
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-09 01:35:53 UTC
File Type:
ELF32 Big (Exe)
AV detection:
16 of 36 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ebikagfuy65qlhuli4fh53zzqvmvhm73f2rztdn546m2g7i57j3q._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet defense_evasion discovery persistence privilege_escalation
Link:
https://tria.ge/reports/260109-bz5cdshw9f/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Reads system network configuration
Enumerates active TCP sockets
Modifies systemd
Write file to user bin folder
Writes file to system bin folder
Modifies Watchdog functionality
Mirai
Mirai family
Verdict:
Malicious
Tags:
Unix.Trojan.Mirai-7100807-0
YARA:
n/a
Link:
https://app.threat.zone/submission/13360d56-576d-4dbf-a4eb-8dfc57d9a6a8
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2050a018b4c7bb059e8b470a7eef39855953b3fb2ea3998dbde799a37d1dfa77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf fc11f086201b6750d4c2ab4238c5bf1070148ff76f47f0b9b72186a44cae8fdc

Mirai

elf 2050a018b4c7bb059e8b470a7eef39855953b3fb2ea3998dbde799a37d1dfa77

(this sample)

  
Dropped by
SHA256 fc11f086201b6750d4c2ab4238c5bf1070148ff76f47f0b9b72186a44cae8fdc
  
URLhaus
https://urlhaus.abuse.ch/url/3722805/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 a37b7e4e1bdbf4338168c6da3b878735
  
URLhaus
https://urlhaus.abuse.ch/url/3719334/
  
URLhaus
https://urlhaus.abuse.ch/url/3722823/

Comments