MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20ea0bb5d211ebd39c76d3b6c905921d4aae19b35b647a920b23bd1cbdaa9b56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash: 20ea0bb5d211ebd39c76d3b6c905921d4aae19b35b647a920b23bd1cbdaa9b56
SHA3-384 hash: 1aa9325b31b2c3b1ee58a2c4bd34897994770e9a6a3049f6c73580a64333dc27d042e503eed950024ce09ce7f149f719
SHA1 hash: d3a8238d8345b5e3b91a0c682f86ceca1d643a4a
MD5 hash: 40e0e35cbfff20835e859fce48a54353
humanhash: mobile-social-network-georgia
File name:6Peh
Download: download sample
Signature Mirai
File size:101'436 bytes
First seen:2026-06-19 09:07:46 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:hSf6NIYdBcoqXbF2xDUNkZfHKj25CuXwgIWL2mwfrmt7Tjs1UPw8kaXJaf4tdt99:JIYtdnP7T2szIfoB9gIZnN5
TLSH T193A3C80F7F61ABACF3B8863497B34A709A8832D126D5C184F5ACD7083D7424E591F7A9
telfhash t19d31050a487802f4e7b10e895eeefb31e0a174db3a155d378e10fd9aee1d9818e10c1c
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence


File Origin
# of uploads :
1
# of downloads :
72
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Runs as daemon
Collects information on the network activity
Sends data to a server
Receives data from a server
Connection attempt
Collects information on the CPU
Kills processes
Collects information on the OS
Collects information on the RAM
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2026-06-19T07:23:00Z UTC
Last seen:
2026-06-21T07:09:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
%3 guuid=34dd7517-1f00-0000-fbcf-eb1140140000 pid=5184 /usr/bin/sudo guuid=2f455a19-1f00-0000-fbcf-eb1141140000 pid=5185 /tmp/sample.bin guuid=34dd7517-1f00-0000-fbcf-eb1140140000 pid=5184->guuid=2f455a19-1f00-0000-fbcf-eb1141140000 pid=5185 execve
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.evad
Score:
48 / 100
Signature
Sample deletes itself
Sample tries to kill multiple processes (SIGKILL)
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1930950 Sample: 6Peh.elf Startdate: 19/06/2026 Architecture: LINUX Score: 48 37 129.121.114.124, 234, 41898 ORACLE-BMC-31898-OracleCorporationUS United States 2->37 39 109.202.202.202, 80 INIT7CH Switzerland 2->39 41 4 other IPs or domains 2->41 9 6Peh.elf 2->9         started        11 dash rm 2->11         started        13 dash rm 2->13         started        process3 process4 15 6Peh.elf 9->15         started        process5 17 6Peh.elf 15->17         started        signatures6 43 Sample tries to kill multiple processes (SIGKILL) 17->43 20 6Peh.elf 17->20         started        23 6Peh.elf 17->23         started        25 6Peh.elf 17->25         started        27 4 other processes 17->27 process7 signatures8 45 Sample tries to kill multiple processes (SIGKILL) 20->45 47 Sample deletes itself 20->47 29 6Peh.elf exe 23->29         started        31 6Peh.elf exe 25->31         started        33 6Peh.elf exe 27->33         started        35 6Peh.elf exe 27->35         started        process9
Threat name:
Linux.Backdoor.Mirai
Status:
Malicious
First seen:
2026-06-19 09:09:05 UTC
File Type:
ELF32 Big (Exe)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  6/10
Tags:
antivm defense_evasion discovery
Behaviour
Reads runtime system information
Checks CPU configuration
Enumerates running processes
Reads hardware information
Reads list of loaded kernel modules
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 20ea0bb5d211ebd39c76d3b6c905921d4aae19b35b647a920b23bd1cbdaa9b56

(this sample)

  
Delivery method
Distributed via web download

Comments