MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21ac5563cde511f024577ec38b888745db32793e8b7f54228d2c3cce67d0502c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21ac5563cde511f024577ec38b888745db32793e8b7f54228d2c3cce67d0502c
SHA3-384 hash: f466d4601c77a5d600a7da94f2965a4d6faaf7efa5283d46acc92d29809388a1098efb8737fc25d99650d08de1f63a99
SHA1 hash: 75cf998dfcdbd1b302ae8bdf02c86f08beaa8553
MD5 hash: 50a2b2fc38051ec4ab31caf390c1ec9c
humanhash: king-avocado-connecticut-neptune
File name:bot
Download: download sample
Signature Mirai
Create hunting rule
File size:3'678'832 bytes
First seen:2025-12-03 22:07:18 UTC
Last seen:Never
File type: elf
MIME type:application/x-sharedlib
ssdeep 98304:4db2OT1t9ROChzrH/lsY8vjUXIcDdFlUF:S2I1t9xluvjGRUF
TLSH T16E0633FCE138ED54E100B169636AE528E049D03A1DED7DF00B587B5AC73F225EEB2562
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf UPX
File size (compressed) :3'678'832 bytes
File size (de-compressed) :10'154'696 bytes
Format:linux/amd64
Unpacked file: f064d969f25f36a06133df0d61b93e403b724a5d1a1723688f1902f77a518b0d

Intelligence

File Origin
# of uploads :
1
# of downloads :
22
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/a38cdfd7-087b-45a2-8b74-7214a9e427ff/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Deleting a recently created file
Launching a process
Collects information on the CPU
Sets a written file as executable
Changes the time when the file was created, accessed, or modified
Opens a port
Creating a file
Locks files
Runs as daemon
Changes access rights for a written file
Manages services
Collects information on the OS
Kills processes
Creating a file in the %temp% directory
Substitutes an application name
Creates or modifies files in /cron to set up autorun
Loading a system driver
Creates or modifies files in /init.d to set up autorun
Creates or modifies files to set up autorun
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
miner monero packed upx xmrig
Link:
https://www.filescan.io/uploads/6930b4cdbba50eaf041fe52b/reports/6e0abb3b-7db2-477b-89b6-48fe4fad13d2/overview
Result
Gathering data
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ec7e1cf1-97e7-40e7-9d82-6d69d90a9b08
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.evad.mine
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1825897
Signature
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings related to Crypto-Mining
Malicious sample detected (through community Yara rule)
Sample is packed with UPX
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1825897 Sample: bot.elf Startdate: 03/12/2025 Architecture: LINUX Score: 84 92 169.254.169.254, 80 USDOSUS Reserved 2->92 94 195.24.237.46, 4000, 54118, 54122 NTI-AS9MaiBlocB11ScaraDEtaj2Ap67RO Romania 2->94 96 3 other IPs or domains 2->96 100 Malicious sample detected (through community Yara rule) 2->100 102 Found strings related to Crypto-Mining 2->102 104 Sample is packed with UPX 2->104 12 bot.elf 2->12         started        14 dash rm 2->14         started        16 dash rm 2->16         started        18 6 other processes 2->18 signatures3 process4 process5 20 bot.elf 12->20         started        file6 84 /etc/init.d/systemhelper, POSIX 20->84 dropped 86 /etc/cron.d/systemhelper, ASCII 20->86 dropped 88 /etc/cron.d/syshelper, ASCII 20->88 dropped 90 /tmp/docker-daemon, ELF 20->90 dropped 108 Drops files in suspicious directories 20->108 110 Sample reads /proc/mounts (often used for finding a writable filesystem) 20->110 112 Sample tries to persist itself using cron 20->112 24 bot.elf sh 20->24         started        26 bot.elf sh 20->26         started        28 bot.elf sh 20->28         started        30 31 other processes 20->30 signatures7 process8 signatures9 33 sh ufw 24->33         started        35 sh ufw 26->35         started        37 sh ufw 28->37         started        118 Sample tries to kill multiple processes (SIGKILL) 30->118 39 sh systemctl 30->39         started        41 sh crontab 30->41         started        44 sh iptables 30->44         started        46 12 other processes 30->46 process10 signatures11 59 11 other processes 33->59 48 ufw iptables 35->48         started        51 ufw iptables 35->51         started        53 ufw iptables 35->53         started        61 3 other processes 35->61 55 ufw iptables 37->55         started        63 5 other processes 37->63 57 systemctl systemd-sysv-install 39->57         started        114 Executes the "crontab" command typically for achieving persistence 41->114 116 Executes the "iptables" command to insert, remove and/or manipulate rules 44->116 65 5 other processes 46->65 process12 signatures13 98 Executes the "iptables" command to insert, remove and/or manipulate rules 48->98 67 systemd-sysv-install update-rc.d 57->67         started        70 systemd-sysv-install update-rc.d 57->70         started        72 systemd-sysv-install getopt 57->72         started        74 ip6tables modprobe 59->74         started        76 service systemctl 65->76         started        78 service sed 65->78         started        process14 signatures15 106 Sample tries to persist itself using System V runlevels 67->106 80 update-rc.d systemctl 67->80         started        82 update-rc.d systemctl 70->82         started        process16
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/21ac5563cde511f024577ec38b888745db32793e8b7f54228d2c3cce67d0502c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21ac5563cde511f024577ec38b888745db32793e8b7f54228d2c3cce67d0502c/
Threat name:
Linux.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-03 22:08:16 UTC
File Type:
ELF64 Little (SO)
AV detection:
8 of 36 (22.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egwfky6n4ui7ajcxp3byxcehixnte6j6rn7viiunfq6m4z6qkawa._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig antivm defense_evasion discovery exection execution linux miner persistence privilege_escalation rootkit upx
Link:
https://tria.ge/reports/251203-11tpqahk7t/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads CPU attributes
UPX packed file
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Disables AppArmor
Disables SELinux
Enumerates running processes
Modifies init.d
Reads hardware information
Write file to user bin folder
Executes dropped EXE
Loads a kernel module
Modifies hosts file
Renames itself
Modifies the dynamic linker configuration file
XMRig Miner payload
Xmrig family
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 21ac5563cde511f024577ec38b888745db32793e8b7f54228d2c3cce67d0502c

(this sample)

Mirai

elf f064d969f25f36a06133df0d61b93e403b724a5d1a1723688f1902f77a518b0d

  
URLhaus
https://urlhaus.abuse.ch/url/3715325/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 f064d969f25f36a06133df0d61b93e403b724a5d1a1723688f1902f77a518b0d
  
Dropping
MD5 136d0a668e7e4b6dd88893bbb8f5533d

Comments