MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2650570b3f9286d0dada93b01a0d5be74735b590d73d0f0b6943236e0cc1e989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2650570b3f9286d0dada93b01a0d5be74735b590d73d0f0b6943236e0cc1e989
SHA3-384 hash: 825eee41e328f8e3db3430b1ddfebb92450eb8dffcb3db44fb98e7ce62eb07720dd9b541716a568c075880bb4b982919
SHA1 hash: 7dca5c2029026b49a2915a76de1e5a47a149ac2d
MD5 hash: c864153bed0bb6a924cb702c4ca5e707
humanhash: speaker-mexico-river-skylark
File name:earyzq
Download: download sample
Signature Mirai
Create hunting rule
File size:168'199 bytes
First seen:2025-05-17 18:19:58 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:gbX63GA0Q24vM9RhR75hTzc4NCURxNKq+1kCFntn:0GGA0WUjb75hTg4UURxNKq+1kCFntn
TLSH T10AF3A6AA3A116FBAD2ACC6310BFB5B70D354259336E19761E29CD7081FB038C5D5E7A0
telfhash t1b021e243a5f68a2c6ff3597458bc06b11591a6237260af70ef1ec1805d37112b475e8b
Magika elf
Reporter abuse_ch
Tags:elf gafgyt mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.30395.LC.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.29001.LCM.UNOFFICIAL
Create hunting rule

Unix.Trojan.Gafgyt-6981154-0
Create hunting rule

Unix.Dropper.Mirai-7135946-0
Create hunting rule

Unix.Dropper.Mirai-7136011-0
Create hunting rule

Unix.Dropper.Mirai-7136029-0
Create hunting rule

Unix.Dropper.Mirai-7138855-0
Create hunting rule

Unix.Dropper.Mirai-7139223-0
Create hunting rule

Unix.Dropper.Mirai-7139232-0
Create hunting rule

Unix.Proxy.Mirai-7844054-0
Create hunting rule

Unix.Trojan.Mirai-8041698-0
Create hunting rule

Unix.Trojan.Mirai-9864781-0
Create hunting rule

Unix.Trojan.Gafgyt-9879277-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6828d39f375681df7c1a1ed2linux22vpnfull_triage
Tags:
gafgyt mirai ddos
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Deletes a file
Removes directories
Removes directories from a subdirectory of a temporary directory
Launching a process
Gains root access
Sends data to a server
Creating a file
Removes directories from a temporary directory
Substitutes an application name
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
gcc lolbin remote
Link:
https://www.filescan.io/uploads/6828d36dc609634bd7c70db7/reports/3f9eb199-683b-4a32-b7e1-2427b995ef60/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
mips
Packer:
not packed
Botnet:
unknown
Number of open files:
13
Number of processes launched:
18
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/2650570b3f9286d0dada93b01a0d5be74735b590d73d0f0b6943236e0cc1e989
Behaviour
Process Renaming
Firewall Changes
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/dfe0a7f3-7b5c-4b68-851d-cf4590ce1b96
Result
Threat name:
Gafgyt, Mirai
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1692994
Signature
Deletes all firewall rules
Found malware configuration
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample is potentially a Mirai botnet sample
Tries to stop the "iptables" service
Yara detected Gafgyt
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1692994 Sample: earyzq.elf Startdate: 17/05/2025 Architecture: LINUX Score: 96 72 45.125.33.82, 23966, 57400 ULAN-NETWORK-LIMITEDULanNetworkLimitedHK China 2->72 74 109.202.202.202, 80 INIT7CH Switzerland 2->74 76 2 other IPs or domains 2->76 84 Found malware configuration 2->84 86 Multi AV Scanner detection for submitted file 2->86 88 Yara detected Gafgyt 2->88 90 2 other signatures 2->90 13 earyzq.elf 2->13         started        15 dash rm 2->15         started        17 dash rm 2->17         started        signatures3 process4 process5 19 earyzq.elf 13->19         started        process6 21 earyzq.elf 19->21         started        process7 23 earyzq.elf 21->23         started        process8 25 earyzq.elf sh 23->25         started        27 earyzq.elf sh 23->27         started        29 earyzq.elf sh 23->29         started        31 10 other processes 23->31 process9 33 sh service systemctl 25->33         started        36 sh rm 27->36         started        38 sh iptables 29->38         started        40 sh service systemctl 31->40         started        42 sh rm 31->42         started        44 sh rm 31->44         started        46 7 other processes 31->46 signatures10 78 Tries to stop the "iptables" service 33->78 48 service 33->48         started        50 service basename 33->50         started        52 service basename 33->52         started        54 service systemctl 33->54         started        80 Sample deletes itself 36->80 82 Deletes all firewall rules 38->82 56 service 40->56         started        58 service basename 40->58         started        60 service basename 40->60         started        62 service systemctl 40->62         started        process11 process12 64 service systemctl 48->64         started        66 service sed 48->66         started        68 service systemctl 56->68         started        70 service sed 56->70         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/2650570b3f9286d0dada93b01a0d5be74735b590d73d0f0b6943236e0cc1e989
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2650570b3f9286d0dada93b01a0d5be74735b590d73d0f0b6943236e0cc1e989/
Threat name:
Linux.Trojan.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2025-05-17 18:20:29 UTC
File Type:
ELF32 Big (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ezifocz7skdnbww2soybudk345dtlnmq246q6c3jimrw4dgb5geq._file
Result
Malware family:
gafgyt
Create hunting rule
Score:
  10/10
Tags:
family:gafgyt defense_evasion discovery
Link:
https://tria.ge/reports/250517-wywdbayns6/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Reads CPU attributes
Enumerates running processes
Flushes firewall rules
Writes DNS configuration
Malware Config
C2 Extraction:
45.125.33.82:23966
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mirai
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/2650570b3f9286d0dada93b01a0d5be74735b590d73d0f0b6943236e0cc1e989

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Mirai
Create hunting rule
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Mal_LNX_Gafgyt_Botnet_ELF
Create hunting rule
Author:Phatcharadol Thangplub
Description:Use to detect Gafgyt botnet, and there variants.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh 07e264784f1de87ed958d458251a3810dc1a6fc7437cf234fcb0c574d261cee9

Mirai

elf 2650570b3f9286d0dada93b01a0d5be74735b590d73d0f0b6943236e0cc1e989

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3545832/
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 07e264784f1de87ed958d458251a3810dc1a6fc7437cf234fcb0c574d261cee9
  
Dropped by
MD5 a074ac485a1f04af0e9a0726fc0d164a
  
URLhaus
https://urlhaus.abuse.ch/url/3545840/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments