MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 296d6af5b711aada05ec72d517af8b677c32d4f894fda2934ad5289b7f671619. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mirai
Vendor detections: 8

SHA256 hash: 296d6af5b711aada05ec72d517af8b677c32d4f894fda2934ad5289b7f671619
SHA3-384 hash: 8a749b68f1d292fe80627cd841e026a5de2627d3d29ba8c03f8526f4fd8eb17f99ef43c54d1933decee1004abb871c68
SHA1 hash: 393f390a0bca8a019e273b848ceeff98356dbd70
MD5 hash: c166123a74bbec5ca38322fa51a26735
humanhash: august-bravo-edward-eight
File name: frost.x86
Signature: Mirai
File size: 87'264 bytes
First seen: 2025-11-08 02:38:15 UTC
Last seen: 2025-11-08 07:45:16 UTC
File type: elf
MIME type: application/x-sharedlib
ssdeep: 1536:XenS4WqqVzXfZ9fghZiIGehag+8LSaPu7orfFCdRiAt:XeSjqqVzXfZ9IhFGKag+8d
TLSH: T1C8834A84FB87E0F1F6A305F0061BE7AA5774AD185015FAA5FB0BBB797C322126D4621C
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai
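The fields above (hash set, "elf" / "application/x-sharedlib", the vendors' "elf.32.le", "x86" and "Packer: UPX" further down) can all be reproduced locally before a sample is uploaded. The script below is an added example for this entry, not code from MalwareBazaar or from any vendor on the page: it computes the same four digests, decodes the ELF identification bytes plus e_type and e_machine (e_type is the field libmagic uses to decide between "executable" and "shared object", which is where the SO / x-sharedlib label comes from), and looks for the "UPX!" l_magic marker that an unmodified UPX leaves in a packed file. It runs on a constructed in-memory byte string that mimics an ELF32 little-endian x86 header; the real sample is not embedded.

```python
"""Local pre-upload triage for an ELF sample: the hash set MalwareBazaar lists, the ELF
header fields behind the 'elf.32.le' / 'x86' / 'ELF32 Little (SO)' labels, and a check for
the marker stock UPX leaves in packed files.

Added example for this MalwareBazaar entry; not code from MalwareBazaar or from any vendor
listed on the page. It runs on a constructed in-memory byte string that mimics the header
layout of an ELF32 little-endian x86 file; the real sample is not embedded here."""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}   # ET_DYN is what libmagic reports as "shared object"
E_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def hashes(data: bytes) -> dict:
    """The same digest set this entry shows (MD5, SHA1, SHA256, SHA3-384)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def parse_elf_header(data: bytes) -> dict:
    """Decode e_ident plus e_type and e_machine.

    e_ident is byte-order independent; e_type/e_machine are read in the byte order that
    EI_DATA declares, so a big-endian MIPS build of the same family decodes correctly too."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # 1/2 = 32/64-bit, 1/2 = little/big endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed e_ident")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "le" if ei_data == 1 else "be",
        "e_type": E_TYPES.get(e_type, f"unknown({e_type})"),
        "e_machine": E_MACHINES.get(e_machine, f"unknown({e_machine})"),
    }


def upx_markers(data: bytes) -> list:
    """Offsets of the 'UPX!' l_magic that an unmodified UPX writes into a packed file.

    Absence proves nothing: Mirai builders routinely overwrite this marker so that
    'upx -d' refuses the file, which is why a sandbox 'Packer: UPX' verdict like the one
    on this page should be cross-checked against section layout or entropy."""
    offsets, pos = [], data.find(b"UPX!")
    while pos != -1:
        offsets.append(pos)
        pos = data.find(b"UPX!", pos + 1)
    return offsets


def triage(data: bytes) -> dict:
    """Everything above in one dict, keyed the way a triage note would list it."""
    marks = upx_markers(data)
    return {**hashes(data), **parse_elf_header(data),
            "upx_marker_offsets": marks, "upx_marker_present": bool(marks)}


def constructed_sample() -> bytes:
    """Constructed stand-in: ELF32 LE x86 ET_EXEC header followed by a UPX l_info marker."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8      # class=32, data=LE, version=1
    header_tail = struct.pack("<HHI", 2, 3, 1)                    # e_type=EXEC, e_machine=x86, e_version
    body = b"\x00" * 40 + b"UPX!" + b"\x0d\x0c\x0b\x0a" + b"\x00" * 20
    return e_ident + header_tail + body


if __name__ == "__main__":
    for key, value in triage(constructed_sample()).items():
        print(f"{key}: {value}")
```

Run it against a real file by replacing `constructed_sample()` with the file's bytes; if the marker is missing but the packer verdict says UPX, treat that as a sign the header was patched rather than as evidence the file is unpacked.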

Intelligence

File Origin
# of uploads: 4
# of downloads: 40
Origin country: DE

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness: (not captured)
Behaviour:
  Connection attempt
  Sends data to a server
  Receives data from a server
  Runs as daemon
  DNS request
  Substitutes an application name
  Deleting of the original file
  Gathering data

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: UPX
Botnet: unknown
Number of open files: 0
Number of processes launched: 3
Processes remaining?: true
Remote TCP ports scanned: 80
Behaviour: Process Renaming
Botnet C2s:
  TCP botnet C2(s): not identified
  UDP botnet C2(s): not identified

Verdict: Clean
File Type: elf.32.le
First seen: 2025-11-08T00:01:00Z UTC
Last seen: 2025-11-08T13:07:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
  pid 3655  /usr/bin/sudo
    execve -> pid 3666  /tmp/sample.bin  [delete-file]
      clone -> pid 3669  /tmp/sample.bin  [net, send-data, zombie]
        sends 55 B to 69.5.189.168:5555
        sends 27 B to 114.114.115.115:53 (DNS)
        clone -> pid 3826  /tmp/sample.bin  [net, net-scan, send-data, zombie]
          connects to 8.8.8.8:53 (DNS) and to 18.66.174.170:80
          sends 120-128 B probes to port 80 on, among others: 64.6.175.250, 184.72.150.199, 194.146.234.92, 34.111.158.140, 208.109.78.16, 156.234.10.155, 52.41.220.189, 220.185.184.76, 34.194.219.19, 70.32.91.234, 142.58.242.126, 190.24.45.70, 194.160.229.219, 52.92.137.249, 198.105.231.83, 216.80.74.20, 34.215.3.223, 36.10.200.21, 24.134.74.197, 18.172.218.87, 34.56.189.4, 184.29.118.61, 202.66.124.32, 148.135.16.250, 18.205.138.174, 72.192.224.39, 34.160.66.30
          sends 480 B to 166.104.105.166:80
          send-data to 4033 IP addresses in total (vendor note: review logs to see them all)

The port-80 destinations are sweep targets, not infrastructure. The only destination outside ports 53 and 80 is 69.5.189.168:5555, which this vendor nevertheless does not list as a C2, and its verdict above reads Clean even though its own trace records the sweep; neither the verdict nor the C2 field should be read in isolation.
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 48 / 100
Signatures:
  Performs DNS queries to domains with low reputation
  Sample deletes itself
Behaviour
Behavior Graph (ID 1810324; sample frost.x86.elf; start date 08/11/2025; architecture LINUX; score 48):
  frost.x86.elf (started)                 [Sample deletes itself]
    frost.x86.elf (started)
  dash rm (started)
  dash rm (started)
  DNS: mreow.xyz                          [Performs DNS queries to domains with low reputation]
  TCP: 66.88.72.71:80 (XO-AS15US United States)
  plus 99 other IPs or domains
Threat name: Linux.Trojan.Multiverze
Status: Malicious
First seen: 2025-11-08 02:39:23 UTC
File Type: ELF32 Little (SO)
AV detection: 13 of 38 (34.21%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion linux
Behaviour:
  Changes its process name
  Deletes itself
  Modifies Watchdog functionality
  Unexpected DNS network traffic destination
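Two of the behaviours listed just above, "Deletes itself" and "Changes its process name", leave host-side traces that can be checked on a suspect Linux box without any sandbox: once the running binary is unlinked the kernel appends " (deleted)" to /proc/<pid>/exe, and a prctl(PR_SET_NAME)-style rename makes /proc/<pid>/comm disagree with both argv[0] and the executable name. The script below is an added example for this entry, not code from MalwareBazaar or from any vendor on the page; the decision logic is a pure function exercised on constructed /proc values, and `scan_proc()` walks a live /proc (Linux only).

```python
"""Host-side check for two behaviours reported for this sample: the running process has
unlinked its own executable ("Deletes itself") and its kernel-visible name no longer matches
its command line ("Changes its process name").

Added example for this MalwareBazaar entry; not code from MalwareBazaar or from any vendor
listed here. The decision logic is a pure function so it can be exercised on constructed
inputs; scan_proc() walks a live /proc and is Linux-only."""
import os

TMP_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")


def classify_process(exe_target: str, comm: str, cmdline: list) -> list:
    """Return the findings for one process, in a fixed order.

    exe_target: readlink of /proc/<pid>/exe; the kernel appends ' (deleted)' once the
                file backing the main mapping has been unlinked.
    comm:       /proc/<pid>/comm, the name prctl(PR_SET_NAME) sets (at most 15 bytes).
    cmdline:    NUL-split /proc/<pid>/cmdline, which a process can overwrite in place."""
    findings = []
    deleted = exe_target.endswith(" (deleted)")
    if deleted:
        findings.append("exe-unlinked")
    exe_path = exe_target[: -len(" (deleted)")] if deleted else exe_target
    if exe_path.startswith(TMP_PREFIXES):
        findings.append("exe-in-tmp")
    if cmdline and comm:
        argv0 = os.path.basename(cmdline[0])
        exe_name = os.path.basename(exe_path)
        # comm is truncated to 15 bytes, so compare prefixes. A login shell ("-bash") or an
        # interpreter still matches on the exe name; a renamed Mirai process matches neither.
        if comm[:15] not in (argv0[:15], exe_name[:15]):
            findings.append("comm-mismatch")
    return findings


def scan_proc(proc_root: str = "/proc") -> dict:
    """Walk proc_root and return {pid: findings} for every process with at least one finding.

    Processes that exit mid-scan, kernel threads (empty cmdline, unreadable exe) and other
    users' processes when not running as root are skipped rather than reported."""
    results = {}
    if not os.path.isdir(proc_root):
        return results
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue
        findings = classify_process(exe, comm, cmdline)
        if findings:
            results[int(entry)] = findings
    return results


if __name__ == "__main__":
    # Constructed /proc values for a process behaving like the sample described above.
    print(classify_process("/tmp/frost.x86 (deleted)", "hgkdjfxq", ["qzmvlrpa"]))
    for pid, findings in sorted(scan_proc().items()):
        print(pid, findings)
```

An "exe-unlinked" finding on its own is also what a daemon looks like after its package was upgraded underneath it, so on a real host the three findings together, or "exe-unlinked" combined with "exe-in-tmp", are the combinations worth acting on.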
Verdict: Unknown
Tags: botnet persirai trojan
YARA: Persirai elf_persirai_w0

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: elf_persirai_w0
Author: Tim Yeh
Description: Detects Persirai Botnet Malware
Reference: Internal Research

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Mirai  elf  296d6af5b711aada05ec72d517af8b677c32d4f894fda2934ad5289b7f671619  (this sample)

Delivery method: Distributed via web download

Comments