MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ba5a553b3698e2c8ebf221d3d8f5eafb119136567abee4c0e86bb76b89b9b71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash: 2ba5a553b3698e2c8ebf221d3d8f5eafb119136567abee4c0e86bb76b89b9b71
SHA3-384 hash: cbc99d2c18a2eaeac45126f0256561fd3dca6d12a55d1c43b274921fd0ca790d52351ca22b2fc75066b161360acd3088
SHA1 hash: 51920182f4104e89a57152a6f643b04b6d8690cd
MD5 hash: f872c1f46fbc3e306b07926d43410872
humanhash: ack-fourteen-pizza-mirror
File name:ecco.ppc
Download: download sample
Signature Mirai
File size:253'504 bytes
First seen:2025-12-04 21:18:22 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:fEfOoVI8fIGcbMv7AEoYZUMxPe6TYIjjZ3BBa/X6hh1RnW9/:fEfOoVmgT1FxPe6TYIjj1BwUnWZ
TLSH T1CB445A02B72C4947E1D31EF4373F57E1A7EFD98220A0B641399F9A498176E370989EC9
Magika elf
Reporter abuse_ch
Tags:elf gafgyt mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 068c807168cd98fc8868d0c22b38ad59c00b17c2775e2ad01c39c88e610cd572
File size (compressed) :82'120 bytes
File size (de-compressed) :253'504 bytes
Format:linux/ppc32
Packed file: 068c807168cd98fc8868d0c22b38ad59c00b17c2775e2ad01c39c88e610cd572

Intelligence


File Origin
# of uploads :
1
# of downloads :
113
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.29325.LC.Pl.UNOFFICIAL
SecuriteInfo.com.Linux.Mirai-81.UNOFFICIAL
Sanesecurity.Malware.29524.LC.UNOFFICIAL
Sanesecurity.Malware.30395.LC.UNOFFICIAL
Sanesecurity.Malware.30435.LC.UNOFFICIAL
SecuriteInfo.com.Linux.Siggen.9999-6.UNOFFICIAL
Sanesecurity.Malware.29001.LCM.UNOFFICIAL
Unix.Trojan.Mirai-7100807-0
Unix.Dropper.Mirai-7135870-0
Unix.Dropper.Mirai-7135881-0
Unix.Dropper.Mirai-7135897-0
Unix.Dropper.Mirai-7135901-0
Unix.Dropper.Mirai-7135909-0
Unix.Trojan.Mirai-7135916-0
Unix.Dropper.Mirai-7135918-0
Unix.Dropper.Mirai-7135954-0
Unix.Dropper.Mirai-7135957-0
Unix.Dropper.Mirai-7135996-0
Unix.Dropper.Mirai-7136013-0
Unix.Dropper.Mirai-7136016-0
Unix.Dropper.Mirai-7136017-0
Unix.Dropper.Mirai-7136028-0
Unix.Dropper.Mirai-7136033-0
Unix.Dropper.Mirai-7136057-0
Unix.Trojan.Mirai-8025795-0
Unix.Trojan.Mirai-9441505-0
Unix.Trojan.Mirai-9807962-0
Unix.Trojan.Mirai-9808381-0
Unix.Trojan.Mirai-9858729-0
Unix.Trojan.Mirai-9940367-0
Unix.Dropper.Mirai-9977145-0
Unix.Dropper.Mirai-10007027-0
Unix.Trojan.Mirai-10009361-0
Unix.Trojan.Mirai-10011027-0
Unix.Trojan.Mirai-10011918-0
Unix.Trojan.Mirai-10012200-0
Unix.Trojan.Mirai-10012201-0
Unix.Trojan.Mirai-10012671-0
Unix.Trojan.Mirai-10058414-0
Unix.Packed.Botnet-6566031-0
Unix.Dropper.Botnet-6566040-0
Unix.Trojan.Gafgyt-6748839-0
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2025-12-04T17:32:00Z UTC
Last seen:
2025-12-04T19:53:00Z UTC
Hits:
~10
Result
Threat name:
Mirai, Gafgyt
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Deletes system log files
Detected Mirai
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Malicious sample detected (through community Yara rule)
Manipulation of devices in /dev
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Suricata IDS alerts for network traffic
Uses known network protocols on non-standard ports
Yara detected Gafgyt
Yara detected Mirai
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1826821 Sample: ecco.ppc.elf Startdate: 04/12/2025 Architecture: LINUX Score: 100 85 91.197.100.46 ZIM_INTEGRATED_SHIPING_SERVICES_COMPANYIL Israel 2->85 87 60.193.250.217 XEPHIONNTT-MECorporationJP Japan 2->87 89 99 other IPs or domains 2->89 99 Suricata IDS alerts for network traffic 2->99 101 Malicious sample detected (through community Yara rule) 2->101 103 Antivirus detection for dropped file 2->103 105 6 other signatures 2->105 12 dash rm ecco.ppc.elf 2->12         started        14 dash rm 2->14         started        16 dash tr 2->16         started        18 7 other processes 2->18 signatures3 process4 process5 20 ecco.ppc.elf 12->20         started        process6 22 ecco.ppc.elf 20->22         started        file7 81 /etc/init.d/sysd, POSIX 22->81 dropped 109 Sample tries to set files in /etc globally writable 22->109 111 Drops files in suspicious directories 22->111 113 Sample tries to persist itself using System V runlevels 22->113 26 ecco.ppc.elf 22->26         started        28 ecco.ppc.elf 22->28         started        31 ecco.ppc.elf sh 22->31         started        signatures8 process9 file10 33 ecco.ppc.elf 26->33         started        35 ecco.ppc.elf sh 26->35         started        37 ecco.ppc.elf 26->37         started        45 4 other processes 26->45 83 /usr/Bin), ELF 28->83 dropped 39 ecco.ppc.elf sh 28->39         started        41 ecco.ppc.elf 28->41         started        43 sh cp 31->43         started        process11 signatures12 62 848 other processes 33->62 48 sh crontab 35->48         started        52 sh 35->52         started        54 ecco.ppc.elf 37->54         started        64 3 other processes 37->64 56 sh crontab 39->56         started        58 sh 39->58         started        66 120 other processes 41->66 115 Manipulation of devices in /dev 45->115 60 ecco.ppc.elf 45->60         started        process13 file14 75 /var/spool/cron/crontabs/tmp.llKQth, ASCII 48->75 dropped 68 sh crontab 52->68         started        91 Deletes system log files 54->91 77 /var/spool/cron/cr...mp.LPGirI (deleted), ASCII 56->77 dropped 79 /dev/null (deleted), ASCII 56->79 dropped 93 Manipulation of devices in /dev 56->93 95 Sample tries to persist itself using cron 56->95 97 Executes the "crontab" command typically for achieving persistence 56->97 71 sh crontab 58->71         started        73 ecco.ppc.elf 64->73         started        signatures15 process16 signatures17 107 Executes the "crontab" command typically for achieving persistence 68->107
Threat name:
Linux.Backdoor.Gafgyt
Status:
Malicious
First seen:
2025-12-04 21:19:18 UTC
File Type:
ELF32 Big (Exe)
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:mirai botnet:lzrd linux
Verdict:
Malicious
Tags:
trojan gafgyt Unix.Trojan.Mirai-7100807-0
YARA:
Linux_Trojan_Gafgyt_28a2fe0c Linux_Gafgyt_May_2024
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CVE_2017_17215
Author:NDA0E
Description:Detects exploitation attempt of CVE-2017-17215
Rule name:ELF_Mirai
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:iot_req_metachar
Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Generic_Threat_1ac392ca
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_28a2fe0c
Author:Elastic Security
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 2ba5a553b3698e2c8ebf221d3d8f5eafb119136567abee4c0e86bb76b89b9b71

(this sample)

  
Delivery method
Distributed via web download

Comments