MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d7aad4cd9f534449106df11d19e3aed6a65db961acdd232885aee5cde939131. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d7aad4cd9f534449106df11d19e3aed6a65db961acdd232885aee5cde939131
SHA3-384 hash: 0d2065718b503a313181d1d0a805a87305a1d31fe56be35a072efbf044d6619be3acc00c2d4b4bfb2293d60004859dc4
SHA1 hash: 7ba305bfd44d8a48136b12601cb79fac46134627
MD5 hash: 5912a2cca11d4aad7350dc2d9c216411
humanhash: vegan-september-lake-mississippi
File name:Yboats.x86
Download: download sample
Signature Mirai
Create hunting rule
File size:43'424 bytes
First seen:2025-12-03 07:29:01 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 768:6ryy1i4WU+3HDWPlgz2E4W/b7BuffXBmaXzOJmv81r3tauu0p+NlnbcuyD7UVyq+:6Z10lqP3EtUnBmaF81rsN0inouy8sq+
TLSH T1A013F1A0C3F955D9C4A9C13714EF3F095209730DCE4209F0AA5977FD288AB706E29BE5
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai UPX
File size (compressed) :43'424 bytes
File size (de-compressed) :112'016 bytes
Format:linux/i386
Unpacked file: f3d62ef5384d652eada72ac38603793a332e7ae74def72f6d20c5c5afe6e87df

Intelligence

File Origin
# of uploads :
1
# of downloads :
19
Origin country :
DE DE
Vendor Threat Intelligence
Details
No details
Detection(s):
Unix.Trojan.Mirai-7669677-0
Create hunting rule

Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
masquerade mirai obfuscated packed upx
Link:
https://www.filescan.io/uploads/692fe6c8ddcd694c78ba09ea/reports/b2a8aafb-f7ac-470c-a59d-19af4c26f0b8/overview
Result
Gathering data
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d365b800-6218-4434-b109-8b3a67255277
Result
Threat name:
Mirai, Okiru
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1825127
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample is packed with UPX
Yara detected Mirai
Yara detected Okiru
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1825127 Sample: Yboats.x86.elf Startdate: 03/12/2025 Architecture: LINUX Score: 96 20 Malicious sample detected (through community Yara rule) 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 Yara detected Okiru 2->24 26 2 other signatures 2->26 7 Yboats.x86.elf 2->7         started        process3 signatures4 28 Sample deletes itself 7->28 10 Yboats.x86.elf 7->10         started        process5 process6 12 Yboats.x86.elf 10->12         started        14 Yboats.x86.elf 10->14         started        16 Yboats.x86.elf 10->16         started        18 24 other processes 10->18
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/2d7aad4cd9f534449106df11d19e3aed6a65db961acdd232885aee5cde939131
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2d7aad4cd9f534449106df11d19e3aed6a65db961acdd232885aee5cde939131/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-12-03 06:41:07 UTC
File Type:
ELF32 Little (Exe)
AV detection:
16 of 36 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fv5k2tgz6u2ejeig34i5dhr25vvglw4wdlg5emuillxfzxutseyq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:unstable botnet defense_evasion discovery linux upx
Link:
https://tria.ge/reports/251203-jbbn6strg1/
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
Enumerates active TCP sockets
Writes file to system bin folder
Deletes itself
Modifies Watchdog functionality
Contacts a large (1322533) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Malware Config
C2 Extraction:
cnc.504.su
scan.504.su
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/2d7aad4cd9f534449106df11d19e3aed6a65db961acdd232885aee5cde939131

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 99bff4adcb1e047daa826367b3fa3a69d6fe84fb4f0127f3e5c90a9388d80f62

Mirai

elf 2d7aad4cd9f534449106df11d19e3aed6a65db961acdd232885aee5cde939131

(this sample)

Mirai

elf f3d62ef5384d652eada72ac38603793a332e7ae74def72f6d20c5c5afe6e87df

  
URLhaus
https://urlhaus.abuse.ch/url/3723980/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 f3d62ef5384d652eada72ac38603793a332e7ae74def72f6d20c5c5afe6e87df
  
Dropping
MD5 902bda20bdb73eff9af9681b7f3028c5
  
Dropped by
SHA256 99bff4adcb1e047daa826367b3fa3a69d6fe84fb4f0127f3e5c90a9388d80f62
  
Dropped by
MD5 3f92ddaee606ddf5805eb0d2a438a714
  
Dropped by
SHA256 f0b29a983f8d41bd63c41107323a1a918d4d47360f230175532b9ed525c3e178
  
Dropped by
MD5 44185e737bd0a9cece293d99cb3cffdd
  
Dropped by
SHA256 32d5fe27db7b7cced757e91fc8401bf629969899bfff8cd384465cfee46b9b4c
  
Dropped by
MD5 c893554f905afdf8348f6ca88fd98e2e
  
Dropped by
SHA256 10fc366fd3891698f918a76feadf8e07142464719d1cc208dd920d2cf9038257
  
Dropped by
MD5 c3f01ae4acd98f296bf4905280a2d309
  
Dropped by
SHA256 96bea289c70ea1155d29201859ea4768fb7b51bed3f5e4b38a8c248715e0461d
  
Dropped by
MD5 1c0b36b05f0aef5fbc479767e86c85bd
  
Dropped by
SHA256 6c6909c66d9ca8f198c199c18b583793347102a3ac0ba030a6716462a37deca3
  
Dropped by
MD5 9561ef4fe783cc9bafac52ce30bb85e7
  
URLhaus
https://urlhaus.abuse.ch/url/3669717/
  
URLhaus
https://urlhaus.abuse.ch/url/3669705/
  
URLhaus
https://urlhaus.abuse.ch/url/3669701/
  
URLhaus
https://urlhaus.abuse.ch/url/3669694/
  
URLhaus
https://urlhaus.abuse.ch/url/3669696/
  
URLhaus
https://urlhaus.abuse.ch/url/3669726/
  
URLhaus
https://urlhaus.abuse.ch/url/3669713/
  
URLhaus
https://urlhaus.abuse.ch/url/3669697/
  
URLhaus
https://urlhaus.abuse.ch/url/3669690/
  
Dropped by
SHA256 db1e13252b2ac9000b3c34ddd1886e09bb76c27bebc01037a87ef057a8c8d0c0
  
Dropped by
MD5 f15deb99c7e9dd74d4086de7d7b5d3fe
  
Dropped by
SHA256 5d526cd9fd62c839bdff20cab24c804f2f35ad47d62c11564a494447c59e906f
  
Dropped by
MD5 0c9d31badc240f3ed1123523974deb83
  
Dropped by
SHA256 e05b8bcdc18cd00ab479cf0ae1255b41110c1c913b3415dc7063c480aa0e1de8
  
Dropped by
MD5 8df057f6765f2003deaa84e7c953414d
  
URLhaus
https://urlhaus.abuse.ch/url/3669708/
  
URLhaus
https://urlhaus.abuse.ch/url/3669709/
  
URLhaus
https://urlhaus.abuse.ch/url/3669727/
  
URLhaus
https://urlhaus.abuse.ch/url/3669707/

Comments