MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d8fea0d43cdd0c083cf4d94267390fb91e82fc95af76865051f6d1d1214424e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d8fea0d43cdd0c083cf4d94267390fb91e82fc95af76865051f6d1d1214424e
SHA3-384 hash: 573891dc95643738bde1e9940aa4df736bafaf98fe8ea5e3e3b2418f67e728206627de93c6d7a42bc9d23e4f82bb5ce9
SHA1 hash: cbd31a6de793e71a9d35553bc24f4d3d707d9e21
MD5 hash: ccfb12730ec7c922964da7217c9bd578
humanhash: tennessee-papa-enemy-hydrogen
File name:miori.x86
Download: download sample
Signature Mirai
Create hunting rule
File size:37'888 bytes
First seen:2025-01-07 21:16:47 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 768:5owKAbat+M1qtcbwRWSil7goQc7O0z25EInZXA2pw:OZaYwRr7Bc7O225Ecxpw
TLSH T1F003F90328A580FCC85AC7705B7FB52BC633B57D1535F68973D47E22AA4BE321E1A909
telfhash t14111c2f0b5617cc066c37522738dd7a1c4be5a38646235eeeaa0a4e14b76b810e65c33
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
142
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Unix.Trojan.Mirai-9866553-0
Create hunting rule

Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=677d9b16c029bd73f285ffaalinux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Runs as daemon
Connection attempt
Receives data from a server
Opens a port
Sends data to a server
Kills processes
Substitutes an application name
Kills critical processes
Performs a bruteforce attack in the network
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
anti-debug masquerade
Link:
https://www.filescan.io/uploads/677d99ce5fa77d8e98ac9f58/reports/ed954ff1-a238-4f7a-95b0-dd38825e661f/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
8
Number of processes launched:
4
Processes remaning?
true
Remote TCP ports scanned:
2323,23
Full report:
https://elfdigest.com/brief/2d8fea0d43cdd0c083cf4d94267390fb91e82fc95af76865051f6d1d1214424e
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
type:Mirai 79.124.60.186:3277
UDP botnet C2(s):
not identified
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ac03d65-fdb8-4c07-896f-a6569d56c741
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1585607
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample tries to kill multiple processes (SIGKILL)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1585607 Sample: miori.x86.elf Startdate: 07/01/2025 Architecture: LINUX Score: 64 25 76.160.56.210 WINDSTREAMUS United States 2->25 27 94.222.49.223 VODANETInternationalIP-BackboneofVodafoneDE Germany 2->27 29 98 other IPs or domains 2->29 33 Malicious sample detected (through community Yara rule) 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Machine Learning detection for sample 2->37 8 miori.x86.elf 2->8         started        10 gnome-session-binary sh gsd-print-notifications 2->10         started        12 xfce4-session rm 2->12         started        signatures3 process4 process5 14 miori.x86.elf 8->14         started        16 gsd-print-notifications 10->16         started        process6 18 miori.x86.elf 14->18         started        21 miori.x86.elf 14->21         started        23 gsd-print-notifications gsd-printer 16->23         started        signatures7 31 Sample tries to kill multiple processes (SIGKILL) 18->31
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/2d8fea0d43cdd0c083cf4d94267390fb91e82fc95af76865051f6d1d1214424e
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2d8fea0d43cdd0c083cf4d94267390fb91e82fc95af76865051f6d1d1214424e/
Threat name:
Linux.Trojan.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-01-07 21:17:04 UTC
File Type:
ELF64 Little (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fwh6udkdzximba6pjwkcm44q7oi6ql6jll3wqzifd5wr2equijha._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery linux
Link:
https://tria.ge/reports/250107-z41f1aypbv/
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
Creates a large amount of network flows
Enumerates active TCP sockets
Contacts a large (4761) amount of remote hosts
Verdict:
Malicious
Tags:
trojan gafgyt mirai Unix.Trojan.Mirai-9866553-0
YARA:
Linux_Trojan_Gafgyt_9e9530a7 Linux_Trojan_Gafgyt_807911a2 Linux_Trojan_Gafgyt_d4227dbf Linux_Trojan_Gafgyt_620087b9 Linux_Trojan_Gafgyt_0cd591cd Linux_Trojan_Gafgyt_33b4111a Linux_Trojan_Gafgyt_a33a8363 Linux_Trojan_Mirai_1cb033f3
Link:
https://app.threat.zone/submission/a25815e2-dc8e-4933-af65-261d8100ab7f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mirai
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/2d8fea0d43cdd0c083cf4d94267390fb91e82fc95af76865051f6d1d1214424e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_0cd591cd
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_33b4111a
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_620087b9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_807911a2
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_9e9530a7
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_a33a8363
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d4227dbf
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_1cb033f3
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Xorbot

sh e0e7845b1bb2b49ae1fba9968059f7cecdd636840c976c63d4f429a6f0855019

Mirai

elf 2d8fea0d43cdd0c083cf4d94267390fb91e82fc95af76865051f6d1d1214424e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3392531/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3392336/
  
URLhaus
https://urlhaus.abuse.ch/url/3391135/
  
Dropped by
SHA256 e0e7845b1bb2b49ae1fba9968059f7cecdd636840c976c63d4f429a6f0855019
  
Dropped by
MD5 daa194ec4c80e1b3a7d99b32af05b3be
  
Dropped by
SHA256 3b43c6d7e130c86f326dd7ec21f9b7d1028312465fa887377e45dbb16b77d510
  
Dropped by
MD5 185c7ca44b68c4c864de23c5a61ab55f
  
Dropped by
SHA256 7b6de6f57aebd42c19c72a639fe5dea93b22098f7567c82a63f27331dc9baaab
  
Dropped by
MD5 f685f55dcccb972876f3da6bbe91d271

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments