MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30cbdb041e1308d69b45e9997ddd7bff19dde1e5b6ce5847207834ce4f53e443. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	30cbdb041e1308d69b45e9997ddd7bff19dde1e5b6ce5847207834ce4f53e443
SHA3-384 hash:	f31c80189e3f8599f30fd0dba030b996a9691cb845c55f73966807b06c8b4bf0e843de8507af4cd064c6f8cc88fb7953
SHA1 hash:	8742a864d24f8f7b6238e348a460d95c16df6b0a
MD5 hash:	800ca46e44ba5196511a2a7bc8c0ff7c
humanhash:	winter-mike-oregon-bluebird
File name:	morte.arm5
Download:	download sample
Signature	Mirai Create hunting rule
File size:	49'272 bytes
First seen:	2025-07-09 08:50:42 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	768:LhdSlbMcRAvlgV/u3oee0vJB5OkJZ2SDE8KcXboxu+MS0BNFnjmz:nSpjSlgVWEEOkJZ2Z8KcXv+
TLSH	T1C2231781BCD2CA6AC6D16376B62EA68E3362B394E1CE3317CD094B1137C521F4DB7A51
telfhash	t17fe0ab40fe7a4a1888e75a30ec9c03b494012217a0664b10cf10cae0883f049a30cd2e
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf mirai upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 cc03686fd80a16569d3670f928cc84769eb545fd2fc4d2a252c4b095029d7104

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	23'344 bytes
File size (de-compressed) :	49'272 bytes
Format:	linux/arm
Packed file:	cc03686fd80a16569d3670f928cc84769eb545fd2fc4d2a252c4b095029d7104

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30435.LC.UNOFFICIAL

Unix.Trojan.Mirai-7100807-0

Unix.Trojan.Mirai-7135916-0

Unix.Dropper.Mirai-7136016-0

Unix.Trojan.Mirai-8025795-0

Verdict:

Clean

Score:

84.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686e2daf900df8e7f868eef0linux22vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Uses P2P?:

false

Uses anti-vm?:

false

Architecture:

arm

Packer:

not packed

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

not identified

Full report:

https://elfdigest.com/brief/30cbdb041e1308d69b45e9997ddd7bff19dde1e5b6ce5847207834ce4f53e443

Behaviour

no suspicious findings

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

not identified

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/4d2af238-d5c6-4dd0-b663-c45b568fd312

Behavior Graph:

Download SVG

Malware family:

Mirai

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2a4602cb-8cf7-4a09-adb2-02f61f1e3328

Result

Threat name:

Xmrig

Detection:

malicious

Classification:

mine

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1731689

Signature

Antivirus / Scanner detection for submitted sample

Found strings related to Crypto-Mining

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/30cbdb041e1308d69b45e9997ddd7bff19dde1e5b6ce5847207834ce4f53e443

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/30cbdb041e1308d69b45e9997ddd7bff19dde1e5b6ce5847207834ce4f53e443/

Threat name:

Linux.Worm.Mirai

Status:

Malicious

First seen:

2025-07-09 08:51:51 UTC

File Type:

ELF32 Little (Exe)

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gdf5wba6cmenng2f5gmx3xl374m53ypfw3hfqrzapa2m4t2t4rbq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai

Link:

https://tria.ge/reports/250709-ksd2aswp17/

Verdict:

Malicious

Tags:

Unix.Trojan.Mirai-7100807-0

YARA:

n/a

Link:

https://app.threat.zone/submission/62bcd94c-2d31-4113-b4e3-ef72cbf00dcb

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.64

Link:

https://yomi.yoroi.company/submissions/30cbdb041e1308d69b45e9997ddd7bff19dde1e5b6ce5847207834ce4f53e443

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ELF_Mirai Create hunting rule
Author:	NDA0E
Description:	Detects multiple Mirai variants

Rule name:	setsockopt Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for setsockopt() red flags

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research