MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b998c8635e50d1c92328347fd152381b08ddd14b18ec931caa99d2195792179. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b998c8635e50d1c92328347fd152381b08ddd14b18ec931caa99d2195792179
SHA3-384 hash: d268543ff742620ec103d702b373c62516a4c74c871d0636eb644ff9eeb645235087c05a3d7ae8aaef7f3a11a1e5706f
SHA1 hash: df37e5ca19070e1c3410c204ff82b0e631d1238f
MD5 hash: 546d4f8eee6bc5ebd7be885f1c30754b
humanhash: jersey-cup-diet-johnny
File name:s
Download: download sample
Signature Mirai
Create hunting rule
File size:227'600 bytes
First seen:2025-07-20 06:52:27 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 6144:u5ChJEayZqZmBaKycFZnmOKwqlqyxL/KilIirmCzwodZisU68:u52JEayKmBaKycPmOKflb/TlvmCztdZq
TLSH T1AE241A08EB408B1BC1D227BAFB9E424D33339B54B7EB370A59385BB43BC27695E25115
telfhash t18b418621997982352ba18c5c5c6c9bf201269b1363073f32bf32d4cc4536091d53ed5b
Magika elf
Reporter abuse_ch
Tags:elf gafgyt mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
21
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.30541.LC.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-9760303-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Collects information on the CPU
Receives data from a server
Runs as daemon
Creating a file
Opens a port
Kills processes
Sends data to a server
Connection attempt
Substitutes an application name
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
gcc lolbin obfuscated obfuscated remote
Link:
https://www.filescan.io/uploads/687c92695076b202e43e49ce/reports/07105d51-2076-4fc0-91a9-02953b534fba/overview
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/2447503a-8208-410a-be91-a8fe165d96f2
Behavior Graph:
Download SVG
%3 guuid=8165f0fa-1800-0000-b1de-dfdd89070000 pid=1929 /usr/bin/sudo guuid=fbcf7bfd-1800-0000-b1de-dfdd8a070000 pid=1930 /tmp/sample.bin guuid=8165f0fa-1800-0000-b1de-dfdd89070000 pid=1929->guuid=fbcf7bfd-1800-0000-b1de-dfdd8a070000 pid=1930 execve
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73a59481-59fa-475d-a574-9448aaa4cf97
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1740374
Signature
Multi AV Scanner detection for submitted file
Sample tries to kill multiple processes (SIGKILL)
Terminates several processes with shell command 'killall'
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1740374 Sample: s.elf Startdate: 20/07/2025 Architecture: LINUX Score: 56 68 88.98.151.173 ZEN-ASZenInternet-UKGB United Kingdom 2->68 70 77.247.117.48 XTGLOBALRO Lithuania 2->70 72 98 other IPs or domains 2->72 74 Multi AV Scanner detection for submitted file 2->74 10 s.elf 2->10         started        12 xfce4-session xfce4-panel 2->12         started        14 xfce4-session xfce4-panel 2->14         started        16 10 other processes 2->16 signatures3 process4 process5 18 s.elf 10->18         started        20 xfce4-panel wrapper-2.0 12->20         started        22 xfce4-panel wrapper-2.0 12->22         started        24 xfce4-panel wrapper-2.0 12->24         started        32 3 other processes 12->32 26 xfce4-panel wrapper-2.0 14->26         started        28 xfce4-panel wrapper-2.0 14->28         started        34 4 other processes 14->34 30 wrapper-2.0 xfpm-power-backlight-helper 16->30         started        process6 36 s.elf 18->36         started        39 s.elf 18->39         started        41 wrapper-2.0 xfpm-power-backlight-helper 20->41         started        43 wrapper-2.0 xfpm-power-backlight-helper 26->43         started        signatures7 76 Sample tries to kill multiple processes (SIGKILL) 36->76 45 s.elf sh 36->45         started        47 s.elf sh 36->47         started        49 s.elf sh 36->49         started        51 30 other processes 36->51 process8 process9 53 sh killall 45->53         started        56 sh killall 47->56         started        58 sh killall 49->58         started        60 sh killall 51->60         started        62 sh killall 51->62         started        64 sh killall 51->64         started        66 27 other processes 51->66 signatures10 78 Terminates several processes with shell command 'killall' 53->78
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/3b998c8635e50d1c92328347fd152381b08ddd14b18ec931caa99d2195792179
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3b998c8635e50d1c92328347fd152381b08ddd14b18ec931caa99d2195792179/
Verdict:
Malicious
Threat:
HEUR:Backdoor.Linux.Gafgyt
Link:
https://tip.neiki.dev/file/3b998c8635e50d1c92328347fd152381b08ddd14b18ec931caa99d2195792179
Threat name:
Linux.Trojan.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2025-07-20 06:53:28 UTC
File Type:
ELF32 Little (Exe)
AV detection:
15 of 23 (65.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=homyzbrv4ugrzersqnd72fjdqgyi3xiuwghmsmokvgosdflzef4q._file
Result
Malware family:
gafgyt
Create hunting rule
Score:
  10/10
Tags:
family:gafgyt antivm defense_evasion discovery execution
Link:
https://tria.ge/reports/250720-hngkhsaj6v/
Behaviour
Command and Scripting Interpreter: Unix Shell
Reads runtime system information
Changes its process name
Checks CPU configuration
Reads CPU attributes
Writes file to system bin folder
Enumerates running processes
Modifies Watchdog functionality
Writes memory of remote process
Contacts a large (536402) amount of remote hosts
Creates a large amount of network flows
Verdict:
Malicious
Tags:
Unix.Trojan.Mirai-9760303-0
YARA:
n/a
Link:
https://app.threat.zone/submission/ce1242e9-7cbd-4f7c-8958-c9e8ff6dfdfd
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3b998c8635e50d1c92328347fd152381b08ddd14b18ec931caa99d2195792179

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202503_elf_Mirai
Create hunting rule
Author:abuse.ch
Description:Detects Mirai 'TSource' ELF files
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 3b998c8635e50d1c92328347fd152381b08ddd14b18ec931caa99d2195792179

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3584472/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3576532/
  
URLhaus
https://urlhaus.abuse.ch/url/3584473/

Comments