MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b9fb643ee107c4fdc321425bf8801dae55aa9e5c392b6062e463ec8dde0cb9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b9fb643ee107c4fdc321425bf8801dae55aa9e5c392b6062e463ec8dde0cb9d
SHA3-384 hash: 2348cf0fff97a33b668222fd380407d90a080608e15548e7827cbade95120f7c72f7d624d8f209a713edce9ab605cbf1
SHA1 hash: e5db8a229a1919ee00bc7ecdb99659e385f3fade
MD5 hash: d69962a0d590997917a9e4833a554267
humanhash: nineteen-diet-batman-william
File name:arm4
Download: download sample
Signature Mirai
Create hunting rule
File size:87'260 bytes
First seen:2025-08-23 06:14:40 UTC
Last seen:2025-09-06 09:40:24 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:w4dV9zkdXih/Nwnck+ticqrknWczc4v7I2t2jZd+HqFPs+evHE6G48vLAi:d9wdyhSoticIknWcI4vUE2FcKFPshvHY
TLSH T11C832855BC819B56C7C156BBFB1F428D332663ACE2EA7217C9255F61338B95B0E3B002
telfhash t12ce02bf2894624fd53d0d186d1ab31ca15a4b0290f0110d155cdded7d2f2a87f25744b
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
7
# of downloads :
87
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.88621559.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
expand lolbin remote
Link:
https://www.filescan.io/uploads/68a95cd828a89d9dd4f2977f/reports/f25e54e0-d9b3-4508-8a55-a54a369902a7/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-08-22T23:32:00Z UTC
Last seen:
2025-08-22T23:32:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/3b9fb643ee107c4fdc321425bf8801dae55aa9e5c392b6062e463ec8dde0cb9d/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/0c5db317-ef68-4bb2-8f0a-3d1dd68b6ddf
Behavior Graph:
Download SVG
%3 guuid=e5053dff-1700-0000-e78d-8f1640080000 pid=2112 /usr/bin/sudo guuid=0b766902-1800-0000-e78d-8f1649080000 pid=2121 /tmp/sample.bin guuid=e5053dff-1700-0000-e78d-8f1640080000 pid=2112->guuid=0b766902-1800-0000-e78d-8f1649080000 pid=2121 execve
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b8d91730-f4c1-474d-8705-23c62dce0daa
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1763432
Signature
Connects to many ports of the same IP (likely port scanning)
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample reads /proc/mounts (often used for finding a writable filesystem)
Uses STUN server to do NAT traversial
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1763432 Sample: arm4.elf Startdate: 23/08/2025 Architecture: LINUX Score: 72 22 ilovementallyilltrannysandanorexicbrits.su 2->22 24 stun.l.google.com 2->24 26 6 other IPs or domains 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Connects to many ports of the same IP (likely port scanning) 2->30 8 arm4.elf 2->8         started        11 dash rm 2->11         started        13 dash rm 2->13         started        signatures3 32 Performs DNS TXT record lookups 22->32 34 Uses STUN server to do NAT traversial 24->34 process4 signatures5 36 Sample reads /proc/mounts (often used for finding a writable filesystem) 8->36 15 arm4.elf 8->15         started        process6 signatures7 38 Opens /sys/class/net/* files useful for querying network interface information 15->38 40 Opens /proc/net/* files useful for finding connected devices and routers 15->40 18 arm4.elf 15->18         started        20 arm4.elf 15->20         started        process8
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/3b9fb643ee107c4fdc321425bf8801dae55aa9e5c392b6062e463ec8dde0cb9d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b9fb643ee107c4fdc321425bf8801dae55aa9e5c392b6062e463ec8dde0cb9d/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-08-23 03:12:22 UTC
File Type:
ELF32 Little (Exe)
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hop3mq7ocb6e7xbscqs37cab3lsvvkpfyojlmbroiy7mrxpazooq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250823-g1w1assrv5/
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/150c7a22-2c60-42be-9d2b-39ff3667a637
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3b9fb643ee107c4fdc321425bf8801dae55aa9e5c392b6062e463ec8dde0cb9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Linux_Generic_Threat_e9aef030
Create hunting rule
Author:Elastic Security
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 331027ed453f9de1d2640644a421b727408dddc443db65076e7d91fedc51e09c

Mirai

elf 3b9fb643ee107c4fdc321425bf8801dae55aa9e5c392b6062e463ec8dde0cb9d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3609692/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3591773/
  
URLhaus
https://urlhaus.abuse.ch/url/3591042/
  
URLhaus
https://urlhaus.abuse.ch/url/3609786/
  
URLhaus
https://urlhaus.abuse.ch/url/3610190/
  
Dropped by
SHA256 331027ed453f9de1d2640644a421b727408dddc443db65076e7d91fedc51e09c
  
Dropped by
MD5 0030845ccbe63e932d0910724e7452a2
  
URLhaus
https://urlhaus.abuse.ch/url/3591799/
  
Dropped by
SHA256 401891b4657af06f592cfcd06905ae9cc8cb59d1a9eec6323477161dda0efd45
  
Dropped by
MD5 ec7ae02ad9f2fdac1dfcd381f79f47e6
  
Dropped by
SHA256 0abde5d125fd13bbac99e365d34027d52792c8e8b8f44ebab1bf7712aed54297
  
Dropped by
MD5 2abe94113f8e830668cbb83bdd60111c
  
URLhaus
https://urlhaus.abuse.ch/url/3610572/
  
URLhaus
https://urlhaus.abuse.ch/url/3610573/

Comments