MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c851b2d5ce23951eff1e62b28255b984f01958e93a5b3fdb9f7f7b6fd30a670. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9



SHA256 hash: 3c851b2d5ce23951eff1e62b28255b984f01958e93a5b3fdb9f7f7b6fd30a670
SHA3-384 hash: 20c2998b94b3c453e98dacbcd487dae57f7c773001874ce1ebfe03d84ffae99e8c4d54961ce77d4c38dfb97d52caf326
SHA1 hash: da8f2a66b8f9e55a35944d92143b581b563dfffd
MD5 hash: b58584e4efebe4f330931f7acbc53ae4
humanhash: happy-butter-crazy-berlin
File name: x86
Signature: Mirai
File size: 47'044 bytes
First seen: 2025-11-25 22:36:41 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 768:vlaOZ8Da9hSAvgXkmKSu3+5Kem6xFpNzKbrn2qO7uzHNB08nA6KabhsOsEfdArbE:v3Z8+9hSAvgPM3+0eVxFpNWbyWzHNB0s
TLSH: T1232302748362C235C47CC6FEB3AB17A836DA2E268C8E276571896C3D3E350DE01F0942
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12); 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai UPX
File size (compressed): 47'044 bytes
File size (de-compressed): 100'584 bytes
Format: linux/i386
Unpacked file: e7350a4f0cb00e52e76380e919492da6a411e36a146bd913829b2afc6ce04ac2
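The static fields above (the four digests, "ELF32 Little (Exe)" / linux/i386, and the UPX packer tag) can be reproduced from the raw bytes with nothing but the Python standard library, which is a useful sanity check before trusting a download. The script below is an added example, not MalwareBazaar's code: `ELF_MACHINES` deliberately covers a few more architectures than the i386 build listed here, the `SAMPLE` constants are constructed header stand-ins rather than the real file, and the file name `elf_fields.py` is assumed.

```python
"""Added example (not MalwareBazaar's code): reproduce the static fields of a
MalwareBazaar entry (SHA256/SHA3-384/SHA1/MD5, ELF class, endianness, type,
machine, UPX marker) from raw bytes, standard library only."""
import hashlib
import struct

# e_machine values for architectures Mirai-style builds are commonly compiled
# for; the entry above is linux/i386 (EM_386 = 3).
ELF_MACHINES = {
    2: "sparc", 3: "i386", 8: "mips", 20: "ppc", 40: "arm", 42: "sh",
    43: "sparcv9", 62: "x86_64", 183: "aarch64",
}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def hash_bytes(data: bytes) -> dict:
    """Return the four digests a MalwareBazaar entry lists."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def parse_elf_header(data: bytes) -> dict:
    """Decode e_ident, e_type and e_machine; raise ValueError if not an ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine sit at offset 16 for both ELF32 and ELF64.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": "ELF32" if ei_class == 1 else "ELF64",
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINES.get(e_machine, f"unknown({e_machine})"),
    }


def has_upx_marker(data: bytes) -> bool:
    """UPX writes its 'UPX!' magic into the packed image; a sample whose
    marker has been patched out will not show here, so this is a hint, not proof."""
    return b"UPX!" in data


def describe(data: bytes) -> dict:
    """Everything the entry's file-information table derives from the bytes."""
    info = parse_elf_header(data)
    info["upx"] = has_upx_marker(data)
    info["size"] = len(data)
    info.update(hash_bytes(data))
    return info


# Constructed stand-ins (not the real sample): a bare 52-byte ELF32 header for
# a little-endian EM_386 executable with a UPX marker appended, and a
# big-endian MIPS variant without one.
SAMPLE = (
    b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8      # e_ident: ELF32, LE, v1
    + struct.pack("<HHI", 2, 3, 1)                       # e_type=EXEC, e_machine=386
    + b"\x00" * 28                                       # remainder of the header
    + b"UPX!" + b"\x00" * 12
)
SAMPLE_MIPS_BE = (
    b"\x7fELF" + bytes([1, 2, 1, 0]) + b"\x00" * 8      # e_ident: ELF32, BE, v1
    + struct.pack(">HHI", 2, 8, 1)                       # e_type=EXEC, e_machine=MIPS
    + b"\x00" * 28
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in describe(data).items():
        print(f"{key}: {value}")
```

Run it against the downloaded file (`python3 elf_fields.py x86`) and compare the SHA256 with the entry before doing anything else with the sample; after `upx -d` on a copy, the decompressed file's digest should correspond to the "Unpacked file" hash above, and a mismatch means either a different UPX build or a modified stub.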

Intelligence


File Origin
# of uploads: 1
# of downloads: 53
Origin country: DE
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Connection attempt
Kills processes
Mounts file systems
Runs as daemon
Opens a port
Substitutes an application name

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: mirai packed upx

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: true
Architecture: x86
Packer: UPX
Botnet: unknown
Number of open files: 40
Number of processes launched: 7
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour:
Anti-VM
Process Renaming
Information Gathering
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified

Verdict: Clean
File Type: elf.32.le
First seen: 2025-11-25T19:44:00Z UTC
Last seen: 2025-11-25T19:56:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph: [rendered process graph; recoverable details: sudo (pid 3048) execve /tmp/sample.bin (pid 3056), which clones a chain of further /tmp/sample.bin copies (pids 3057, 3058, 3061, 3062, 3270, 3271; 3058 and 3271 left as zombies); pid 3271 is the only node with dns/net/send-data activity and sends 798 bytes to 8.8.8.8:53]
Result
Threat name: n/a
Detection: malicious
Classification: spre.troj.evad
Score: 84 / 100
Signatures:
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Reads system files that contain records of logged in users
Sample is packed with UPX
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph: [rendered process graph; recoverable details: Behavior Graph ID 1820873, sample x86.elf, start date 25/11/2025, architecture LINUX, score 84. x86.elf spawns a chain of copies of itself; a DNS node for adkadoad.xcvx.online carries the "Performs DNS TXT record lookups" signature; /var/log/wtmp appears as a file node with "Reads system files that contain records of logged in users". The SIGKILL and /proc/mounts signatures are attached to the x86.elf children but also to desktop-session processes of the sandbox image (gdm3, dbus-daemon, gnome-shell, gjs) that the sample did not start, so per-process attribution in this graph should be checked against the sample's own process tree before it is quoted as sample behaviour.]
Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2025-11-25 22:37:21 UTC
File Type: ELF32 Little (Exe)
AV detection: 12 of 24 (50.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery linux upx
Behaviour:
Reads runtime system information
Changes its process name
Enumerates running processes
Unexpected DNS network traffic destination
Please note that we are no longer able to provide a coverage score for Virus Total.
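The behaviours the sandboxes above broadly agree on (SIGKILL of other processes, /proc/mounts reads, process renaming, /proc enumeration, wtmp access, DNS to a non-local resolver) are worth confirming from one's own syscall trace of the sample rather than taking from a vendor score, especially since one of the graphs above attributes sample signatures to unrelated desktop processes. The script below is an added example, not code from MalwareBazaar or any of the vendors quoted; it assumes the default `strace -f` line format, the `TRACE` lines are constructed for illustration rather than captured from the real sample, and the label names and the 127.0.0.53 resolver allow-list are assumptions.

```python
"""Added example (not from MalwareBazaar or any sandbox vendor): map the
behaviours a Mirai-family entry reports onto an strace-style syscall trace.
Patterns assume the default `strace -f` output; TRACE is constructed."""
import re

# Our own labels, one per reported behaviour. The patterns match the syscall
# and its arguments, so they also hit `<unfinished ...>` lines, which is where
# strace prints the arguments of a call interrupted by another thread.
PATTERNS = {
    "kills_processes":      re.compile(r"\bkill\((\d+), SIGKILL\b"),
    "renames_process":      re.compile(r'\bprctl\(PR_SET_NAME, "([^"]*)"'),
    "reads_proc_mounts":    re.compile(r'\bopen(?:at)?\((?:AT_FDCWD, )?"/proc/mounts"'),
    "reads_login_records":  re.compile(r'\bopen(?:at)?\((?:AT_FDCWD, )?"/var/(?:log|run)/[wu]tmp"'),
    "enumerates_processes": re.compile(r'\bopen(?:at)?\((?:AT_FDCWD, )?"/proc/\d+/(?:cmdline|exe|stat)"'),
    "dns_queries":          re.compile(r'sin_port=htons\(53\), sin_addr=inet_addr\("([\d.]+)"\)'),
}
# Note: Mirai-style binaries also overwrite argv[0] in their own memory to
# disguise themselves; that leaves no syscall and is not visible here.


def triage(lines, pids=None, expected_resolvers=frozenset({"127.0.0.53"})):
    """Count behaviour hits per label over `strace -f` lines.

    `pids` restricts matching to the sample's own process tree (the pid prefix
    strace -f prints), which keeps sandbox-environment processes out of the
    attribution. `expected_resolvers` is an assumed allow-list for the
    sandbox's own DNS resolver; any other destination on UDP/53 is reported."""
    hits = {name: [] for name in PATTERNS}
    for line in lines:
        pid, _, call = line.partition(" ")
        if pids is not None and pid not in pids:
            continue
        for name, pat in PATTERNS.items():
            m = pat.search(call)
            if m:
                hits[name].append(m.group(1) if m.groups() else call.strip())
    unexpected = sorted({ip for ip in hits["dns_queries"] if ip not in expected_resolvers})
    return {
        "counts": {k: len(v) for k, v in hits.items()},
        "hits": hits,
        "unexpected_dns": unexpected,
    }


# Constructed trace (not a real capture) in `strace -f` format.
TRACE = """\
3056 execve("/tmp/sample.bin", ["/tmp/sample.bin"], 0x7ffe3b4c5d60 /* 4 vars */) = 0
3056 prctl(PR_SET_NAME, "sshd") = 0
3056 openat(AT_FDCWD, "/proc/mounts", O_RDONLY) = 3
3056 openat(AT_FDCWD, "/var/log/wtmp", O_RDONLY) = 4
3057 openat(AT_FDCWD, "/proc/1/cmdline", O_RDONLY) = 5
3057 openat(AT_FDCWD, "/proc/842/cmdline", O_RDONLY) = 5
3057 kill(842, SIGKILL) = 0
3057 kill(915, SIGKILL) = -1 ESRCH (No such process)
3058 kill(1001, SIGKILL <unfinished ...>
3058 <... kill resumed>) = 0
3271 socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 6
3271 sendto(6, "...", 798, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = 798
3271 sendto(6, "...", 45, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 45
""".splitlines()

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else TRACE
    result = triage(lines)
    for name, count in result["counts"].items():
        print(f"{name}: {count}")
    print("unexpected DNS destinations:", result["unexpected_dns"])
```

Capture the input in an isolated VM with `strace -f -o trace.txt /tmp/sample.bin` and pass `trace.txt` as the argument; passing `pids` set to the sample's process tree is what keeps signatures from being attributed to the sandbox's own desktop session, which is exactly the misattribution visible in the behavior graph above.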

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: SUSP_ELF_LNX_UPX_Compressed_File
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious ELF binary with UPX compression
Reference: Internal Research

Rule name: UPXProtectorv10x2
Author: malware-lu

Rule name: upx_packed_elf_v1
Author: RandomMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mirai
Sample: elf 3c851b2d5ce23951eff1e62b28255b984f01958e93a5b3fdb9f7f7b6fd30a670 (this sample)

Comments