MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fea6d750543a170539b6ec6d2b7de4fd998fdd95586f12168df9fb213868cba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fea6d750543a170539b6ec6d2b7de4fd998fdd95586f12168df9fb213868cba
SHA3-384 hash: cf5f396a5fae84b362af1bf19316f32facfc22312c908a66db6500cc2cbb86019262a25ea1a3ccf8934feb99b3f74259
SHA1 hash: c4360e3e19a38319882e1ab66bbb112743fd2612
MD5 hash: f9c9a3beb0a8e2bc19095160ecc0b464
humanhash: harry-mountain-iowa-echo
File name:f9c9a3beb0a8e2bc19095160ecc0b464
Download: download sample
Signature Mirai
Create hunting rule
File size:41'828 bytes
First seen:2023-02-26 15:04:17 UTC
Last seen:2023-02-26 16:27:38 UTC
File type: elf
MIME type:application/x-executable
ssdeep 768:F6JOJw1Zl9yEJ+mjJDLh7IG9IXtl95PRayJS5MXYWapEcGTQdSidPLe2nXWw:F1AUE3xz6L95PRabWq9cbitL9
TLSH T1EA13E16DE0E6A903CDED5E767AD79F2DC61094C172CBBF3997078C54A8A840F744883A
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter zbetcheckin
Tags:32 elf mips mirai

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ELF.Mirai-ACT.27998.28727.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug mirai
Link:
https://www.filescan.io/uploads/63fb752181c7f31327fa194c/reports/e09ca335-0b7a-41de-9679-abb48252c9ff/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
mips
Packer:
UPX
Botnet:
unknown
Number of open files:
7
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/3fea6d750543a170539b6ec6d2b7de4fd998fdd95586f12168df9fb213868cba
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Verdict:
UNKNOWN
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/adda9139-7efd-48ce-863f-2389d8ed83cd
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1182662
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample is packed with UPX
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 815494 Sample: 6yfF5m0LiJ.elf Startdate: 26/02/2023 Architecture: LINUX Score: 80 99 164.110.201.83, 23 WSDOT-ASNUS United States 2->99 101 14.224.233.210 VNPT-AS-VNVNPTCorpVN Viet Nam 2->101 103 98 other IPs or domains 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 Multi AV Scanner detection for submitted file 2->107 109 Yara detected Mirai 2->109 111 Sample is packed with UPX 2->111 11 gdm3 gdm-session-worker 2->11         started        13 6yfF5m0LiJ.elf 2->13         started        15 systemd accounts-daemon 2->15         started        18 27 other processes 2->18 signatures3 process4 signatures5 20 gdm-session-worker gdm-wayland-session 11->20         started        22 6yfF5m0LiJ.elf 13->22         started        24 6yfF5m0LiJ.elf 13->24         started        27 6yfF5m0LiJ.elf 13->27         started        119 Reads system files that contain records of logged in users 15->119 29 accounts-daemon language-validate 15->29         started        121 Sample reads /proc/mounts (often used for finding a writable filesystem) 18->121 31 gdm-session-worker gdm-x-session 18->31         started        33 accounts-daemon language-validate 18->33         started        35 xfce4-panel wrapper-2.0 18->35         started        37 11 other processes 18->37 process6 signatures7 39 gdm-wayland-session dbus-run-session 20->39         started        41 6yfF5m0LiJ.elf 22->41         started        44 6yfF5m0LiJ.elf 22->44         started        46 6yfF5m0LiJ.elf 22->46         started        113 Sample tries to kill multiple processes (SIGKILL) 24->113 48 language-validate language-options 29->48         started        50 gdm-x-session Xorg Xorg.wrap Xorg 31->50         started        52 language-validate language-options 33->52         started        54 wrapper-2.0 xfpm-power-backlight-helper 35->54         started        process8 signatures9 56 dbus-run-session dbus-daemon 39->56         started        59 dbus-run-session gnome-session gnome-session-binary 1 39->59         started        117 Sample tries to kill multiple processes (SIGKILL) 41->117 61 language-options sh 48->61         started        63 Xorg sh 50->63         started        65 language-options sh 52->65         started        process10 signatures11 115 Sample reads /proc/mounts (often used for finding a writable filesystem) 56->115 67 dbus-daemon 56->67         started        69 dbus-daemon 56->69         started        71 dbus-daemon 56->71         started        79 4 other processes 56->79 73 gnome-session-binary sh gnome-shell 59->73         started        75 gnome-session-binary session-migration 59->75         started        81 2 other processes 61->81 77 sh xkbcomp 63->77         started        83 2 other processes 65->83 process12 process13 85 dbus-daemon false 67->85         started        87 dbus-daemon false 69->87         started        89 dbus-daemon false 71->89         started        91 dbus-daemon false 79->91         started        93 dbus-daemon false 79->93         started        95 dbus-daemon false 79->95         started        97 dbus-daemon false 79->97         started       
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3fea6d750543a170539b6ec6d2b7de4fd998fdd95586f12168df9fb213868cba/
Threat name:
Linux.Trojan.Mirai
Create hunting rule
Status:
Malicious
First seen:
2023-02-26 15:05:07 UTC
File Type:
ELF32 Little (Exe)
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h7vg25ifioqxau43n3dnfn66j7mzr7ozkwdpcili36p3ee4grs5a._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery
Link:
https://tria.ge/reports/230226-sf6vjshc37/
Behaviour
Reads runtime system information
Reads system network configuration
Enumerates active TCP sockets
Contacts a large (20419) amount of remote hosts
Creates a large amount of network flows
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.23
Link:
https://yomi.yoroi.company/submissions/3fea6d750543a170539b6ec6d2b7de4fd998fdd95586f12168df9fb213868cba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 3fea6d750543a170539b6ec6d2b7de4fd998fdd95586f12168df9fb213868cba

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2551076/

Comments


Avatar
zbet commented on 2023-02-26 15:04:19 UTC

url : hxxp://212.87.204.161/d/hotnet.mpsl