MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40e2855c5d63df422ddbc989f670b344c717dd5b54234e0ba70885375b1316e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40e2855c5d63df422ddbc989f670b344c717dd5b54234e0ba70885375b1316e1
SHA3-384 hash: a10f18a310cd510cf52084ebd0a1fe0ae40c3be38aa5329032742853a8801afdf4b1cb08640b19fab4a71c55b29fff4f
SHA1 hash: 4ed0a8a5006ad4a6a2b3ca1edff8f3280628aa26
MD5 hash: 0d3fb30be4dc681a79f5c7422f3e8783
humanhash: table-sink-indigo-ohio
File name:iran.armv4l
Download: download sample
Signature Mirai
Create hunting rule
File size:154'168 bytes
First seen:2026-01-02 22:36:36 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:6W6jpYCB/C/cUFcpwir02hEZXnPh70sKe4EDYahyKnpmYLLdl/Q:F6jpYCBicUFcq+3MJgsb4AYaoKsIpl/Q
TLSH T165E31945FC518B16CAC662BBFB4E428D77271768D2EE31039D256F21378B96B0E3B142
telfhash t1fa119062cf195aec57d9b25090d8701a67ecb1a01b3a24821afe8f5bc1029e5b11501b
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 5c975a5c1e9983dd8e204fe207d44c1bd2389b6825d6bdbe44f635eb90bba318
File size (compressed) :59'156 bytes
File size (de-compressed) :154'168 bytes
Format:linux/arm
Packed file: 5c975a5c1e9983dd8e204fe207d44c1bd2389b6825d6bdbe44f635eb90bba318

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.32133.LX.BOT.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-01-02T21:00:00Z UTC
Last seen:
2026-01-04T02:01:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/40e2855c5d63df422ddbc989f670b344c717dd5b54234e0ba70885375b1316e1/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/43e40b13-6080-4ecf-8e1e-d10f34e6ad47
Behavior Graph:
Download SVG
%3 guuid=e4a5a274-1b00-0000-5018-e0ecae090000 pid=2478 /usr/bin/sudo guuid=6e96ee76-1b00-0000-5018-e0ecb6090000 pid=2486 /tmp/sample.bin guuid=e4a5a274-1b00-0000-5018-e0ecae090000 pid=2478->guuid=6e96ee76-1b00-0000-5018-e0ecb6090000 pid=2486 execve
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/febc8ca0-f096-4294-be40-aa6e9532f567
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1843867
Signature
Multi AV Scanner detection for submitted file
Sample deletes itself
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1843867 Sample: iran.armv4l.elf Startdate: 02/01/2026 Architecture: LINUX Score: 52 23 87.121.84.11, 57560, 57562, 57564 SKATTV-ASBG Bulgaria 2->23 25 daisy.ubuntu.com 2->25 27 Multi AV Scanner detection for submitted file 2->27 8 iran.armv4l.elf 2->8         started        10 systemd snap-failure 2->10         started        12 python3.8 dpkg 2->12         started        signatures3 process4 process5 14 iran.armv4l.elf 8->14         started        16 snap-failure systemctl 10->16         started        18 snap-failure 10->18         started        process6 20 iran.armv4l.elf 14->20         started        signatures7 29 Sample deletes itself 20->29
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/40e2855c5d63df422ddbc989f670b344c717dd5b54234e0ba70885375b1316e1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40e2855c5d63df422ddbc989f670b344c717dd5b54234e0ba70885375b1316e1/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-02 22:37:32 UTC
File Type:
ELF32 Little (Exe)
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=idrikxc5mppuelo3zge7m4ftitdrpxk3kqru4c5hbcctowytc3qq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/260102-2jw9ysfx3h/
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/eea33924-6498-4cc7-8e07-4c2a56a03ec0
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/40e2855c5d63df422ddbc989f670b344c717dd5b54234e0ba70885375b1316e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:Linux_Generic_Threat_d94e1020
Create hunting rule
Author:Elastic Security
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 5c975a5c1e9983dd8e204fe207d44c1bd2389b6825d6bdbe44f635eb90bba318

Mirai

elf 40e2855c5d63df422ddbc989f670b344c717dd5b54234e0ba70885375b1316e1

(this sample)

  
Dropped by
SHA256 5c975a5c1e9983dd8e204fe207d44c1bd2389b6825d6bdbe44f635eb90bba318
  
URLhaus
https://urlhaus.abuse.ch/url/3749328/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 fe991cfeb2b68246f86037dc2a45bcc2

Comments