MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 413b6ea96fcb76d4a00f67b35d63d0823b36fdf18fc18a8a8c5aadb2c357a08f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 413b6ea96fcb76d4a00f67b35d63d0823b36fdf18fc18a8a8c5aadb2c357a08f
SHA3-384 hash: ee14c783fc6918afe88798403a5bbe744a662ac3db75d66df9bbcd286dfcb59588023eb41b259cca9da20e088aa6928d
SHA1 hash: ededc71eae8a4f9d80502d3fc24eded0edda5829
MD5 hash: 144f43f07829e7f9efc583d8b0d6e039
humanhash: robin-blossom-freddie-king
File name:Fantazy.ppc
Download: download sample
Signature Mirai
Create hunting rule
File size:58'960 bytes
First seen:2026-01-06 12:22:50 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 768:8Z7mYHm6RK0+PFaXgqkM+3xiWXRdIw33H5JTFYrPZV8rF6GHR1b03Ey20o:evHm6R+ANDRWhKwHZdFUdGHR1bGlK
TLSH T118434A0073588D43F4AA1EF6283F17D483BFFE4112E5E0456E0EAA4A8236E735956F6D
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
Mirai
Details
Link:
https://research.acce.ciphertechsolutions.com/results/23fd9824-9e81-4984-a4d1-d35d877256ed/
Detection(s):
Unix.Trojan.Mirai-7135937-0
Create hunting rule

Unix.Dropper.Mirai-7135957-0
Create hunting rule

Unix.Dropper.Mirai-7136014-0
Create hunting rule

Unix.Dropper.Mirai-7139230-0
Create hunting rule

Unix.Trojan.Mirai-9940367-0
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
gafgyt masquerade mirai obfuscated
Link:
https://www.filescan.io/uploads/695cfeb54d541a97c66c3098/reports/82261197-8876-4978-8341-41fa215cce3d/overview
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2026-01-06T09:59:00Z UTC
Last seen:
2026-01-06T11:01:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Linux.Mirai.b
Link:
https://opentip.kaspersky.com/413b6ea96fcb76d4a00f67b35d63d0823b36fdf18fc18a8a8c5aadb2c357a08f/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/51d88ce1-54ba-492b-b1c4-15e3e316791c
Behavior Graph:
Download SVG
%3 guuid=8a422482-1900-0000-3fed-0a8c7d110000 pid=4477 /usr/bin/sudo guuid=9bdc1984-1900-0000-3fed-0a8c84110000 pid=4484 /tmp/sample.bin guuid=8a422482-1900-0000-3fed-0a8c7d110000 pid=4477->guuid=9bdc1984-1900-0000-3fed-0a8c84110000 pid=4484 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c13adef3-7eb8-47eb-b25f-5a0f52a75feb
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1845425
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1845425 Sample: Fantazy.ppc.elf Startdate: 06/01/2026 Architecture: LINUX Score: 68 103 170.6.211.1, 23 XUS United States 2->103 105 162.76.165.185, 23 VIASAT-SP-BACKBONEUS United States 2->105 107 99 other IPs or domains 2->107 113 Antivirus / Scanner detection for submitted sample 2->113 115 Multi AV Scanner detection for submitted file 2->115 11 systemd gdm3 2->11         started        13 systemd gdm3 2->13         started        15 systemd systemd 2->15         started        17 79 other processes 2->17 signatures3 process4 file5 21 gdm3 gdm-session-worker 11->21         started        32 3 other processes 11->32 23 gdm3 gdm-session-worker 13->23         started        34 3 other processes 13->34 25 systemd dbus-daemon 15->25         started        36 3 other processes 15->36 101 /var/log/wtmp, data 17->101 dropped 109 Sample reads /proc/mounts (often used for finding a writable filesystem) 17->109 111 Reads system files that contain records of logged in users 17->111 28 Fantazy.ppc.elf 17->28         started        30 accounts-daemon language-validate 17->30         started        38 47 other processes 17->38 signatures6 process7 signatures8 40 gdm-session-worker gdm-wayland-session 21->40         started        42 gdm-session-worker gdm-wayland-session 23->42         started        117 Sample reads /proc/mounts (often used for finding a writable filesystem) 25->117 44 Fantazy.ppc.elf 28->44         started        55 2 other processes 28->55 47 language-validate language-options 30->47         started        49 systemd 30-systemd-environment-d-generator 36->49         started        51 language-validate language-options 38->51         started        53 language-validate language-options 38->53         started        57 35 other processes 38->57 process9 signatures10 59 gdm-wayland-session dbus-run-session 40->59         started        61 gdm-wayland-session dbus-daemon 40->61         started        64 gdm-wayland-session dbus-run-session 42->64         started        66 gdm-wayland-session dbus-daemon 42->66         started        119 Sample tries to kill multiple processes (SIGKILL) 44->119 68 language-options sh 47->68         started        70 language-options sh 51->70         started        72 language-options sh 53->72         started        74 language-options sh 57->74         started        76 gdm-wayland-session dbus-daemon 57->76         started        process11 signatures12 78 dbus-run-session dbus-daemon 59->78         started        121 Sample reads /proc/mounts (often used for finding a writable filesystem) 61->121 81 dbus-daemon 61->81         started        83 dbus-run-session dbus-daemon 64->83         started        85 dbus-daemon 66->85         started        87 sh locale 68->87         started        89 sh grep 68->89         started        91 2 other processes 70->91 93 2 other processes 72->93 95 2 other processes 74->95 process13 signatures14 123 Sample reads /proc/mounts (often used for finding a writable filesystem) 78->123 97 dbus-daemon false 81->97         started        99 dbus-daemon false 85->99         started        process15
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/413b6ea96fcb76d4a00f67b35d63d0823b36fdf18fc18a8a8c5aadb2c357a08f
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/413b6ea96fcb76d4a00f67b35d63d0823b36fdf18fc18a8a8c5aadb2c357a08f/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/413b6ea96fcb76d4a00f67b35d63d0823b36fdf18fc18a8a8c5aadb2c357a08f
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-06 12:24:07 UTC
File Type:
ELF32 Big (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ie5w5klpzn3njiapm6zv2y6qqi5tn7prr7ayvcumlkw3fq2xuchq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai linux
Link:
https://tria.ge/reports/260106-p5m7yshy9f/
Verdict:
Malicious
Tags:
Unix.Trojan.Mirai-7135937-0
YARA:
n/a
Link:
https://app.threat.zone/submission/33d688f5-4776-49cf-b67b-e71005a5eb1c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/413b6ea96fcb76d4a00f67b35d63d0823b36fdf18fc18a8a8c5aadb2c357a08f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 413b6ea96fcb76d4a00f67b35d63d0823b36fdf18fc18a8a8c5aadb2c357a08f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3750054/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3750695/

Comments