MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4257f0992f19704aa44249881566901db0943a83f90c7ae563777473a7017b25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai

Vendor detections: 9

SHA256 hash: 4257f0992f19704aa44249881566901db0943a83f90c7ae563777473a7017b25
SHA3-384 hash: 619fbc6881d5e5a130d9548f64a4750194f77692b3322cbffc9c44245f5bcd4e70a77b84223d170b624435472f7d6b17
SHA1 hash: d44ffa917c3813521f7a90e2751961c6dafda1e0
MD5 hash: 234b3c9d8767b46c2c176a9e87dcdbfd
humanhash: kentucky-tango-winter-venus
File name: x86_32.urbotnetisass
Signature: Mirai
File size: 161'964 bytes
First seen: 2025-09-11 03:47:20 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 3072:lQNuwQFO3vTXmnPz+GHtj+thNpCI2mDM7ogvKDwvVHm2QBRA:lh1FO3vTXmP6GHu9DjstHOBRA
TLSH: T177F37D42EA43D0F1F89611B011E787265EB3EE36543ADA46D7B52E30AC66600D72F7BC
telfhash: t1b0718fb22eba1eec7390dd01c74e1b12fd4ad6bb395035b9067307e823f6e411462879
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai
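Before a copy of this sample goes into your own tooling, confirm it is the file the entry describes: hashes, size, and the ELF32 little-endian executable claim repeated in the vendor results. The Python below is an added example, not code from MalwareBazaar or abuse.ch. It copies the four digests and the file size from this entry, recomputes them over a local file, and parses the ELF header. The `CONSTRUCTED_ELF32_HEADER` stand-in and all function names are the example's own; the stand-in is not the real sample, so the hash comparison is expected to fail on it and only the header check passes.

```python
"""Added example (not part of the MalwareBazaar page): verify a downloaded file
against this entry's hashes, size and ELF header before analysing it."""
import hashlib
import struct

# Digests and size as listed on this MalwareBazaar entry.
EXPECTED_HASHES = {
    "sha256": "4257f0992f19704aa44249881566901db0943a83f90c7ae563777473a7017b25",
    "sha1": "d44ffa917c3813521f7a90e2751961c6dafda1e0",
    "md5": "234b3c9d8767b46c2c176a9e87dcdbfd",
    "sha3_384": "619fbc6881d5e5a130d9548f64a4750194f77692b3322cbffc9c44245f5bcd4e"
                "70a77b84223d170b624435472f7d6b17",
}
EXPECTED_SIZE = 161964  # "File size: 161'964 bytes"

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little", 2: "big"}
ELF_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def compute_hashes(data: bytes) -> dict:
    """Return the four digests MalwareBazaar lists, hex-encoded."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def hash_mismatches(data: bytes, expected: dict = EXPECTED_HASHES) -> list:
    """Names of digests that differ from the entry (empty list means the file matches)."""
    actual = compute_hashes(data)
    return sorted(name for name, want in expected.items() if actual[name] != want.lower())


def is_elf(data: bytes) -> bool:
    """True when the buffer starts with the ELF magic and is long enough to carry e_type."""
    return len(data) >= 20 and data[:4] == ELF_MAGIC


def parse_elf_ident(data: bytes) -> dict:
    """Parse e_ident plus e_type/e_machine; raises so an HTML error page is never
    mistaken for the sample."""
    if not is_elf(data):
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in ELF_CLASS or ei_data not in ELF_DATA:
        raise ValueError("unknown ELF class/data encoding")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are the two 16-bit fields right after the 16-byte e_ident.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": ELF_CLASS[ei_class],
        "endian": ELF_DATA[ei_data],
        "type": ELF_TYPE.get(e_type, hex(e_type)),
        "machine": e_machine,  # 3 == EM_386, consistent with the x86_32 file name
    }


def check_sample(data: bytes) -> dict:
    """Run every check; 'ok' is True only when all of them agree with the entry."""
    mismatches = hash_mismatches(data)
    ident = parse_elf_ident(data)
    size_ok = len(data) == EXPECTED_SIZE
    type_ok = (ident["class"] == "ELF32" and ident["endian"] == "little"
               and ident["type"] == "EXEC")
    return {"hash_mismatches": mismatches, "size_ok": size_ok, "elf": ident,
            "ok": not mismatches and size_ok and type_ok}


# Constructed stand-in: a minimal ELF32, little-endian, EXEC header for EM_386.
# It is NOT the real sample, so hash_mismatches() is expected to report all four.
CONSTRUCTED_ELF32_HEADER = (
    ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 8   # e_ident: class=32-bit, data=LSB, version=1
    + struct.pack("<HHI", 2, 3, 1)                  # e_type=EXEC, e_machine=EM_386, e_version=1
    + b"\x00" * 32                                  # rest of the 52-byte header, zeroed
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_ELF32_HEADER
    print(check_sample(blob))
```

Run it with the downloaded file as the only argument; with no argument it runs on the constructed header, where only the header check is expected to succeed. Comparing all four digests rather than just SHA256 also catches a transcription error in a single hash copied from a report.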

Intelligence


File Origin
# of uploads: 1
# of downloads: 52
Origin country: DE

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Receives data from a server
Opens a port
Kills processes
Mounts file systems
Collects information on the network activity
Runs as daemon
Creating a file
Deletes a file
Unmounts file systems
Sends data to a server
Connection attempt
Writes files to system directory
Deletes a system binary file
Substitutes an application name

Verdict: Unknown
Threat level: 0/10
Confidence: 100%
Tags: anti-vm lolbin remote threat

Verdict: Malicious
File Type: elf.32.le
First seen: 2025-09-11T01:12:00Z UTC
Last seen: 2025-09-11T01:12:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph (process tree, summarised from the graph data):
- pid 3172 /usr/bin/sudo -> execve -> pid 3176 /tmp/sample.bin
- pid 3176 -> clone -> pid 3178 /tmp/sample.bin (delete-file, net, write-file, zombie); connects to 8.8.8.8:53
- pid 3178 -> clone -> pid 3184 and pid 3185 (/tmp/sample.bin)
- pid 3184 -> clone -> pid 3187 (net, send-data): sends 5300 B to 94.154.35.153:43212
- pid 3185 -> clone -> pid 3186 (delete-file) and pid 5238 (delete-file)
- pid 3186 -> clone -> pids 3198 to 3207 (ten further /tmp/sample.bin children)
- pid 5238 -> clone -> pids 5248 to 5257 (ten further /tmp/sample.bin children)
Result
Threat name: Gafgyt, Mirai
Detection: malicious
Classification: spre.troj.evad
Score: 96 / 100
Signature
Deletes system log files
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Writes identical ELF files to multiple locations
Yara detected Gafgyt
Yara detected Mirai
Behaviour
Behavior Graph (summarised from the graph data; ID 1775280, sample x86_32.urbotnetisass.elf, start date 11/09/2025, architecture LINUX, score 96):
- Network: 94.154.35.153:43212 (SELECTELRU, Ukraine); 109.202.202.202:80 (INIT7CH, Switzerland); 2 other IPs or domains
- Root-node signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Gafgyt; Yara detected Mirai
- Processes started: x86_32.urbotnetisass.elf; udisksd dumpe2fs (twice); 322 other processes
- Files dropped by the first child: /memfd:/usr/lib/librt.so.1 (deleted), ELF; /memfd:/usr/lib/libpthread.so.0 (deleted), ELF; /memfd:/usr/lib/libm.so.6 (deleted), ELF; 41 other malicious files; signature: Writes identical ELF files to multiple locations
- Deeper children: x86_32.urbotnetisass.elf re-executes itself repeatedly (several branches of 9 to 14 other processes each, one with 128 other processes); one grandchild reads /proc/mounts (often used for finding a writable filesystem) and deletes system log files; a further descendant tries to kill multiple processes (SIGKILL)

Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2025-09-11 03:49:30 UTC
File Type: ELF32 Little (Exe)
AV detection: 20 of 38 (52.63%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: credential_access defense_evasion discovery linux
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
Reads process memory
Deletes log files
Enumerates running processes
Writes file to system bin folder
Deletes system logs
Modifies Watchdog functionality
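The sandbox signatures above (reads /proc/mounts, kills multiple processes with SIGKILL, writes identical ELF files to multiple locations, deletes system log files) and the endpoints in the behaviour graphs can be re-derived from any trace that records file, process and socket activity, which is how an analyst checks a new variant against the same criteria. The Python below is an added example and is not any vendor's detection logic. The JSON-lines event format, the `SANDBOX_EVENTS` trace, the function names and the `SIGKILL_THRESHOLD` are the example's own constructions; only the two IP:port pairs in `C2_IOCS` are taken from this entry.

```python
"""Added example (not from the MalwareBazaar page or any sandbox vendor):
re-derive this entry's behavioural signatures from a JSON-lines event trace.
Event schema and SANDBOX_EVENTS are constructed for the example."""
import json
from collections import defaultdict

# Network IOCs taken from this entry's behaviour graphs: (ip, port).
C2_IOCS = {("94.154.35.153", 43212), ("109.202.202.202", 80)}
# Assumed threshold for "tries to kill multiple processes"; tune to your data.
SIGKILL_THRESHOLD = 3

# Constructed trace modelled on the behaviours the entry reports. Each line is
# one event: {"pid", "op", ...} with op in open/connect/kill/write/unlink.
SANDBOX_EVENTS = """\
{"pid": 3178, "op": "open", "path": "/proc/mounts", "flags": "O_RDONLY"}
{"pid": 3178, "op": "connect", "dst": "8.8.8.8", "port": 53}
{"pid": 3187, "op": "connect", "dst": "94.154.35.153", "port": 43212}
{"pid": 3186, "op": "kill", "target": 611, "signal": "SIGKILL"}
{"pid": 3186, "op": "kill", "target": 702, "signal": "SIGKILL"}
{"pid": 3186, "op": "kill", "target": 845, "signal": "SIGKILL"}
{"pid": 3186, "op": "kill", "target": 845, "signal": "SIGTERM"}
{"pid": 3178, "op": "write", "path": "/usr/bin/.x", "magic": "ELF", "sha256": "c0ffee"}
{"pid": 3178, "op": "write", "path": "/dev/shm/.x", "magic": "ELF", "sha256": "c0ffee"}
{"pid": 3178, "op": "write", "path": "/tmp/notes.txt", "magic": null, "sha256": "beef"}
{"pid": 3178, "op": "unlink", "path": "/var/log/wtmp"}
{"pid": 3178, "op": "unlink", "path": "/var/log/messages"}
{"pid": 3178, "op": "unlink", "path": "/tmp/sample.bin"}
"""


def parse_events(text: str) -> list:
    """One JSON object per non-empty line; malformed lines are skipped, not fatal,
    because a sandbox trace truncated mid-write should still be scorable."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def evaluate(events: list) -> dict:
    """Return {signature_name: evidence} for every rule that fires."""
    hits = {}

    # "Sample reads /proc/mounts (often used for finding a writable filesystem)"
    mounts = [e for e in events if e.get("op") == "open"
              and e.get("path") in ("/proc/mounts", "/proc/self/mounts")]
    if mounts:
        hits["reads_proc_mounts"] = sorted({e["path"] for e in mounts})

    # Outbound connection to an endpoint listed on this entry (8.8.8.8:53 is not one).
    c2 = [(e["dst"], e["port"]) for e in events
          if e.get("op") == "connect" and (e.get("dst"), e.get("port")) in C2_IOCS]
    if c2:
        hits["contacts_known_c2"] = sorted(set(c2))

    # "Sample tries to kill multiple processes (SIGKILL)": count distinct targets only.
    killed = {e["target"] for e in events
              if e.get("op") == "kill" and e.get("signal") == "SIGKILL"}
    if len(killed) >= SIGKILL_THRESHOLD:
        hits["mass_sigkill"] = sorted(killed)

    # "Writes identical ELF files to multiple locations": same content hash, 2+ paths.
    by_hash = defaultdict(set)
    for e in events:
        if e.get("op") == "write" and e.get("magic") == "ELF" and e.get("sha256"):
            by_hash[e["sha256"]].add(e["path"])
    dup = {h: sorted(p) for h, p in by_hash.items() if len(p) >= 2}
    if dup:
        hits["identical_elf_multiple_locations"] = dup

    # "Deletes system log files": unlink under /var/log only; /tmp self-deletion is not it.
    logs = sorted({e["path"] for e in events
                   if e.get("op") == "unlink" and e.get("path", "").startswith("/var/log/")})
    if logs:
        hits["deletes_system_logs"] = logs

    return hits


def triggered(text: str = SANDBOX_EVENTS) -> set:
    """Names of the signatures that fire on a trace."""
    return set(evaluate(parse_events(text)))


if __name__ == "__main__":
    for name, evidence in evaluate(parse_events(SANDBOX_EVENTS)).items():
        print(f"{name}: {evidence}")
```

The rules deliberately key on behaviour rather than on the file name or hash, so a repacked build of the same bot family with a fresh SHA256 still trips them; the C2 list is the only part that needs refreshing per sample.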

Verdict: Malicious
Tags: trojan gafgyt mirai Unix.Trojan.Mirai-7755770-0
YARA: Linux_Trojan_Gafgyt_5bf62ce4 Linux_Trojan_Mirai_5f7b67b8 Linux_Trojan_Mirai_389ee3e9 Linux_Trojan_Mirai_cc93863b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202503_elf_Mirai
Author: abuse.ch
Description: Detects Mirai 'TSource' ELF files

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: enterpriseapps2
Author: Tim Brown @timb_machine
Description: Enterprise apps

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: Linux_Trojan_Gafgyt_5bf62ce4
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_389ee3e9
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_5f7b67b8
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_cc93863b
Author: Elastic Security

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mirai
Sample: elf 4257f0992f19704aa44249881566901db0943a83f90c7ae563777473a7017b25 (this sample)

Comments