MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43aa65b2a3d9971e9f26b5f04242ee83629eb141b4fbd41e7929c1ddea4d35d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

SHA256 hash: 43aa65b2a3d9971e9f26b5f04242ee83629eb141b4fbd41e7929c1ddea4d35d6
SHA3-384 hash: e151e9b2b3ecf1145464bfe39adb507ee7b162fc14800e928afe2658beaf0c1116141cc981722e5c4d95c71d655b94e7
SHA1 hash: 8b01436a2259356be32ee296f23ace00b4765d32
MD5 hash: b5075652fb5b9037e446ac7abe7e1d33
humanhash: sodium-monkey-michigan-arizona
File name: nabppc
Signature: Mirai
File size: 58'860 bytes
First seen: 2026-01-28 12:03:52 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 1536:PxKstRro7TyarGWbzU4FsQ4vtDq4cDTCXn:PxKsUrhxFsB1Xn
TLSH: T1C3435C41B3190983E1675DF43D3B2BD0839EA6D112F5F349760FAF4A91B2E324582EAD
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence

File Origin
# of uploads: 1
# of downloads: 98
Origin country: DE

Vendor Threat Intelligence

No detections

Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt
Kills processes
Sends data to a server
Creating a process from a recently created file
Receives data from a server
Creating a file
Runs as daemon
Deletes a file
Opens a port
DNS request
Deleting of the original file
Performs a bruteforce attack in the network

Verdict: Unknown
Threat level: 0/10
Confidence: 100%
Tags: mirai

Result
Gathering data
Status: terminated
Behavior Graph: (interactive graph not reproduced; it shows /usr/bin/sudo, pid 3593, starting /tmp/sample.bin, pid 3597, via execve)
Result
Threat name: n/a
Detection: malicious
Classification: spre.troj.evad
Score: 76 / 100

Signature
Connects to many IPs within the same subnet mask (likely port scanning)
Drops invisible ELF files
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Sends malformed DNS queries
Behaviour
Behavior Graph: (interactive graph not reproduced; the details recoverable from it are listed below)
Behavior Graph ID: 1858943
Sample: nabppc.elf
Startdate: 28/01/2026
Architecture: LINUX
Score: 76
Sample process name: .systemd-resolved (started from nabppc.elf)
Network: slursontel.ru. [malformed], slursbeback.ru. [malformed], 103 other IPs or domains
Dropped files: /dev/shm/.systemd-resolved (ELF), /var/log/wtmp (data)
Signatures shown in the graph: Multi AV Scanner detection for submitted file; Connects to many IPs within the same subnet mask (likely port scanning); Sends malformed DNS queries; Drops invisible ELF files; Sample deletes itself; Sample reads /proc/mounts (often used for finding a writable filesystem); Reads system files that contain records of logged in users; Sample tries to kill multiple processes (SIGKILL)
Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2026-01-28 12:04:34 UTC
File Type: ELF32 Big (Exe)
AV detection: 9 of 36 (25.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: linux
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: Mirai
File type: elf
SHA256: 43aa65b2a3d9971e9f26b5f04242ee83629eb141b4fbd41e7929c1ddea4d35d6 (this sample)
Delivery method: Distributed via web download
