MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 456eae96757d36fcc6ae79c6639a68f29648cfacfa8e3d0e1a007f666ad8d28e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 456eae96757d36fcc6ae79c6639a68f29648cfacfa8e3d0e1a007f666ad8d28e
SHA3-384 hash: 2ce901e899ba277cba436d2d8e56e225f4406464ca4635aabade982a67a029bd78b7290b8a882086603e4e770bcbff48
SHA1 hash: 92671e31adf55563f7929ed455fcde27c9f6d4e5
MD5 hash: 6b3584d12b899c20abed1f012fd4f60c
humanhash: speaker-purple-wyoming-victor
File name:powerpc.kok
Download: download sample
Signature Mirai
Create hunting rule
File size:99'636 bytes
First seen:2026-01-05 06:43:04 UTC
Last seen:2026-01-06 05:06:12 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:hnrVWCd6x+4hs9IaK0kR0QSXwqj4fARuKydCRg3y+9Zux6:hI64tt0QNURpyj36x6
TLSH T128A36C02B70C0A43E1736DB47F3F27D1D3DAAAD122F4A648251ABB49D0B2A325546FDD
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.30455.LC.BadVar.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-10001386-0
Create hunting rule

Unix.Trojan.Mirai-10010127-0
Create hunting rule

Unix.Trojan.Mirai-10017351-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade mirai
Link:
https://www.filescan.io/uploads/695b5d8265e07687fdf3e935/reports/82b84fa6-e66e-4793-ab1b-f41abd94bc1b/overview
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2026-01-05T05:43:00Z UTC
Last seen:
2026-01-05T15:35:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/456eae96757d36fcc6ae79c6639a68f29648cfacfa8e3d0e1a007f666ad8d28e/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/e6adf78c-78df-4e74-8289-9059479caac6
Behavior Graph:
Download SVG
%3 guuid=759c78a6-3100-0000-1fb6-59f4a0030000 pid=928 /usr/bin/sudo guuid=b47d93a8-3100-0000-1fb6-59f4a1030000 pid=929 /tmp/sample.bin guuid=759c78a6-3100-0000-1fb6-59f4a0030000 pid=928->guuid=b47d93a8-3100-0000-1fb6-59f4a1030000 pid=929 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b635cf1e-8d92-431d-801b-7ee181f125b0
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1844714
Signature
Drops files in suspicious directories
Drops invisible ELF files
Executes the "crontab" command typically for achieving persistence
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Terminates several processes with shell command 'killall'
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1844714 Sample: powerpc.kok.elf Startdate: 05/01/2026 Architecture: LINUX Score: 100 94 Multi AV Scanner detection for submitted file 2->94 10 powerpc.kok.elf 2->10         started        13 dash rm 2->13         started        15 dash rm 2->15         started        process3 signatures4 104 Sample tries to kill multiple processes (SIGKILL) 10->104 106 Sample reads /proc/mounts (often used for finding a writable filesystem) 10->106 17 powerpc.kok.elf 10->17         started        process5 file6 76 /var/spool/cron/root, ASCII 17->76 dropped 78 /var/spool/cron/crontabs/root, ASCII 17->78 dropped 80 /root/.bashrc, ASCII 17->80 dropped 82 11 other files (10 malicious) 17->82 dropped 96 Sample tries to set files in /etc globally writable 17->96 98 Sample tries to persist itself using /etc/profile 17->98 100 Drops files in suspicious directories 17->100 102 4 other signatures 17->102 21 powerpc.kok.elf sh 17->21         started        23 powerpc.kok.elf sh 17->23         started        25 powerpc.kok.elf sh 17->25         started        27 78 other processes 17->27 signatures7 process8 process9 29 sh cp 21->29         started        33 sh crontab 23->33         started        35 sh 23->35         started        37 sh cp 25->37         started        39 sh cp 27->39         started        41 sh cp 27->41         started        43 sh rm 27->43         started        45 77 other processes 27->45 file10 84 /usr/bin/.update, ELF 29->84 dropped 108 Writes identical ELF files to multiple locations 29->108 110 Drops invisible ELF files 29->110 112 Drops files in suspicious directories 29->112 86 /var/spool/cron/crontabs/tmp.FzVCeq, ASCII 33->86 dropped 114 Sample tries to persist itself using cron 33->114 116 Executes the "crontab" command typically for achieving persistence 33->116 47 sh crontab 35->47         started        88 /boot/.update, ELF 37->88 dropped 90 /var/jbx/shared/.update, ELF 39->90 dropped 92 /var/log/.update, ELF 41->92 dropped 118 Sample deletes itself 43->118 120 Sample tries to kill multiple processes (SIGKILL) 45->120 122 Terminates several processes with shell command 'killall' 45->122 50 S99backup0 45->50         started        52 S99backup1 45->52         started        54 S99backup2 45->54         started        56 6 other processes 45->56 signatures11 process12 signatures13 124 Executes the "crontab" command typically for achieving persistence 47->124 58 S99backup0 .update 50->58         started        68 5 other processes 50->68 60 S99backup1 .update 52->60         started        70 5 other processes 52->70 62 S99backup2 .update 54->62         started        72 5 other processes 54->72 64 S99network .update 56->64         started        66 .monitor .update 56->66         started        74 10 other processes 56->74 process14
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/456eae96757d36fcc6ae79c6639a68f29648cfacfa8e3d0e1a007f666ad8d28e
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/456eae96757d36fcc6ae79c6639a68f29648cfacfa8e3d0e1a007f666ad8d28e/
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-05 06:43:15 UTC
File Type:
ELF32 Big (Exe)
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ivxk5ftvpu3pzrvophdghgti6klert5m7khd2dq2ab7wm2wy2kha._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/260105-hg7s5asnet/
Verdict:
Malicious
Tags:
Unix.Trojan.Mirai-10001386-0
YARA:
n/a
Link:
https://app.threat.zone/submission/7b94287a-59f2-4835-a4be-df359841eb4a
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/456eae96757d36fcc6ae79c6639a68f29648cfacfa8e3d0e1a007f666ad8d28e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202503_elf_Mirai
Create hunting rule
Author:abuse.ch
Description:Detects Mirai 'TSource' ELF files
Rule name:ELF_IoT_Persistence_Hunt
Create hunting rule
Author:4r4
Description:Hunts for ELF files with persistence and download capabilities
Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 456eae96757d36fcc6ae79c6639a68f29648cfacfa8e3d0e1a007f666ad8d28e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3749713/
  
Delivery method
Distributed via web download

Comments