MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46cfad24a61fd8087b5c28c438e8cee7b42f0bfeb471d55e0a5d3e2f14b070cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 17 File information Comments

SHA256 hash: 46cfad24a61fd8087b5c28c438e8cee7b42f0bfeb471d55e0a5d3e2f14b070cb
SHA3-384 hash: 0bdc35c830927582d9fe9555fa7553278674f91f6a530f7dd2a9ca20aeaa13b642fe4d2610d17e1cafa579769c905e14
SHA1 hash: 8e42add60dc5432f58533c31b1e0b119289077a1
MD5 hash: 6567ef574c33a879033a082fa3ba9bf3
humanhash: jersey-delta-cardinal-happy
File name:kworkerd
Download: download sample
Signature Mirai
File size:294'152 bytes
First seen:2026-07-11 15:04:34 UTC
Last seen:2026-07-12 09:32:44 UTC
File type: elf
MIME type:application/x-executable
ssdeep 6144:GcViMFwCX6C6HmpnwLc3g+bmbTRYqxyPXTqQlz78:GLMFX6xmpnwLc3sTRmqQlH8
TLSH T1E9544B03658095B6C483E0B6CBDFA2235A61783D5C3A724A27E0BF667F56DF05B19B03
telfhash t17ba1ec3419d2314072e396817346c72a9d390c18d3ee7ae6abd2fcf9eccb5c58c61866
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence


File Origin
# of uploads :
2
# of downloads :
63
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Manages services
Runs as daemon
Opens a port
Creating a file
Sets a written file as executable
Creating a file in the %temp% directory
Collects information on the CPU
Connection attempt
Receives data from a server
Changes access rights for a written file
Kills processes
Changes the time when the file was created, accessed, or modified
Deleting a recently created file
Sends data to a server
Creates or modifies files in /cron to set up autorun
Writes files to system directory
Substitutes an application name
Creates or modifies files to set up autorun
Deleting of the original file
Creates or modifies files in /init.d to set up autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 bashlite dropper gcc mirai
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
0
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2026-07-11T03:24:00Z UTC
Last seen:
2026-07-12T00:40:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
%3 guuid=14107151-1900-0000-c27b-7dbd2e140000 pid=5166 /usr/bin/sudo guuid=d3653955-1900-0000-c27b-7dbd2f140000 pid=5167 /tmp/sample.bin guuid=14107151-1900-0000-c27b-7dbd2e140000 pid=5166->guuid=d3653955-1900-0000-c27b-7dbd2f140000 pid=5167 execve guuid=42d00e56-1900-0000-c27b-7dbd30140000 pid=5168 /tmp/sample.bin zombie guuid=d3653955-1900-0000-c27b-7dbd2f140000 pid=5167->guuid=42d00e56-1900-0000-c27b-7dbd30140000 pid=5168 clone guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169 /tmp/sample.bin delete-file net send-data write-config write-file zombie guuid=42d00e56-1900-0000-c27b-7dbd30140000 pid=5168->guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169 clone ffee5cfb-bb94-52c2-8935-ae3a87e774db 127.0.0.1:42780 guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->ffee5cfb-bb94-52c2-8935-ae3a87e774db con 82b03cd2-8196-5a85-bbf6-6eae5f31c4aa 91.92.40.118:443 guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->82b03cd2-8196-5a85-bbf6-6eae5f31c4aa send: 249B guuid=363f6756-1900-0000-c27b-7dbd32140000 pid=5170 /tmp/sample.bin guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=363f6756-1900-0000-c27b-7dbd32140000 pid=5170 clone guuid=7e3ec756-1900-0000-c27b-7dbd34140000 pid=5172 /usr/bin/dash guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=7e3ec756-1900-0000-c27b-7dbd34140000 pid=5172 execve guuid=12c08aa9-1900-0000-c27b-7dbd4a140000 pid=5194 /usr/bin/dash guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=12c08aa9-1900-0000-c27b-7dbd4a140000 pid=5194 execve guuid=a77389ec-1900-0000-c27b-7dbd6c140000 pid=5228 /usr/bin/dash guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=a77389ec-1900-0000-c27b-7dbd6c140000 pid=5228 execve guuid=f1f17103-1a00-0000-c27b-7dbd6e140000 pid=5230 /usr/bin/dash guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=f1f17103-1a00-0000-c27b-7dbd6e140000 pid=5230 execve guuid=5c2e8604-1a00-0000-c27b-7dbd71140000 pid=5233 /usr/bin/dash guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=5c2e8604-1a00-0000-c27b-7dbd71140000 pid=5233 execve guuid=b726be0a-1a00-0000-c27b-7dbd76140000 pid=5238 /usr/bin/dash guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=b726be0a-1a00-0000-c27b-7dbd76140000 pid=5238 execve guuid=34215f0c-1a00-0000-c27b-7dbd79140000 pid=5241 /usr/bin/dash guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=34215f0c-1a00-0000-c27b-7dbd79140000 pid=5241 execve guuid=e4126b0e-1a00-0000-c27b-7dbd7c140000 pid=5244 /usr/bin/dash guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=e4126b0e-1a00-0000-c27b-7dbd7c140000 pid=5244 execve guuid=d5dcc80f-1a00-0000-c27b-7dbd7f140000 pid=5247 /usr/bin/dash guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=d5dcc80f-1a00-0000-c27b-7dbd7f140000 pid=5247 execve guuid=4bbe1c11-1a00-0000-c27b-7dbd82140000 pid=5250 /usr/bin/dash guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=4bbe1c11-1a00-0000-c27b-7dbd82140000 pid=5250 execve guuid=0be9bd12-1a00-0000-c27b-7dbd85140000 pid=5253 /usr/bin/dash guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=0be9bd12-1a00-0000-c27b-7dbd85140000 pid=5253 execve guuid=6a9ee214-1a00-0000-c27b-7dbd88140000 pid=5256 /usr/bin/dash guuid=95fd1c56-1900-0000-c27b-7dbd31140000 pid=5169->guuid=6a9ee214-1a00-0000-c27b-7dbd88140000 pid=5256 execve guuid=eb8d6e56-1900-0000-c27b-7dbd33140000 pid=5171 /tmp/sample.bin guuid=363f6756-1900-0000-c27b-7dbd32140000 pid=5170->guuid=eb8d6e56-1900-0000-c27b-7dbd33140000 pid=5171 clone guuid=e6b05817-1a00-0000-c27b-7dbd8b140000 pid=5259 /tmp/sample.bin guuid=363f6756-1900-0000-c27b-7dbd32140000 pid=5170->guuid=e6b05817-1a00-0000-c27b-7dbd8b140000 pid=5259 clone guuid=1009411b-1a00-0000-c27b-7dbd8c140000 pid=5260 /tmp/sample.bin guuid=363f6756-1900-0000-c27b-7dbd32140000 pid=5170->guuid=1009411b-1a00-0000-c27b-7dbd8c140000 pid=5260 clone guuid=bee88757-1900-0000-c27b-7dbd35140000 pid=5173 /usr/bin/systemctl guuid=7e3ec756-1900-0000-c27b-7dbd34140000 pid=5172->guuid=bee88757-1900-0000-c27b-7dbd35140000 pid=5173 execve guuid=efc4d2a9-1900-0000-c27b-7dbd4b140000 pid=5195 /usr/bin/systemctl guuid=12c08aa9-1900-0000-c27b-7dbd4a140000 pid=5194->guuid=efc4d2a9-1900-0000-c27b-7dbd4b140000 pid=5195 execve guuid=a2f970e2-1900-0000-c27b-7dbd62140000 pid=5218 /usr/bin/dash guuid=60c54aea-1900-0000-c27b-7dbd68140000 pid=5224 /tmp/.k guuid=a2f970e2-1900-0000-c27b-7dbd62140000 pid=5218->guuid=60c54aea-1900-0000-c27b-7dbd68140000 pid=5224 execve guuid=d501e1ea-1900-0000-c27b-7dbd69140000 pid=5225 /tmp/.k zombie guuid=60c54aea-1900-0000-c27b-7dbd68140000 pid=5224->guuid=d501e1ea-1900-0000-c27b-7dbd69140000 pid=5225 clone guuid=0289f0ea-1900-0000-c27b-7dbd6a140000 pid=5226 /tmp/.k net send-data write-file zombie guuid=d501e1ea-1900-0000-c27b-7dbd69140000 pid=5225->guuid=0289f0ea-1900-0000-c27b-7dbd6a140000 pid=5226 clone guuid=0289f0ea-1900-0000-c27b-7dbd6a140000 pid=5226->ffee5cfb-bb94-52c2-8935-ae3a87e774db send: 15B guuid=9a82afec-1900-0000-c27b-7dbd6d140000 pid=5229 /usr/bin/dash guuid=a77389ec-1900-0000-c27b-7dbd6c140000 pid=5228->guuid=9a82afec-1900-0000-c27b-7dbd6d140000 pid=5229 clone guuid=b482f203-1a00-0000-c27b-7dbd70140000 pid=5232 /usr/bin/dash guuid=f1f17103-1a00-0000-c27b-7dbd6e140000 pid=5230->guuid=b482f203-1a00-0000-c27b-7dbd70140000 pid=5232 clone guuid=a64ef104-1a00-0000-c27b-7dbd72140000 pid=5234 /usr/sbin/update-rc.d guuid=5c2e8604-1a00-0000-c27b-7dbd71140000 pid=5233->guuid=a64ef104-1a00-0000-c27b-7dbd72140000 pid=5234 execve guuid=5d7c740b-1a00-0000-c27b-7dbd77140000 pid=5239 /usr/bin/cp guuid=b726be0a-1a00-0000-c27b-7dbd76140000 pid=5238->guuid=5d7c740b-1a00-0000-c27b-7dbd77140000 pid=5239 execve guuid=ea66f80b-1a00-0000-c27b-7dbd78140000 pid=5240 /usr/bin/chmod guuid=b726be0a-1a00-0000-c27b-7dbd76140000 pid=5238->guuid=ea66f80b-1a00-0000-c27b-7dbd78140000 pid=5240 execve guuid=d3cca90c-1a00-0000-c27b-7dbd7a140000 pid=5242 /usr/bin/cp guuid=34215f0c-1a00-0000-c27b-7dbd79140000 pid=5241->guuid=d3cca90c-1a00-0000-c27b-7dbd7a140000 pid=5242 execve guuid=3244f80d-1a00-0000-c27b-7dbd7b140000 pid=5243 /usr/bin/chmod guuid=34215f0c-1a00-0000-c27b-7dbd79140000 pid=5241->guuid=3244f80d-1a00-0000-c27b-7dbd7b140000 pid=5243 execve guuid=bf42cf0e-1a00-0000-c27b-7dbd7d140000 pid=5245 /usr/bin/cp guuid=e4126b0e-1a00-0000-c27b-7dbd7c140000 pid=5244->guuid=bf42cf0e-1a00-0000-c27b-7dbd7d140000 pid=5245 execve guuid=78945e0f-1a00-0000-c27b-7dbd7e140000 pid=5246 /usr/bin/chmod guuid=e4126b0e-1a00-0000-c27b-7dbd7c140000 pid=5244->guuid=78945e0f-1a00-0000-c27b-7dbd7e140000 pid=5246 execve guuid=747f3310-1a00-0000-c27b-7dbd80140000 pid=5248 /usr/bin/cp guuid=d5dcc80f-1a00-0000-c27b-7dbd7f140000 pid=5247->guuid=747f3310-1a00-0000-c27b-7dbd80140000 pid=5248 execve guuid=8441bc10-1a00-0000-c27b-7dbd81140000 pid=5249 /usr/bin/chmod guuid=d5dcc80f-1a00-0000-c27b-7dbd7f140000 pid=5247->guuid=8441bc10-1a00-0000-c27b-7dbd81140000 pid=5249 execve guuid=6adc7d11-1a00-0000-c27b-7dbd83140000 pid=5251 /usr/bin/cp guuid=4bbe1c11-1a00-0000-c27b-7dbd82140000 pid=5250->guuid=6adc7d11-1a00-0000-c27b-7dbd83140000 pid=5251 execve guuid=ba925312-1a00-0000-c27b-7dbd84140000 pid=5252 /usr/bin/chmod guuid=4bbe1c11-1a00-0000-c27b-7dbd82140000 pid=5250->guuid=ba925312-1a00-0000-c27b-7dbd84140000 pid=5252 execve guuid=36003513-1a00-0000-c27b-7dbd86140000 pid=5254 /usr/bin/cp guuid=0be9bd12-1a00-0000-c27b-7dbd85140000 pid=5253->guuid=36003513-1a00-0000-c27b-7dbd86140000 pid=5254 execve guuid=b58e7614-1a00-0000-c27b-7dbd87140000 pid=5255 /usr/bin/chmod guuid=0be9bd12-1a00-0000-c27b-7dbd85140000 pid=5253->guuid=b58e7614-1a00-0000-c27b-7dbd87140000 pid=5255 execve guuid=e4765815-1a00-0000-c27b-7dbd89140000 pid=5257 /usr/bin/cp write-file guuid=6a9ee214-1a00-0000-c27b-7dbd88140000 pid=5256->guuid=e4765815-1a00-0000-c27b-7dbd89140000 pid=5257 execve guuid=592dea16-1a00-0000-c27b-7dbd8a140000 pid=5258 /usr/bin/chmod guuid=6a9ee214-1a00-0000-c27b-7dbd88140000 pid=5256->guuid=592dea16-1a00-0000-c27b-7dbd8a140000 pid=5258 execve guuid=fb18a61b-1a00-0000-c27b-7dbd8d140000 pid=5261 /tmp/sample.bin guuid=1009411b-1a00-0000-c27b-7dbd8c140000 pid=5260->guuid=fb18a61b-1a00-0000-c27b-7dbd8d140000 pid=5261 clone
Result
Threat name:
Mirai, Xmrig
Detection:
malicious
Classification:
spre.troj.spyw.evad.mine
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops files in suspicious directories
Drops invisible ELF files
Executes itself again with its parent PID as an argument (indicative of hampering debugging)
Executes the "crontab" command typically for achieving persistence
Found strings related to Crypto-Mining
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to set files in /etc globally writable
Writes identical ELF files to multiple locations
Yara detected Mirai
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1941009 Sample: kworkerd.elf Startdate: 11/07/2026 Architecture: LINUX Score: 100 114 91.92.40.118, 443, 44468, 44470 TODYL-CLOUD-TodylIncUS Bulgaria 2->114 116 109.202.202.202, 80 INIT7CH Switzerland 2->116 118 4 other IPs or domains 2->118 122 Malicious sample detected (through community Yara rule) 2->122 124 Antivirus detection for dropped file 2->124 126 Antivirus / Scanner detection for submitted sample 2->126 128 3 other signatures 2->128 11 kworkerd.elf 2->11         started        14 systemd sh 2->14         started        16 systemd accounts-daemon 2->16         started        18 20 other processes 2->18 signatures3 process4 signatures5 154 Found strings related to Crypto-Mining 11->154 20 kworkerd.elf 11->20         started        22 sh sh 14->22         started        24 sh wget 14->24         started        27 sh rm 14->27         started        156 Reads system files that contain records of logged in users 16->156 29 accounts-daemon language-validate 16->29         started        158 Sample reads /proc/mounts (often used for finding a writable filesystem) 18->158 31 gnome-shell ibus-daemon 18->31         started        33 sh xkbcomp 18->33         started        process6 file7 35 kworkerd.elf 20->35         started        39 sh wget 22->39         started        41 sh .k 22->41         started        43 sh chmod 22->43         started        112 /tmp/..redis-sentinel, POSIX 24->112 dropped 45 language-validate language-options 29->45         started        47 ibus-daemon 31->47         started        49 ibus-daemon ibus-memconf 31->49         started        51 ibus-daemon ibus-engine-simple 31->51         started        process8 file9 90 /etc/profile.d/red...aof-rewrite-dv04.sh, ASCII 35->90 dropped 92 /etc/init.d/redis-...ck aof-rewrite-sq7y, POSIX 35->92 dropped 130 Sample tries to set files in /etc globally writable 35->130 132 Opens /sys/class/net/* files useful for querying network interface information 35->132 134 Sample tries to persist itself using /etc/profile 35->134 140 2 other signatures 35->140 53 kworkerd.elf sh 35->53         started        55 kworkerd.elf sh 35->55         started        57 kworkerd.elf sh 35->57         started        65 10 other processes 35->65 94 /tmp/.k, ELF 39->94 dropped 136 Writes identical ELF files to multiple locations 39->136 138 Drops invisible ELF files 39->138 59 .k 41->59         started        61 language-options sh 45->61         started        63 ibus-daemon ibus-x11 47->63         started        signatures10 process11 signatures12 68 sh cp 53->68         started        72 sh chmod 53->72         started        74 sh cp 55->74         started        76 sh chmod 55->76         started        82 2 other processes 57->82 78 .k 59->78         started        84 2 other processes 61->84 120 Executes itself again with its parent PID as an argument (indicative of hampering debugging) 65->120 80 sh crontab 65->80         started        86 15 other processes 65->86 process13 file14 96 /usr/bin/redis-ser...ck aof-rewrite-boaw, ELF 68->96 dropped 142 Writes identical ELF files to multiple locations 68->142 144 Drops files in suspicious directories 68->144 98 /usr/sbin/redis-se...ck aof-rewrite-hxkm, ELF 74->98 dropped 100 /var/spool/cron/crontabs/tmp.lMfbrg, ASCII 80->100 dropped 146 Sample tries to persist itself using cron 80->146 148 Executes the "crontab" command typically for achieving persistence 80->148 102 /tmp/.redis-server...ck aof-rewrite-d4tx, ELF 82->102 dropped 104 /var/redis-server ...ck aof-rewrite-9lad, ELF 86->104 dropped 106 /usr/lib/redis-ser...ck aof-rewrite-hamb, ELF 86->106 dropped 108 /usr/lib/redis-ser...ck aof-rewrite-cqdb, ELF 86->108 dropped 110 /dev/shm/.redis-se...ck aof-rewrite-089n, ELF 86->110 dropped 150 Sample tries to kill multiple processes (SIGKILL) 86->150 152 Drops invisible ELF files 86->152 88 kworkerd.elf 86->88         started        signatures15 process16
Threat name:
Linux.Worm.Mirai
Status:
Malicious
First seen:
2026-07-11 08:16:09 UTC
File Type:
ELF64 Little (Exe)
AV detection:
14 of 36 (38.89%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm credential_access defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to shm directory
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Modifies Bash startup script
Reads process memory
Creates/modifies Cron job
Creates/modifies environment variables
Enumerates active TCP sockets
Enumerates running processes
Modifies init.d
Modifies systemd
Reads MAC address of network interface
Write file to user bin folder
File and Directory Permissions Modification
Deletes itself
Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Mirai
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:ELF_Toriilike_persist
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:enterpriseapps2
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_0cd591cd
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_33b4111a
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_620087b9
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_807911a2
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_9e9530a7
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_a33a8363
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d0c57a2e
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d4227dbf
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d996d335
Author:Elastic Security
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 46cfad24a61fd8087b5c28c438e8cee7b42f0bfeb471d55e0a5d3e2f14b070cb

(this sample)

  
Delivery method
Distributed via web download

Comments