MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b41223ca64ab6ef4b3b9c9d4257902a32f9fa8cdf4d9f6261b24b8dee81d233. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mozi


Vendor detections: 6



SHA256 hash: 4b41223ca64ab6ef4b3b9c9d4257902a32f9fa8cdf4d9f6261b24b8dee81d233
SHA3-384 hash: 747fcb645710fb50593c27dbb2dadde9811a0ca5ed6cd1cb232eb61ab0bc55b83f973f99cb1157715b416a674f89589b
SHA1 hash: 8b72f28a72f46752dc44b6af73a40d4fce2784ea
MD5 hash: 16cb4b59e16767a4435ab40820474b76
humanhash: october-thirteen-spring-nine
File name: Mozi.m
Signature: Mozi
File size: 307'960 bytes
First seen: 2021-06-15 08:04:45 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 6144:p3lOYoaja8xzx/0wsxzSin5wKSDP99zBa77oNsKqqfPqOJ:p1CG/jsxzXnDSDP99zBa/HKqoPqOJ
TLSH: D464D08AFE01AF25E9C026BAFE5F034973634B6CD3DBB111E620972936CA55B4F76044
Reporter: tolisec
Tags: mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 121
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Uses P2P?: true
Uses anti-vm?: false
Architecture: mips
Packer: not-packed
Botnet: 61.3.151.45:37195
Number of open files: 375
Number of processes launched: 29
Processes remaining?: true
Remote TCP ports scanned: 8080,52869,49152,80,7574,5555,8081,8181,81,60001,8443,37215,2323,23
Behaviour
Process Renaming
Firewall Changes
Information Gathering
Botnet C2s
TCP botnet C2(s):
Result
Verdict: MALICIOUS
Threat name: Linux.Trojan.Skeeyah
Status: Malicious
First seen: 2021-06-15 08:05:15 UTC
AV detection: 18 of 46 (39.13%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: linux
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mozi
File type: elf
SHA256 hash: 4b41223ca64ab6ef4b3b9c9d4257902a32f9fa8cdf4d9f6261b24b8dee81d233 (this sample)
