MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e678b50f6e15a144a2694f72484193331823aa8b00abd698a9c5d7114e6ad5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 10

SHA256 hash: 4e678b50f6e15a144a2694f72484193331823aa8b00abd698a9c5d7114e6ad5f
SHA3-384 hash: 2fbe0c66ad490606cb5673a35db227d4466d5b04d9b50e96f5f7f8642132290bf359b883550daff18e1dc20c3a60ac4e
SHA1 hash: 4a6e0ae10b46afc2358c4589e4d179bdb43caa0b
MD5 hash: 6b29b9cf319828a24d9133ba56179e34
humanhash: papa-maryland-freddie-edward
File name: mirai.x86
Signature: Mirai
File size: 125'384 bytes
First seen: 2025-12-28 09:31:00 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 3072:cq1aLtYCX1jMmlUXjHG58H+ZfFbjiuwIYDXEUvh4pV9gpKeyYf3:B1amCFwmGjHBkIIlU6xgryYf3
TLSH: T1C3C36BC1EA43D5F2F85211B5103BA7728B73D0362529EA56D3A92D36EC12F60C61B3AD
telfhash: t1665127fdb6ba0ce9a7909802d24d57617d4ebbbb247036b705f35870327aa4141bbc39
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 54
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: gafgyt masquerade mirai
Result
Verdict: Malicious
File Type: Elf
First seen: 2025-12-28T05:08:00Z UTC
Last seen: 2025-12-28T05:08:00Z UTC
Hits: ~10
Status: terminated
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops files in suspicious directories
Drops invisible ELF files
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample deletes itself
Yara detected Mirai
Result
Threat name: Linux.Backdoor.Mirai
Status: Malicious
First seen: 2025-12-28 09:31:16 UTC
File Type: ELF32 Little (Exe)
AV detection: 14 of 36 (38.89%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery linux persistence privilege_escalation
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
Enumerates active TCP sockets
Enumerates running processes
Modifies systemd
Write file to user bin folder
Deletes itself
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202503_elf_Mirai
Author: abuse.ch
Description: Detects Mirai 'TSource' ELF files

Rule name: ELF_IoT_Persistence_Hunt
Author: 4r4
Description: Hunts for ELF files with persistence and download capabilities

Rule name: ELF_Toriilike_persist
Author: 4r4
Description: Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference: Identified via researched data

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: Linux_Mirai_Generic
Author: albertzsigovits
Description: Generic Approach to Mirai/Gafgyt samples

Rule name: Linux_Trojan_Gafgyt_5bf62ce4
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_389ee3e9
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_5f7b67b8
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_cc93863b
Author: Elastic Security

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Mirai
elf 4e678b50f6e15a144a2694f72484193331823aa8b00abd698a9c5d7114e6ad5f (this sample)

Delivery method: Distributed via web download

Comments