MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fb0b2a3175d1dc6d7892b0a97fef6500ac9aed5c2f11b90a805b2b6a6ba5059. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fb0b2a3175d1dc6d7892b0a97fef6500ac9aed5c2f11b90a805b2b6a6ba5059
SHA3-384 hash: e6ee8072765874e6f464033e2d62ad0a24a1f41fa159ed26a149452336fa4549d21be57108e1db647e98555aec7abd1f
SHA1 hash: 87fafa8eeec9fe88acecc956a3c4faff922083b3
MD5 hash: f716e7b270c57a17584acc91b96f19a3
humanhash: magazine-pizza-ack-romeo
File name:mips-20230706-2123
Download: download sample
Signature Mirai
Create hunting rule
File size:119'321 bytes
First seen:2023-07-06 21:23:46 UTC
Last seen:2023-07-07 11:43:09 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:1TFHl7FYw3jY3j7gjLmrSnP+heMWf6ye028UUS3B5Oln4jId4:19cq+heMWS6bvS3B5OR4jId4
TLSH T1B1C3B68A6E227FBEF6DDD77087F3DA3056D6659227928280E1DCDD400E253CD281E768
telfhash t14c21218124f689195f9699389cfc56b34a41621732052fb49d3985dc583b0a1e73dc8a
Reporter elfdigest
Tags:gafgyt mirai

Intelligence

File Origin
# of uploads :
31
# of downloads :
84
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Mirai-69.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Mirai-78.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.29523.LC.UNOFFICIAL
Create hunting rule

Unix.Dropper.Mirai-7355719-0
Create hunting rule

Unix.Dropper.Mirai-9977145-0
Create hunting rule

Unix.Trojan.Mirai-5607483-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug lolbin mirai remote
Link:
https://www.filescan.io/uploads/64a730f489e309292a8ae227/reports/b4653565-6e65-4a5b-91be-25036a9ae746/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
mips
Packer:
not packed
Botnet:
5.181.80.102
Number of open files:
14
Number of processes launched:
77
Processes remaning?
true
Remote TCP ports scanned:
37215,5555
Full report:
https://elfdigest.com/brief/4fb0b2a3175d1dc6d7892b0a97fef6500ac9aed5c2f11b90a805b2b6a6ba5059
Behaviour
Persistence
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f375dd4c-e761-42dc-a766-12d8e098ccf2
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1268617
Signature
Antivirus / Scanner detection for submitted sample
Drops files in suspicious directories
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings indicative of a multi-platform dropper
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1268617 Sample: mips-20230706-2123.elf Startdate: 07/07/2023 Architecture: LINUX Score: 100 117 fucking.blackpeople.lol 2->117 119 82.70.92.53 ZEN-ASZenInternet-UKGB United Kingdom 2->119 121 99 other IPs or domains 2->121 131 Snort IDS alert for network traffic 2->131 133 Antivirus / Scanner detection for submitted sample 2->133 135 Multi AV Scanner detection for submitted file 2->135 137 3 other signatures 2->137 12 dash rm mips-20230706-2123.elf 2->12         started        15 systemd logrotate 2->15         started        17 python3.8 uname 2->17         started        19 11 other processes 2->19 signatures3 process4 signatures5 143 Sample deletes itself 12->143 21 mips-20230706-2123.elf 12->21         started        23 mips-20230706-2123.elf 12->23         started        25 logrotate sh 15->25         started        27 logrotate sh 15->27         started        29 logrotate gzip 15->29         started        31 logrotate gzip 15->31         started        process6 process7 33 mips-20230706-2123.elf 21->33         started        35 mips-20230706-2123.elf 21->35         started        37 mips-20230706-2123.elf 21->37         started        43 2 other processes 21->43 39 sh invoke-rc.d 25->39         started        41 sh rsyslog-rotate 27->41         started        process8 45 mips-20230706-2123.elf 33->45         started        47 mips-20230706-2123.elf 33->47         started        49 mips-20230706-2123.elf 33->49         started        61 18 other processes 33->61 51 invoke-rc.d runlevel 39->51         started        53 invoke-rc.d systemctl 39->53         started        55 invoke-rc.d ls 39->55         started        57 invoke-rc.d systemctl 39->57         started        59 rsyslog-rotate systemctl 41->59         started        process9 63 mips-20230706-2123.elf 45->63         started        65 mips-20230706-2123.elf sh 47->65         started        69 mips-20230706-2123.elf sh 47->69         started        71 mips-20230706-2123.elf sh 49->71         started        73 mips-20230706-2123.elf sh 49->73         started        75 mips-20230706-2123.elf sh 61->75         started        77 mips-20230706-2123.elf sh 61->77         started        79 mips-20230706-2123.elf sh 61->79         started        81 34 other processes 61->81 file10 83 mips-20230706-2123.elf sh 63->83         started        87 mips-20230706-2123.elf sh 63->87         started        105 /etc/rc.local, ASCII 65->105 dropped 123 Sample tries to persist itself using System V runlevels 65->123 89 sh chmod 65->89         started        107 /etc/init.d/rcD, ASCII 71->107 dropped 125 Drops files in suspicious directories 71->125 91 sh chmod 71->91         started        109 /etc/profile, ASCII 75->109 dropped 127 Sample tries to persist itself using /etc/profile 75->127 111 /etc/cron.hourly/0, ASCII 77->111 dropped 129 Sample tries to persist itself using cron 77->129 93 sh iptables 79->93         started        113 /etc/passwd, ASCII 81->113 dropped 95 mips-20230706-2123.elf sh 81->95         started        97 mips-20230706-2123.elf sh 81->97         started        signatures11 process12 file13 115 /etc/init.d/multipath-tools, ASCII 83->115 dropped 139 Drops files in suspicious directories 83->139 99 sh chmod 83->99         started        141 Executes the "iptables" command to insert, remove and/or manipulate rules 93->141 101 sh su 95->101         started        103 sh 95->103         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fb0b2a3175d1dc6d7892b0a97fef6500ac9aed5c2f11b90a805b2b6a6ba5059/
Threat name:
Linux.Trojan.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2023-07-06 21:24:06 UTC
File Type:
ELF32 Big (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j6ylfiyxluo4nv4jfmfjp7xwkafmtlwvylyrxefiawzlnjv2kbmq._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery
Link:
https://tria.ge/reports/230706-z8184aed43/
Behaviour
Writes file to tmp directory
Reads system network configuration
Creates a large amount of network flows
Enumerates active TCP sockets
Writes file to system bin folder
Deletes itself
Modifies Watchdog functionality
Contacts a large (5648) amount of remote hosts
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4fb0b2a3175d1dc6d7892b0a97fef6500ac9aed5c2f11b90a805b2b6a6ba5059

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:myMirai
Create hunting rule
Description:Mirai
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 4fb0b2a3175d1dc6d7892b0a97fef6500ac9aed5c2f11b90a805b2b6a6ba5059

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2676951/
  
Delivery method
Distributed via web download

Comments