MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5052712db6c5ffc8ae17701e6df93b53b2ff65c3860ac8beb5f565dda8ea9047. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 12

Intelligence 12 IOCs YARA 4 File information Comments

SHA256 hash:	5052712db6c5ffc8ae17701e6df93b53b2ff65c3860ac8beb5f565dda8ea9047
SHA3-384 hash:	715568ed5c935c0a0f320cca1f99db09668f91a61e79512d60a68b4613d828876ce4d504ac591057c2510ec9798da837
SHA1 hash:	5dae16397d3e671e2debcc29ba7a192983040fcc
MD5 hash:	c6f0143f20666b9285394f2a4f6be0cd
humanhash:	bravo-comet-bakerloo-july
File name:	morte.arm6
Download:	download sample
Signature	Mirai Create hunting rule
File size:	95'812 bytes
First seen:	2025-06-29 16:46:24 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	1536:+4n8F3IvWmY59g3dFpLI4O04eCL682aWidb9CXD9Ri5X8hEVG7Sl75AYf:CF4PLlYBL682aWmX8hEVG47Ko
TLSH	T1A6933B46FC829B21D5D512BEFE1E118E33131778E2DE72229D18AF21778A52B0E7B805
telfhash	t18221c0d78f2d0e8c8be5d108401b321e9bf936f8270776668e6d7b6f445289235d9039
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf mirai upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 c65588aaecfb798af3521ad87a86dcf9ab9f35015e63ad4c9d615f14fdf3bc2c

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	43'812 bytes
File size (de-compressed) :	95'812 bytes
Format:	linux/arm
Packed file:	c65588aaecfb798af3521ad87a86dcf9ab9f35015e63ad4c9d615f14fdf3bc2c

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30435.LC.UNOFFICIAL

Unix.Trojan.Mirai-7100807-0

Unix.Trojan.Mirai-7135916-0

Unix.Dropper.Mirai-7136016-0

Unix.Trojan.Mirai-8025795-0

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68616df537c3436779475131linux22vpnfull_triage

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Verdict:

Unknown

Threat level:

0/10

Confidence:

100%

Tags:

lolbin remote

Link:

https://www.filescan.io/uploads/68616dea8cd0d23e5bea7374/reports/34f2265d-388f-4ca4-b206-6ce2892a76aa/overview

Verdict:

Malicious

Uses P2P?:

false

Uses anti-vm?:

false

Architecture:

arm

Packer:

not packed

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

not identified

Full report:

https://elfdigest.com/brief/5052712db6c5ffc8ae17701e6df93b53b2ff65c3860ac8beb5f565dda8ea9047

Behaviour

no suspicious findings

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

not identified

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/442d29aa-edb6-48ee-8dc7-debd1c072000

Behavior Graph:

Download SVG

Malware family:

Mirai

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/fbb94018-7fd9-408a-884b-97e314e379c9

Result

Threat name:

Mirai, Xmrig

Detection:

malicious

Classification:

troj.mine

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1725070

Signature

Antivirus / Scanner detection for submitted sample

Found strings related to Crypto-Mining

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/5052712db6c5ffc8ae17701e6df93b53b2ff65c3860ac8beb5f565dda8ea9047

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5052712db6c5ffc8ae17701e6df93b53b2ff65c3860ac8beb5f565dda8ea9047/

Threat name:

Linux.Worm.Mirai

Status:

Malicious

First seen:

2025-06-29 16:47:26 UTC

File Type:

ELF32 Little (Exe)

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kbjhclnwyx74rlqxoapg36j3kozp6zodqyfmrpvv6vs53khksbdq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai

Link:

https://tria.ge/reports/250629-t983fawnt8/

Malware Config

C2 Extraction:

abc.galaxias.cc

Verdict:

Malicious

Tags:

Unix.Trojan.Mirai-7100807-0

YARA:

n/a

Link:

https://app.threat.zone/submission/ac88b5bb-8d26-434f-8388-a2e1194abae9

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Mirai

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/5052712db6c5ffc8ae17701e6df93b53b2ff65c3860ac8beb5f565dda8ea9047

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ELF_Mirai Create hunting rule
Author:	NDA0E
Description:	Detects multiple Mirai variants

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research