MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5432f3caa45385056579f0bba463790b31760e012fc058f169d58c9e23a836a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai
Vendor detections: 8


SHA256 hash: 5432f3caa45385056579f0bba463790b31760e012fc058f169d58c9e23a836a7
SHA3-384 hash: 15a0e729f3cf69d029ebf859839439cefccb58ba20800d657602286309270ef6aa78482385f27cdad54e326761328a64
SHA1 hash: e76ff465d4300c88aa78806754a1d57da1675aca
MD5 hash: e092b74f360a0bd51535d470f094743e
humanhash: cola-twelve-autumn-purple
File name: uYtea.ppc
Signature: Mirai
File size: 60'356 bytes
First seen: 2025-07-18 23:37:32 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 1536:mrJWkmM0yJ/sWUzNZI/rJv/pM60sov+Sp/02D4u+qgw09U:2L0y5sWQI/rhqrVck4u+qgw5
TLSH: T119430271C2AD88E4D779DE607ADBC2D2F1A11C5F3AC30AA1146D53F3402FC156AA18ED
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence

File Origin
# of uploads: 1
# of downloads: 18
Origin country: DE

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Opens a port
Collects information on the RAM
Creating a file
Manages services
Sets a written file as executable
Launching a process
Connection attempt
Kills processes
Mounts file systems
Runs as daemon
Kills critical processes
Substitutes an application name
Writes files to system directory
Creates or modifies files in /cron to set up autorun
Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: masquerade packed upx
Status: terminated
Behavior Graph: (graph not reproduced; it shows /usr/bin/sudo, pid 2924, calling execve on /tmp/sample.bin, pid 2928)
Result
Threat name: n/a
Detection: malicious
Classification: spre.troj.evad
Score: 76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using cron
Behaviour
Behavior Graph: (graph not reproduced)
Behavior Graph ID: 1739884
Sample: uYtea.ppc.elf
Startdate: 19/07/2025
Architecture: LINUX
Score: 76
Network contact shown in graph: 156.238.225.44 (ports 38441, 57872, 57874), XHOSTSERVERUS, Seychelles
Files dropped shown in graph: /usr/bin/mounted (Bourne-Again shell script), /var/spool/cron/crontabs/tmp.lGCXng (data), /etc/cron.d/mount.sh (ASCII)
Process activity shown in graph: uYtea.ppc.elf spawns multiple copies of itself and sh, which in turn run mounted, crontab, chmod and cat; other nodes repeat the signatures listed above (SIGKILL of multiple processes, crontab persistence, files dropped in suspicious directories)
Threat name: Linux.Trojan.Multiverze
Status: Malicious
First seen: 2025-07-18 23:33:00 UTC
File Type: ELF32 Big (Exe)
AV detection: 14 of 37 (37.84%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: linux upx

Verdict: Malicious
Tags: Unix.Trojan.Mirai-9936831-0
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: SUSP_ELF_LNX_UPX_Compressed_File
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious ELF binary with UPX compression
Reference: Internal Research

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: upx_packed_elf_v1
Author: RandomMalware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
Sample: elf 5432f3caa45385056579f0bba463790b31760e012fc058f169d58c9e23a836a7 (this sample)

Delivery method
Distributed via web download