MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55cf565e69c49d64c75e7f71a404f12543c99eaaab04219f11442dccabe6e019. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mirai
Vendor detections: 5



SHA256 hash: 55cf565e69c49d64c75e7f71a404f12543c99eaaab04219f11442dccabe6e019
SHA3-384 hash: 7bda823725e6c9e1b0c7370e965692aa68f24bdaff4373f1f35c3e9580d13717ee1b6effe9e81383b2959b3675817707
SHA1 hash: 41a025fd0c8e0555e163eb918ebe8191042ee76a
MD5 hash: 47c8d185797dd8d8065d7e9ee42c5345
humanhash: single-twenty-pip-ack
File name: Mozi.m
Signature: Mirai
File size: 307'960 bytes
First seen: 2021-07-28 01:01:22 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xio:p3lOYoaja8xzx/0wsxzSi
TLSH: T15F64028BEF36BC1BCB001BF125DB4F9DA96C665B82C7E0A1B6C0444F26E51C6B6912C5
Reporter: tolisec
Tags: mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 94
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
Uses P2P?: true
Uses anti-vm?: false
Architecture: mips
Packer: UPX
Botnet: 59.99.43.148:47396
Number of open files: 430
Number of processes launched: 38
Processes remaining?: true
Remote TCP ports scanned: 60001,7574,80,37215,8081,8080,8181,8443,81,49152,52869,5555,2323,23
Behaviour
Process Renaming
Firewall Changes
Information Gathering
Botnet C2s
TCP botnet C2(s):
87.98.162.88:6881
212.129.33.59:6881
67.215.246.10:6881
82.221.103.244:6881
130.239.18.159:6881
85.224.49.140:6881
178.141.215.10:6881
169.47.111.135:6881
99.239.238.164:6881
223.83.241.230:6881
138.43.157.5:6881
31.184.254.119:6881
35.137.255.38:6881
182.45.39.193:6881
141.179.37.19:6881
165.22.107.162:6881
111.170.118.87:6881
4.79.112.19:6881
77.101.182.211:6881
198.98.56.221:6881
206.189.96.59:8081
198.16.58.241:8081
167.99.249.26:8081
42.202.100.198:8081
27.6.203.66:8081
59.96.24.13:8081
130.239.18.159:8723
130.239.18.159:8792
178.141.89.7:8080
117.221.183.252:8080
81.68.244.151:8080
85.95.240.200:8080
130.239.18.159:8896
178.174.155.104:9149
117.223.83.7:4000
18.163.61.129:4000
175.11.200.158:4000
61.3.188.244:1027
117.221.183.29:1027
117.196.17.170:1027
111.92.75.167:48683
113.211.208.20:32300
42.91.136.181:13316
221.215.123.18:63977
180.74.213.157:51204
73.49.121.152:21152
180.188.224.197:34179
130.239.18.159:8646
130.239.18.159:9031
130.239.18.159:8700
130.239.18.159:8547
81.171.22.94:51413
84.231.165.121:51413
49.245.18.91:51413
167.71.88.63:51413
31.44.225.133:51413
104.184.3.186:51413
66.228.49.123:51413
161.53.29.208:51413
80.243.106.186:51413
128.69.179.116:39999
81.198.240.73:29328
98.128.147.115:29799
101.0.41.59:30608
125.25.148.245:8083
178.141.10.226:8083
117.201.196.224:8083
157.48.89.102:54788
61.3.189.25:5353
178.141.147.36:5353
218.16.204.227:17624
120.209.126.235:30301
112.27.124.120:30301
180.188.224.96:17372
201.7.4.177:6892
218.186.147.173:61537
47.200.54.107:50321
206.138.21.119:50321
211.54.114.210:8999
221.165.24.55:28191
180.188.237.180:59211
24.162.7.171:6889
181.46.68.247:42231
182.212.19.214:19922
60.97.156.48:19200
194.36.207.219:48597
73.135.138.255:60212
130.239.18.159:8606
130.239.18.159:8549
130.239.18.159:8978
130.239.18.159:8926
130.239.18.159:8673
135.181.182.188:20747
178.141.23.189:34867
83.254.58.178:8082
221.158.139.154:8082
116.30.121.155:8082
178.141.216.59:15609
130.239.18.159:8973
95.158.19.130:4872
202.164.139.158:55025
117.213.43.189:23045
116.106.70.1:1434
117.201.198.121:54708
130.239.18.159:8744
185.34.240.248:53311
62.210.209.183:51249
45.79.48.215:51345
172.127.44.162:51416
198.71.63.92:53113
97.91.248.247:48131
178.46.121.90:1537
112.27.124.119:48840
59.44.149.124:48840
104.14.161.81:42486
135.181.182.188:8449
175.201.76.216:7935
87.10.180.56:62726
81.171.6.71:61523
1.36.18.130:9430
112.26.92.129:5060
113.88.194.204:5060
121.62.188.82:5060
112.27.124.175:13274
202.164.139.173:41929
202.164.139.51:30733
111.92.81.129:34115
111.92.116.245:20715
92.126.25.101:49001
121.6.7.16:10200
27.104.147.134:7271
223.17.19.117:23947
219.79.138.140:24991
210.195.161.243:50766
47.241.123.250:49123
67.254.215.172:51868
113.110.241.20:64456
117.201.194.132:7724
185.120.124.33:55475
180.188.248.107:18896
114.134.24.139:41489
41.207.248.243:15703
202.164.139.216:39709
211.227.70.184:40773
176.130.203.80:50192
46.173.141.96:28825
89.178.18.173:17618
195.181.67.88:14797
121.238.201.154:31890
117.222.170.240:40111
118.34.171.147:28484
114.35.70.117:27068
183.97.25.248:64314
198.13.57.50:59027
125.136.239.81:31921
49.228.228.147:16762
89.158.129.33:12345
46.242.15.109:9929
5.189.183.129:51288
158.174.62.108:59710
209.141.37.251:37592
81.235.133.169:57147
59.96.27.216:5135
190.216.251.185:50188
88.249.91.162:8000
178.141.167.187:8000
130.239.18.159:8803
135.181.182.188:19909
81.231.82.121:32812
130.239.18.159:8559
130.239.18.159:8623
130.239.18.159:8763
130.239.18.159:8944
UDP botnet C2(s):
not identified
Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 68 / 100
Signature
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Yara detected Mirai
Behaviour
Behavior Graph (ID 455248; sample: Mozi.m; start date: 28/07/2021; architecture: LINUX; score: 68). The rendered graph is not available; the information recoverable from it:
Network: 14.184.163.135, ports 23 and 38206 (VNPT-AS-VN VNPT Corp, Viet Nam)
Signatures: Multi AV Scanner detection for submitted file; Yara detected Mirai (matched twice); Sample is packed with UPX
Processes: three upstart sh instances and Mozi.m started; child processes: sh date, sh apport-checkreports, sh apport-gtk
Threat name: Linux.Trojan.Skeeyah
Status: Malicious
First seen: 2021-07-28 00:55:19 UTC
AV detection: 18 of 46 (39.13%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: linux
Behaviour
Reads runtime system information
Writes file to tmp directory
Reads system network configuration
Enumerates active TCP sockets
Reads system routing table
Modifies hosts file
Modifies the Watchdog daemon
Writes file to system bin folder
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: SUSP_ELF_LNX_UPX_Compressed_File
Author: Florian Roth
Description: Detects a suspicious ELF binary with UPX compression
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mirai
File type: elf
SHA256: 55cf565e69c49d64c75e7f71a404f12543c99eaaab04219f11442dccabe6e019 (this sample)
