MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b955e121c9406d4187c6e03dbc4b5d6103c2b3d2d93f85e74a442e8f5c3a64f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	5b955e121c9406d4187c6e03dbc4b5d6103c2b3d2d93f85e74a442e8f5c3a64f
SHA3-384 hash:	6d0ebacac0258df12a5964d9fd964aa85ba2f33bfff7980f74bbce5d3127fce38775d6db347a06364f1e6931e62438bf
SHA1 hash:	95bf7acd435282c56f1939a111f07a035e7afbb9
MD5 hash:	a26ba3ce3057a0c5aab83e565c5c8c77
humanhash:	table-lake-carpet-orange
File name:	splmips
Download:	download sample
Signature	Mirai Create hunting rule
File size:	72'300 bytes
First seen:	2025-02-25 13:42:30 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	1536:W9QP7GB1L1I13yHPtYdf1Gewc4fAH9i/jgDO:rP7Q1LSWPtsIAs/jcO
TLSH	T17D63A61D2E218FADFBAC833547B78F209758379527E1C285E19CE9011E7034E646FBA9
telfhash	t1ba01811c853813f1d7855dee6bedff75e05080df8a565e338d00e99a9b11a824e01c2c
Magika	elf
Reporter	abuse_ch
Tags:	elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Unix.Trojan.Mirai-9970440-0

Unix.Trojan.Mirai-1

Verdict:

Clean

Score:

82.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67bdc96da0fd713c335cb913linux22vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

DNS request

Sends data to a server

Opens a port

Creating a file

Receives data from a server

Runs as daemon

Substitutes an application name

Performs a bruteforce attack in the network

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/67bdc8f85209792b4b3a60b3/reports/f4cc7831-bfb9-407f-85ff-1b29ad06624d/overview

Verdict:

Malicious

Uses P2P?:

false

Uses anti-vm?:

false

Architecture:

mips

Packer:

not packed

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

true

Remote TCP ports scanned:

Full report:

https://elfdigest.com/brief/5b955e121c9406d4187c6e03dbc4b5d6103c2b3d2d93f85e74a442e8f5c3a64f

Behaviour

Process Renaming

Information Gathering

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

not identified

Result

Verdict:

UNKNOWN

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/d4c6a4bd-d950-43b1-93b7-2f288eef3fa5

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1623740

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/5b955e121c9406d4187c6e03dbc4b5d6103c2b3d2d93f85e74a442e8f5c3a64f

Detection:

mirai

Link:

https://mwdb.cert.pl/sample/5b955e121c9406d4187c6e03dbc4b5d6103c2b3d2d93f85e74a442e8f5c3a64f/

Threat name:

Linux.Backdoor.Mirai

Status:

Malicious

First seen:

2025-02-25 13:43:17 UTC

File Type:

ELF32 Big (Exe)

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lokv4eq4sqdnigd4nyb5xrfv2yidykz5fwj7qxtuurbor5oduzhq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:botnet credential_access defense_evasion discovery

Link:

https://tria.ge/reports/250225-q1cq4axqv6/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Changes its process name

Reads system network configuration

Reads process memory

Enumerates active TCP sockets

Enumerates running processes

Modifies Watchdog functionality

Renames itself

Unexpected DNS network traffic destination

Contacts a large (67024) amount of remote hosts

Creates a large amount of network flows

Verdict:

Malicious

Tags:

Unix.Trojan.Mirai-9970440-0

YARA:

n/a

Link:

https://app.threat.zone/submission/91ff20bd-e148-4ec3-9202-4adfd721dd2f

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Mirai

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/5b955e121c9406d4187c6e03dbc4b5d6103c2b3d2d93f85e74a442e8f5c3a64f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 88c8b2f417f84c2c5ed3620221676323be8c6653cae0813a2f570da36f39f905

Mirai

elf 5b955e121c9406d4187c6e03dbc4b5d6103c2b3d2d93f85e74a442e8f5c3a64f

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3422911/

Delivery method

Distributed via web download

Dropped by

SHA256 88c8b2f417f84c2c5ed3620221676323be8c6653cae0813a2f570da36f39f905

Dropped by

MD5 13051e1f2c7863e1d3b8a098bf5e6ffe

Dropped by

SHA256 c09710cc631c1d6e4000c8ba957555a5feb4fa13a85869b63732757cdc493a95

Dropped by

MD5 89bfde2de895dd7932eb5cc4b2a2af0d

URLhaus

https://urlhaus.abuse.ch/url/3458218/

URLhaus

https://urlhaus.abuse.ch/url/3458476/

URLhaus

https://urlhaus.abuse.ch/url/3458697/

URLhaus

https://urlhaus.abuse.ch/url/3458806/

URLhaus

https://urlhaus.abuse.ch/url/3458912/

URLhaus

https://urlhaus.abuse.ch/url/3458920/

URLhaus

https://urlhaus.abuse.ch/url/3458422/

URLhaus

https://urlhaus.abuse.ch/url/3458585/

URLhaus

https://urlhaus.abuse.ch/url/3458874/

URLhaus

https://urlhaus.abuse.ch/url/3458899/

URLhaus

https://urlhaus.abuse.ch/url/3458902/

URLhaus

https://urlhaus.abuse.ch/url/3458908/

Dropped by

SHA256 917e1583e972496dbef39a32a6f879f2287a488aae1e042b2f2aac60e5f23b82

Dropped by

MD5 918d020fbaadab5297513cc71a1e69d6

Dropped by

SHA256 f834c7b407c1e81ee21765c9d81c52e62c6bf0197286c49dde4883d7886547c7

Dropped by

MD5 75d4942431f01ccd7692ff6ffdcbb7ae

Dropped by

SHA256 8d3ce321a42b6b7ddbf5d0d44b751efd9addbd587490e7e6f052fa00cbccd7fe

Dropped by

MD5 2cb936bea3fa2d7d60e566e339712042

URLhaus

https://urlhaus.abuse.ch/url/3458302/

URLhaus

https://urlhaus.abuse.ch/url/3458305/

URLhaus

https://urlhaus.abuse.ch/url/3458319/

URLhaus

https://urlhaus.abuse.ch/url/3458475/

URLhaus

https://urlhaus.abuse.ch/url/3458896/

URLhaus

https://urlhaus.abuse.ch/url/3458930/

URLhaus

https://urlhaus.abuse.ch/url/3458306/

URLhaus

https://urlhaus.abuse.ch/url/3458406/

URLhaus

https://urlhaus.abuse.ch/url/3458496/

URLhaus

https://urlhaus.abuse.ch/url/3458508/

URLhaus

https://urlhaus.abuse.ch/url/3458706/

URLhaus

https://urlhaus.abuse.ch/url/3458766/

URLhaus

https://urlhaus.abuse.ch/url/3458348/

URLhaus

https://urlhaus.abuse.ch/url/3458381/

URLhaus

https://urlhaus.abuse.ch/url/3458465/

URLhaus

https://urlhaus.abuse.ch/url/3458540/

URLhaus

https://urlhaus.abuse.ch/url/3458795/

URLhaus

https://urlhaus.abuse.ch/url/3458831/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample