MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bd85b7e8a6bb58c62f9509265f29b9810e4b3639631944313706ee04556898b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 11

Intelligence 11 IOCs YARA 6 File information Comments 1

SHA256 hash:	5bd85b7e8a6bb58c62f9509265f29b9810e4b3639631944313706ee04556898b
SHA3-384 hash:	45bfe4d5c69b17b75d9e2a79362d0a777b0a34ef7759c73ba1d6df1a853b89e9d40063ae6c6371b966135deaa20b4a66
SHA1 hash:	0760583372d00fce09bf3323e6c8a2b2cd2902f8
MD5 hash:	43a4b05ff577529e0d664d9dcc31e3cf
humanhash:	low-sodium-glucose-yankee
File name:	43a4b05ff577529e0d664d9dcc31e3cf
Download:	download sample
Signature	Mirai Create hunting rule
File size:	43'860 bytes
First seen:	2023-03-31 00:57:54 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	768:lgKiLUpbwLgK9S75XfXS4nxoTfTZsBV99peGpiHjDmfxsN9jL9oeQ/NZwW:lplb6gKq5PXSKyx0HeG8DDmqLsIW
TLSH	T17D13F755B8815A3BC2E0237BB9AE568D336067E8C2CF721BDD215B207A8651F0D37F85
telfhash	t1d9e0c240adb89a1e9ce35bb8ddcd07b1a1116253a4270b10cf58e6e0c83f988a60de6d
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter	zbetcheckin
Tags:	32 arm elf mirai

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.28880.LC.UNOFFICIAL

SecuriteInfo.com.Linux.Mirai-81.UNOFFICIAL

Sanesecurity.Malware.28886.LC.UNOFFICIAL

Sanesecurity.Malware.28878.LC.UNOFFICIAL

Sanesecurity.Malware.28879.LC.UNOFFICIAL

Sanesecurity.Malware.28877.LC.UNOFFICIAL

Unix.Trojan.Mirai-9441505-0

Unix.Dropper.Mirai-9977145-0

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug exploit gafgyt mirai

Link:

https://www.filescan.io/uploads/642630204fbb909ff92e6012/reports/6549de63-a00d-4bb0-91ae-f3ac25d0c73b/overview

Verdict:

Malicious

Uses P2P?:

false

Uses anti-vm?:

false

Architecture:

arm

Packer:

not packed

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

not identified

Full report:

https://elfdigest.com/brief/5bd85b7e8a6bb58c62f9509265f29b9810e4b3639631944313706ee04556898b

Behaviour

no suspicious findings

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

not identified

Result

Verdict:

MALICIOUS

Malware family:

Mirai

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3a5deae7-d342-44c7-8212-bdb51b5b17ab

Result

Threat name:

Mirai

Detection:

malicious

Classification:

troj

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1205683

Signature

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Behaviour

Behavior Graph:

Download SVG

Detection:

mirai

Link:

https://mwdb.cert.pl/sample/5bd85b7e8a6bb58c62f9509265f29b9810e4b3639631944313706ee04556898b/

Threat name:

Linux.Trojan.Mirai

Status:

Malicious

First seen:

2023-03-31 00:58:09 UTC

File Type:

ELF32 Little (Exe)

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lpmfw7ukno2yyyxzkcjgl4u3taiojm3dsyyziqytobxoarkwrgfq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai

Link:

https://tria.ge/reports/230331-bbhhqahd31/

Malware Config

C2 Extraction:

bruh123.hopto.org

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.60

Link:

https://yomi.yoroi.company/submissions/5bd85b7e8a6bb58c62f9509265f29b9810e4b3639631944313706ee04556898b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Linux_Trojan_Gafgyt_28a2fe0c Create hunting rule
Author:	Elastic Security

Rule name:	myMirai Create hunting rule
Description:	Mirai

Rule name:	setsockopt Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for setsockopt() red flags

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 5bd85b7e8a6bb58c62f9509265f29b9810e4b3639631944313706ee04556898b

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2592118/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-03-31 00:57:56 UTC

url : hxxp://141.98.6.202/arm5