MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c1734e8d5d7bc56cfd516baab7b77f718041aee071341f96851246e42feb93f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 14 File information Comments

SHA256 hash: 5c1734e8d5d7bc56cfd516baab7b77f718041aee071341f96851246e42feb93f
SHA3-384 hash: bb894c32df4aa2efd47b7e00e5288596b3281040db0b2e32b66cac00b0dcb920a0e7a699699cc0dab00e374a0cb05709
SHA1 hash: d843458e0d67cdbc8927ea7676982f89c19a964c
MD5 hash: 83c855ebf7ad2f4353db0c02b7f38ac6
humanhash: magazine-undress-fillet-floor
File name:x86_64
Download: download sample
Signature Mirai
File size:50'432 bytes
First seen:2026-07-09 07:42:54 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:SxbNBwOoPUg/Wv1AKz4O3pRiY0ylhKoIh1w2E4nLB21/AL/dvEK:AbHwRPUgeviK8UziY0C2124nLB2gdvp
TLSH T1B733FA07F58285FDC04AC134076BBA3EDD26B5FE9278B2A77BD0EB226D91E214D19C44
telfhash t1dd11e1b6686d2c94f0fbdb652b82e21109a40a2900c036e3e6b16df6da517430c74cb7
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence


File Origin
# of uploads :
1
# of downloads :
59
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Receives data from a server
Sends data to a server
Opens a port
Connection attempt
Runs as daemon
Substitutes an application name
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2026-07-09T05:07:00Z UTC
Last seen:
2026-07-09T12:58:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
%3 guuid=212c62af-1e00-0000-a823-af9836140000 pid=5174 /usr/bin/sudo guuid=511e1eb2-1e00-0000-a823-af9837140000 pid=5175 /tmp/sample.bin net guuid=212c62af-1e00-0000-a823-af9836140000 pid=5174->guuid=511e1eb2-1e00-0000-a823-af9837140000 pid=5175 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=511e1eb2-1e00-0000-a823-af9837140000 pid=5175->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=59634fb2-1e00-0000-a823-af9838140000 pid=5176 /tmp/sample.bin dns net send-data zombie guuid=511e1eb2-1e00-0000-a823-af9837140000 pid=5175->guuid=59634fb2-1e00-0000-a823-af9838140000 pid=5176 clone guuid=59634fb2-1e00-0000-a823-af9838140000 pid=5176->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 send: 1881B abf5d304-b191-573b-90f3-ef6e15cfa605 lynxsecurity.ru:2852 guuid=59634fb2-1e00-0000-a823-af9838140000 pid=5176->abf5d304-b191-573b-90f3-ef6e15cfa605 send: 280B guuid=226a57b2-1e00-0000-a823-af9839140000 pid=5177 /tmp/sample.bin guuid=59634fb2-1e00-0000-a823-af9838140000 pid=5176->guuid=226a57b2-1e00-0000-a823-af9839140000 pid=5177 clone
Threat name:
Linux.Worm.Mirai
Status:
Malicious
First seen:
2026-07-09 07:44:35 UTC
File Type:
ELF64 Little (Exe)
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:mirai botnet credential_access discovery linux
Behaviour
Reads runtime system information
Changes its process name
Reads process memory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_28a2fe0c
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_33b4111a
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_620087b9
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_807911a2
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_9e9530a7
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d4227dbf
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_01e4a728
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_1e0c5ce0
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_520deeb8
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_6a77af0f
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_e0cf29e2
Author:Elastic Security
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 5c1734e8d5d7bc56cfd516baab7b77f718041aee071341f96851246e42feb93f

(this sample)

  
Delivery method
Distributed via web download

Comments