MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fe598ea2e5da8a44af43529d3e896c3641844f5cdada0d0a41b4b5663d8b8e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fe598ea2e5da8a44af43529d3e896c3641844f5cdada0d0a41b4b5663d8b8e0
SHA3-384 hash: 35241ce794edd0cdfd258bb8303e11b2a4ec402421fa759e57ecbf7de6352076ac1e6fe19fd453d258b9ab76e61d45c9
SHA1 hash: 5104085f8a6fcd8a9db45ee61dccdc3714a49160
MD5 hash: 660ebefca1ecfc1de8f71a991300eb57
humanhash: quiet-social-texas-failed
File name:mips
Download: download sample
Signature Mirai
Create hunting rule
File size:254'460 bytes
First seen:2026-01-26 13:09:24 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:EAS09Z48bbx4qwSVoi0W/s71iBGTh1IvMILAgRLpr6QfpT/Z+pfmqBOKWOI1:EAS09Z48blDwEoUdEg9ftEpftBOvF
TLSH T16144661A2E22DF7FF66D867047F38A30579836D63AE1D584F16CD61C1E2028E641FBA4
telfhash t1dc51a228097813e4a6656c9d49ddff36d6a320df7e162c338e50e85eab69f839d11c0c
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.32133.LX.BOT.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-8041698-0
Create hunting rule

Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
mips
Packer:
not packed
Botnet:
unknown
Number of open files:
8
Number of processes launched:
227
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/5fe598ea2e5da8a44af43529d3e896c3641844f5cdada0d0a41b4b5663d8b8e0
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2026-01-26T10:49:00Z UTC
Last seen:
2026-01-28T01:33:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/5fe598ea2e5da8a44af43529d3e896c3641844f5cdada0d0a41b4b5663d8b8e0/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/f5e32cc7-b20d-4e51-984d-d5e64dfdbf54
Behavior Graph:
Download SVG
%3 guuid=81c1d261-1a00-0000-2b3b-2b10290b0000 pid=2857 /usr/bin/sudo guuid=ae16d963-1a00-0000-2b3b-2b10320b0000 pid=2866 /tmp/sample.bin guuid=81c1d261-1a00-0000-2b3b-2b10290b0000 pid=2857->guuid=ae16d963-1a00-0000-2b3b-2b10320b0000 pid=2866 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/949573c6-7b6c-4b2c-a564-6b9de8ffc109
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1857586
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1857586 Sample: mips.elf Startdate: 26/01/2026 Architecture: LINUX Score: 84 109 xxx.caoxxip.top 198.98.61.207, 2235, 40616, 40618 PONYNETUS United States 2->109 111 34.254.182.186, 443, 54684 AMAZON-02US United States 2->111 113 54.247.62.1, 443 AMAZON-02US United States 2->113 115 Antivirus detection for dropped file 2->115 117 Antivirus / Scanner detection for submitted sample 2->117 119 Multi AV Scanner detection for submitted file 2->119 13 mips.elf 2->13         started        15 systemd ifconfig_xxs.cfg 2->15         started        17 systemd ifconfig_xxs.cfg 2->17         started        19 65 other processes 2->19 signatures3 process4 process5 21 mips.elf 13->21         started        23 ifconfig_xxs.cfg 15->23         started        25 ifconfig_xxs.cfg 17->25         started        27 ifconfig_xxs.cfg 19->27         started        29 ifconfig_xxs.cfg 19->29         started        31 ifconfig_xxs.cfg 19->31         started        33 15 other processes 19->33 process6 35 mips.elf 21->35         started        39 ifconfig_xxs.cfg 23->39         started        41 ifconfig_xxs.cfg 25->41         started        43 ifconfig_xxs.cfg 27->43         started        45 ifconfig_xxs.cfg 29->45         started        47 ifconfig_xxs.cfg 31->47         started        49 ifconfig_xxs.cfg 33->49         started        51 ifconfig_xxs.cfg 33->51         started        53 8 other processes 33->53 file7 103 /usr/local/bin/ifconfig_xxs.cfg, ELF 35->103 dropped 105 /etc/rc.local, ASCII 35->105 dropped 107 /boot/ifconfig_xxs.cfg, ELF 35->107 dropped 121 Sample tries to set files in /etc globally writable 35->121 123 Writes identical ELF files to multiple locations 35->123 125 Sample tries to persist itself using System V runlevels 35->125 55 mips.elf 35->55         started        57 mips.elf 35->57         started        60 mips.elf sh 35->60         started        62 2 other processes 35->62 signatures8 process9 signatures10 64 mips.elf 55->64         started        129 Sample deletes itself 57->129 66 sh systemctl 60->66         started        68 mips.elf 62->68         started        70 sh systemctl 62->70         started        process11 process12 72 mips.elf 64->72         started        75 mips.elf 68->75         started        signatures13 127 Sample tries to kill multiple processes (SIGKILL) 72->127 77 mips.elf sh 72->77         started        79 mips.elf sh 72->79         started        81 mips.elf sh 72->81         started        83 10 other processes 72->83 process14 process15 85 sh ps 77->85         started        87 sh awk 77->87         started        89 sh ps 79->89         started        91 sh awk 79->91         started        93 sh ps 81->93         started        95 sh awk 81->95         started        97 sh ps 83->97         started        99 sh awk 83->99         started        101 16 other processes 83->101
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/5fe598ea2e5da8a44af43529d3e896c3641844f5cdada0d0a41b4b5663d8b8e0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fe598ea2e5da8a44af43529d3e896c3641844f5cdada0d0a41b4b5663d8b8e0/
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-26 13:10:14 UTC
File Type:
ELF32 Big (Exe)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l7szr2rolwukisxuguu5h2ewynsbqrhvzww2bufednfvmy6yxdqa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/260126-qpca7aay2d/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Reads CPU attributes
Modifies rc script
Modifies systemd
Write file to user bin folder
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/5fe598ea2e5da8a44af43529d3e896c3641844f5cdada0d0a41b4b5663d8b8e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 5fe598ea2e5da8a44af43529d3e896c3641844f5cdada0d0a41b4b5663d8b8e0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3764109/
  
Delivery method
Distributed via web download

Comments