MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6358a752919245258ae42e70ccc9126ada70903217434b46fea67ea9b89c787e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

SHA256 hash: 6358a752919245258ae42e70ccc9126ada70903217434b46fea67ea9b89c787e
SHA3-384 hash: ae7fe59d0af0c41802d0a736eb9f99c122eadb8b02359ad75a8f1b64e5411b315e6a9a41099aab7ed73dc1ee8ced2c62
SHA1 hash: 72a58114bf0d36cffb7f99714c0f41a50f3cd583
MD5 hash: a5665de7bd563306960227ba692bcc35
humanhash: pasta-fourteen-fruit-pasta
File name: arm
Signature: Mirai
File size: 722'736 bytes
First seen: 2025-05-20 01:52:12 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 12288:6v2RwJ+dMp/C5Pfw+0ufLOKcoTc1EubphU+S2tagpJS2dzX2A6LZtl00DB+C:6v5J+dMpCpaoA1H9hFS2Smz2Aytl/DB+
TLSH: T1CEE44B16F8809F62C5D12576FA5F82A8731347B8C3EB720689199B343BD786F4F3A641
telfhash: t1f1d097b20f6884015002ec1038c200bdae8ce9002fc4f840fe4cd8820c3002c2713d4b
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence

File Origin
# of uploads: 1
# of downloads: 145
Origin country: DE

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a process from a recently created file
  Connection attempt
  Runs as daemon
  Creating a file
  Receives data from a server
  Sets a written file as executable
  Sends data to a server
  Writes files to system directory

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bash gcc lolbin remote

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: arm
Packer: not packed
Botnet: unknown
Number of open files: 9
Number of processes launched: 42
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour: Information Gathering
Botnet C2s:
  TCP botnet C2(s): not identified
  UDP botnet C2(s): not identified

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 48 / 100
Signature:
  Drops files in suspicious directories
  Writes identical ELF files to multiple locations
Behavior Graph: (graph image not reproduced; the details recoverable from the graph are listed below)
Behavior Graph ID: 1694432
Sample: arm.elf
Start date: 20/05/2025
Architecture: LINUX
Score: 48
Network contacts shown in graph:
  89.42.88.163, ports 1338 and 36010 (MOLDTELECOM-AS Moldtelecom Autonomous System MD, Romania)
  109.202.202.202, port 80 (INIT7CH, Switzerland)
  3 other IPs or domains
Process chain shown in graph: arm.elf is started alongside "dash rm" processes, re-executes itself, and then repeatedly launches copies named "update" from each dropped location (several dozen child processes in total).
Files dropped (all ELF):
  /snap/bin/update
  /usr/local/games/update
  /usr/games/update
  /usr/bin/update
Signatures raised in graph:
  Drops files in suspicious directories
  Writes identical ELF files to multiple locations
Threat name: Linux.Trojan.Generic
Status: Suspicious
First seen: 2025-05-20 01:53:17 UTC
File Type: ELF32 Little (Exe)
AV detection: 11 of 23 (47.83%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: persistence
Behaviour:
  Write file to user bin folder
  Writes file to system bin folder
  Executes dropped EXE

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: F01_s1ckrule
Author: s1ckb017

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: malwareelf55503

Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
Mirai
elf 6358a752919245258ae42e70ccc9126ada70903217434b46fea67ea9b89c787e (this sample)
Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID         Title                                                      Severity
CHECK_PIE  Missing Position-Independent Executable (PIE) Protection   high