MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 669567291e91e723fcdf8bc612992dd45d90700eab69948d0e8255aaae7b784d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 669567291e91e723fcdf8bc612992dd45d90700eab69948d0e8255aaae7b784d
SHA3-384 hash: ad34fd7ae14cccc5bdcff773d94364eb78e32f97b3fd977f9a2103d4e7a4e4019be68a198920f99d86dc9eaa93da56be
SHA1 hash: 5dadc4350b312523315fd9764a738263c8e8308b
MD5 hash: a77c7a13905f9aba1b63bde3bb98f77e
humanhash: winner-burger-item-moon
File name:db0fa4b8db0333367e9bda3ab68b8042.x86
Download: download sample
Signature Mirai
Create hunting rule
File size:33'024 bytes
First seen:2025-07-28 19:59:15 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 768:72lOCUQJ6viHkg0ZhjRATA05N1o9g1L3/DoRAHnbcuyD7Uiyqk:SyQJ0ygj2c05Hos3roRAHnouy8Zqk
TLSH T191E2E1FF71931680D4DFA1399A0DEB1B0A94F10EE0666B60DF547CA64572E482BD07C3
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf gafgyt mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
20
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Unix.Trojan.Mirai-7669677-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Opens a port
Sends data to a server
Receives data from a server
Connection attempt
DNS request
Runs as daemon
Substitutes an application name
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
UPX
Botnet:
unknown
Number of open files:
0
Number of processes launched:
8
Processes remaning?
true
Remote TCP ports scanned:
80,23,37215,443
Full report:
https://elfdigest.com/brief/669567291e91e723fcdf8bc612992dd45d90700eab69948d0e8255aaae7b784d
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b76ad9ee-27ac-494e-b83f-f2ad06a3c6c3
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1745866
Signature
Detected Mirai
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample tries to kill multiple processes (SIGKILL)
Suricata IDS alerts for network traffic
Uses known network protocols on non-standard ports
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1745866 Sample: db0fa4b8db0333367e9bda3ab68... Startdate: 28/07/2025 Architecture: LINUX Score: 100 29 123.218.39.190 OCNNTTCommunicationsCorporationJP Japan 2->29 31 197.212.239.103 ZAIN-ZAMBIAZM Zambia 2->31 33 99 other IPs or domains 2->33 35 Suricata IDS alerts for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Detected Mirai 2->39 41 4 other signatures 2->41 8 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 2->8         started        10 xfce4-panel wrapper-2.0 2->10         started        12 xfce4-panel wrapper-2.0 2->12         started        14 6 other processes 2->14 signatures3 process4 process5 16 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 8->16         started        18 wrapper-2.0 xfpm-power-backlight-helper 10->18         started        process6 20 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 16->20         started        23 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 16->23         started        25 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 16->25         started        27 3 other processes 16->27 signatures7 43 Sample tries to kill multiple processes (SIGKILL) 20->43
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/669567291e91e723fcdf8bc612992dd45d90700eab69948d0e8255aaae7b784d
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/669567291e91e723fcdf8bc612992dd45d90700eab69948d0e8255aaae7b784d/
Threat name:
Linux.Backdoor.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2025-07-28 20:00:37 UTC
File Type:
ELF32 Little (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m2kwoki6shtsh7g7rpdbfgjn2roza4aovnuzjdioqjk2vlt3pbgq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:unstable botnet defense_evasion discovery linux upx
Link:
https://tria.ge/reports/250728-yqkmys1mx7/
Behaviour
Reads runtime system information
Changes its process name
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Contacts a large (203461) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Verdict:
Malicious
Tags:
Unix.Trojan.Mirai-7669677-0
YARA:
n/a
Link:
https://app.threat.zone/submission/974f4bd0-b1a0-414e-a8e2-128114b96199
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mirai
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/669567291e91e723fcdf8bc612992dd45d90700eab69948d0e8255aaae7b784d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh b0240dbd0617517f0dd74ff6e9754ecf839bc0abf1283d95206ae24b29952392

Mirai

elf 669567291e91e723fcdf8bc612992dd45d90700eab69948d0e8255aaae7b784d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3591750/
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 b0240dbd0617517f0dd74ff6e9754ecf839bc0abf1283d95206ae24b29952392
  
Dropped by
MD5 a5ae2d52fe70d6177b2c243f292584a8
  
Dropped by
SHA256 1ce3ab0f0372aee3016a9f17ba757626c2e36972490c11f174e58ac3971f7d64
  
Dropped by
MD5 8cfd7142d861d9cde78d4f16603e268e
  
Dropped by
SHA256 27477e99ef1e6641f7acdf7485ea4655c2cad212a9945b5dc1a4cbfdbde2c8bc
  
Dropped by
MD5 24d843e48989717bacd6c71e24e2fb5a
  
Dropped by
SHA256 3c8925f5a979d34599344189eb9cedce5d2978e9e406ad1963168bd930a2a36f
  
Dropped by
MD5 5e0468457f237291b81fc7160a754776
  
URLhaus
https://urlhaus.abuse.ch/url/3591745/
  
URLhaus
https://urlhaus.abuse.ch/url/3591756/
  
URLhaus
https://urlhaus.abuse.ch/url/3591757/
  
URLhaus
https://urlhaus.abuse.ch/url/3591758/
  
Dropped by
SHA256 5bc4942c8401ef36219b37f6ad03ee6cf09e0b2ec5c81e5527d557db9891314a
  
Dropped by
MD5 fec509d44363926c59ae6d7c3bec3d2b
  
Dropped by
SHA256 d006338f7984eed9ab94b767f3bacf8d2923c98cd1c2812be37da605166f9e09
  
Dropped by
MD5 2f5347d682308406cdfefcd2232a0988
  
Dropped by
SHA256 7e2fe73b5034bcc7576b9e5031a84aa1e263ea8430b50192e308d28530f82cde
  
Dropped by
MD5 4a817a4fdef00ceba06a69b7381b32ea
  
Dropped by
SHA256 809c5c2e3fd14e866d8dfc977f06edee73497d9b3ffe7300d2f53c7b0044885b
  
Dropped by
MD5 630822840c5a1285e94c416c2be688f4
  
Dropped by
SHA256 1469917a1b0b60ed411dcba1b19d148b3f95213ab8dfa0f8a987c877a63ec5df
  
Dropped by
MD5 05d01293d3de4e99b50c7dd16489c4d9
  
Dropped by
SHA256 6abf88412443463824832afdb46268a02767288fff4f36a39b780d5c130a9c8e
  
Dropped by
MD5 48807f1deee353f1c4988ce6a4f11d7c
  
Dropped by
SHA256 eb73ad2b27f1829cc6d0706fe932495ef97b518ba66272558214990151c981c7
  
Dropped by
MD5 5e594dc6b3b03ef19f8960e2cdb41826
  
Dropped by
SHA256 8402be005493cb2836c6ff2334ea8bc3e14cc91f8e597bbc59ce49388d56819c
  
Dropped by
MD5 84588db847c49aec4b133789fd2cea86
  
Dropped by
SHA256 a8bdf727e83114f5acb1372ac33af07daacb7ba99d0b1a5a71af9fb9de1439bd
  
Dropped by
MD5 4a04abf2784c7b35292308ff0e5e5e6f
  
Dropped by
SHA256 2c23d75876a5526854d019a5c481325b5d9a40ae03ef86a43e2f9e9b2ba5f52b
  
Dropped by
MD5 beaff91c61bceb4f1c58d8a3ccffc92d
  
URLhaus
https://urlhaus.abuse.ch/url/3591759/
  
URLhaus
https://urlhaus.abuse.ch/url/3591760/
  
URLhaus
https://urlhaus.abuse.ch/url/3591761/
  
URLhaus
https://urlhaus.abuse.ch/url/3591762/
  
URLhaus
https://urlhaus.abuse.ch/url/3591763/
  
URLhaus
https://urlhaus.abuse.ch/url/3591765/
  
URLhaus
https://urlhaus.abuse.ch/url/3591764/
  
URLhaus
https://urlhaus.abuse.ch/url/3591766/
  
URLhaus
https://urlhaus.abuse.ch/url/3591767/
  
URLhaus
https://urlhaus.abuse.ch/url/3591769/

Comments