MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6805ad644dfc9fcc8a7fe26c63ee61f2cac759ebf5518f65ce3ae05cd170f1c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 11


Intelligence 11 IOCs YARA 15 File information Comments

SHA256 hash: 6805ad644dfc9fcc8a7fe26c63ee61f2cac759ebf5518f65ce3ae05cd170f1c9
SHA3-384 hash: 7ab0f75e901a3c84383fef9cee5b83bb2a2f3687425b1f9ac7547f6bb0f69e4c422f2f46ef503ea58a3087b6dd769547
SHA1 hash: a2a9013d61d7072854e622bd3cbd0e608287b93f
MD5 hash: e4fe2aef31a0504080b5b579203998af
humanhash: fish-ink-washington-speaker
File name:Space.i686
Download: download sample
Signature Mirai
File size:74'836 bytes
First seen:2025-10-29 14:57:38 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:8A9Uqtm/qzBpzah2tYeQmP7uW2wORzBbkivom3aJ2KdLNn:8A9U7KB9ah2tYe3PrXORzBbVvfKdLN
TLSH T124733985F987C6F2D4474830426BFB3FCB32D8A511B19B0DDF569F35DA33602AA22649
telfhash t1c121bffb1dbe08fda7d89940c25e6fe22826c77b556036b00563c6353367ea144a8c3d
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 10e34ed179fdbfa963054766c49e534a77ddcb84abef5b17d5e83531013c0b36
File size (compressed) :35'948 bytes
File size (de-compressed) :74'836 bytes
Format:linux/i386
Packed file: 10e34ed179fdbfa963054766c49e534a77ddcb84abef5b17d5e83531013c0b36

Intelligence


File Origin
# of uploads :
1
# of downloads :
32
Origin country :
NL NL
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Runs as daemon
Connection attempt
Sends data to a server
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
lolbin masquerade remote
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-08-11T02:29:00Z UTC
Last seen:
2025-08-11T02:57:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
%3 guuid=a2f273be-1a00-0000-fe4d-912f350d0000 pid=3381 /usr/bin/sudo guuid=c293dac0-1a00-0000-fe4d-912f3e0d0000 pid=3390 /tmp/sample.bin net guuid=a2f273be-1a00-0000-fe4d-912f350d0000 pid=3381->guuid=c293dac0-1a00-0000-fe4d-912f3e0d0000 pid=3390 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=c293dac0-1a00-0000-fe4d-912f3e0d0000 pid=3390->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=712f03c1-1a00-0000-fe4d-912f3f0d0000 pid=3391 /tmp/sample.bin guuid=c293dac0-1a00-0000-fe4d-912f3e0d0000 pid=3390->guuid=712f03c1-1a00-0000-fe4d-912f3f0d0000 pid=3391 clone guuid=2abe86ed-1b00-0000-fe4d-912f66100000 pid=4198 /tmp/sample.bin guuid=c293dac0-1a00-0000-fe4d-912f3e0d0000 pid=3390->guuid=2abe86ed-1b00-0000-fe4d-912f66100000 pid=4198 clone guuid=979d8aed-1b00-0000-fe4d-912f67100000 pid=4199 /tmp/sample.bin net send-data zombie guuid=c293dac0-1a00-0000-fe4d-912f3e0d0000 pid=3390->guuid=979d8aed-1b00-0000-fe4d-912f67100000 pid=4199 clone guuid=e23809c1-1a00-0000-fe4d-912f400d0000 pid=3392 /tmp/sample.bin guuid=712f03c1-1a00-0000-fe4d-912f3f0d0000 pid=3391->guuid=e23809c1-1a00-0000-fe4d-912f400d0000 pid=3392 clone guuid=2e1a13c1-1a00-0000-fe4d-912f410d0000 pid=3393 /tmp/sample.bin net send-data zombie guuid=712f03c1-1a00-0000-fe4d-912f3f0d0000 pid=3391->guuid=2e1a13c1-1a00-0000-fe4d-912f410d0000 pid=3393 clone 0b7fcb0e-329d-5230-a4b3-03ad05baa1cd 103.67.244.57:3778 guuid=2e1a13c1-1a00-0000-fe4d-912f410d0000 pid=3393->0b7fcb0e-329d-5230-a4b3-03ad05baa1cd send: 2B guuid=979d8aed-1b00-0000-fe4d-912f67100000 pid=4199->0b7fcb0e-329d-5230-a4b3-03ad05baa1cd send: 2B
Result
Threat name:
Detection:
malicious
Classification:
troj
Score:
64 / 100
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Yara detected Mirai
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1804012 Sample: Space.i686.elf Startdate: 29/10/2025 Architecture: LINUX Score: 64 24 103.67.244.57, 3778 WLPL-AS-APWowwayLabsPrivateLimitedIN India 2->24 26 109.202.202.202, 80 INIT7CH Switzerland 2->26 28 4 other IPs or domains 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 Antivirus / Scanner detection for submitted sample 2->32 34 Yara detected Mirai 2->34 8 Space.i686.elf 2->8         started        10 dash rm 2->10         started        12 dash rm 2->12         started        signatures3 process4 process5 14 Space.i686.elf 8->14         started        16 Space.i686.elf 8->16         started        18 Space.i686.elf 8->18         started        process6 20 Space.i686.elf 14->20         started        22 Space.i686.elf 14->22         started       
Threat name:
Linux.Worm.Mirai
Status:
Malicious
First seen:
2025-10-29 16:14:48 UTC
File Type:
ELF32 Little (Exe)
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:mirai botnet:lzrd defense_evasion discovery linux
Behaviour
Reads runtime system information
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Verdict:
Malicious
Tags:
trojan gafgyt mirai Unix.Trojan.Mirai-7100807-0
YARA:
Linux_Trojan_Gafgyt_28a2fe0c Linux_Trojan_Mirai_268aac0b Linux_Trojan_Mirai_0cb1699c Linux_Trojan_Mirai_70ef58f1 Linux_Trojan_Mirai_485c4b13 Linux_Trojan_Mirai_7d05725e Linux_Trojan_Mirai_2e3f67a9 Linux_Trojan_Mirai_0d73971c Linux_Trojan_Mirai_88de437f Linux_Trojan_Mirai_cc93863b Linux_Gafgyt_May_2024
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Mirai
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_28a2fe0c
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_0cb1699c
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_0d73971c
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_268aac0b
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_2e3f67a9
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_485c4b13
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_70ef58f1
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_7d05725e
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_88de437f
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_cc93863b
Author:Elastic Security
Rule name:SUSP_XORed_Mozilla_Oct19
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 6805ad644dfc9fcc8a7fe26c63ee61f2cac759ebf5518f65ce3ae05cd170f1c9

(this sample)

  
Delivery method
Distributed via web download

Comments