MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68c8ece53ef50b169f7c023aab3477c6271335c3025804500f5140d662055d25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68c8ece53ef50b169f7c023aab3477c6271335c3025804500f5140d662055d25
SHA3-384 hash: 646d985db73ff4d85fa2d91040501a8cdc80ddabe432a1e72521bd9fa064f1b1c09cdd7edea23dc61f5f3a5038735c5f
SHA1 hash: 0daf549845160abeb30ee578c99a3d53b89927d0
MD5 hash: 02655bec5b12cb849c2fa7fa418910d7
humanhash: magazine-william-social-sweet
File name:xova.arm
Download: download sample
Signature Mirai
Create hunting rule
File size:30'456 bytes
First seen:2026-01-11 05:53:09 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 768:yfmljOAm1MbhvmYdf+Ku7/LMkfzA1NpV13wq2Is3Uozc:x9m1y9FSLMWzA1/529zc
TLSH T1E2D2F1B1516A4AB1E6F6763ADB3449C352F1197EA39F6F31181107A85F8046DB07CEC3
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai UPX
File size (compressed) :30'456 bytes
File size (de-compressed) :71'004 bytes
Format:linux/arm
Unpacked file: 1201db877276ef2c19ccd61455a79f815c2a10c58353496aaedf9f8ac202e1b7

Intelligence

File Origin
# of uploads :
1
# of downloads :
57
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/5f19f21a-e9b7-4f0c-99da-f91ba681e55b/
Detection(s):
SecuriteInfo.com.Linux.Mirai-18.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
masquerade mirai packed upx
Link:
https://www.filescan.io/uploads/69633ad907ef5fa68e841950/reports/556efa6c-3262-4487-8ab1-3d8dfc3d5dde/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-01-11T03:01:00Z UTC
Last seen:
2026-01-12T12:48:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/68c8ece53ef50b169f7c023aab3477c6271335c3025804500f5140d662055d25/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/87881876-88a3-4294-a01e-3975f708c521
Behavior Graph:
Download SVG
%3 guuid=1a16e2c9-2000-0000-aa5d-42595f0c0000 pid=3167 /usr/bin/sudo guuid=0d84f3cb-2000-0000-aa5d-4259640c0000 pid=3172 /tmp/sample.bin guuid=1a16e2c9-2000-0000-aa5d-42595f0c0000 pid=3167->guuid=0d84f3cb-2000-0000-aa5d-4259640c0000 pid=3172 execve
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cc9099ef-ef46-4113-bcd3-bd4e76dadc3e
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1848256
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample is packed with UPX
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1848256 Sample: xova.arm.elf Startdate: 11/01/2026 Architecture: LINUX Score: 88 131 197.241.174.238, 23 movicel-asAO Angola 2->131 133 66.44.242.193, 23 YADTELNETUS United States 2->133 135 98 other IPs or domains 2->135 143 Malicious sample detected (through community Yara rule) 2->143 145 Multi AV Scanner detection for submitted file 2->145 147 Yara detected Mirai 2->147 149 Sample is packed with UPX 2->149 12 systemd gdm3 2->12         started        14 systemd gdm3 2->14         started        16 systemd gpu-manager 2->16         started        18 96 other processes 2->18 signatures3 process4 file5 22 gdm3 gdm-session-worker 12->22         started        24 gdm3 gdm-session-worker 12->24         started        35 5 other processes 12->35 26 gdm3 gdm-session-worker 14->26         started        28 gdm3 plymouth 14->28         started        37 8 other processes 16->37 129 /var/log/wtmp, data 18->129 dropped 139 Sample reads /proc/mounts (often used for finding a writable filesystem) 18->139 141 Reads system files that contain records of logged in users 18->141 30 xova.arm.elf 18->30         started        32 xova.arm.elf 18->32         started        39 48 other processes 18->39 signatures6 process7 signatures8 41 gdm-session-worker gdm-wayland-session 22->41         started        43 gdm-session-worker gdm-x-session 24->43         started        45 gdm-session-worker gdm-wayland-session 26->45         started        47 xova.arm.elf 30->47         started        54 2 other processes 30->54 137 Sample tries to kill multiple processes (SIGKILL) 32->137 56 8 other processes 37->56 50 language-validate language-options 39->50         started        52 language-validate language-options 39->52         started        58 34 other processes 39->58 process9 signatures10 60 gdm-wayland-session dbus-run-session 41->60         started        62 gdm-x-session Xorg Xorg.wrap Xorg 43->62         started        64 gdm-wayland-session dbus-run-session 45->64         started        153 Sample tries to kill multiple processes (SIGKILL) 47->153 66 language-options sh 50->66         started        68 language-options sh 52->68         started        70 language-options sh 58->70         started        72 language-options sh 58->72         started        process11 process12 74 dbus-run-session dbus-daemon 60->74         started        77 dbus-run-session gnome-session gnome-session-binary 1 60->77         started        79 Xorg sh 62->79         started        81 dbus-run-session dbus-daemon 64->81         started        83 dbus-run-session gnome-session gnome-session-binary 64->83         started        85 2 other processes 66->85 87 2 other processes 68->87 89 2 other processes 70->89 91 2 other processes 72->91 signatures13 151 Sample reads /proc/mounts (often used for finding a writable filesystem) 74->151 93 dbus-daemon 74->93         started        95 dbus-daemon 74->95         started        97 dbus-daemon 74->97         started        103 4 other processes 74->103 105 2 other processes 77->105 99 sh xkbcomp 79->99         started        101 dbus-daemon 81->101         started        107 6 other processes 81->107 109 2 other processes 83->109 process14 process15 111 dbus-daemon false 93->111         started        113 dbus-daemon false 95->113         started        115 dbus-daemon false 97->115         started        117 dbus-daemon false 101->117         started        119 dbus-daemon false 103->119         started        121 dbus-daemon false 103->121         started        123 dbus-daemon false 103->123         started        125 dbus-daemon false 103->125         started        127 6 other processes 107->127
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/68c8ece53ef50b169f7c023aab3477c6271335c3025804500f5140d662055d25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68c8ece53ef50b169f7c023aab3477c6271335c3025804500f5140d662055d25/
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-11 05:45:38 UTC
File Type:
ELF32 Little (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ndeozzj66ufrnh34ai5kwndxyytrgnodajmaiuapkfanmyqflusq._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
upx
Link:
https://tria.ge/reports/260111-gljresbs2d/
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7149431a-4c3e-4d6a-ac42-a4daf9e1e36d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/68c8ece53ef50b169f7c023aab3477c6271335c3025804500f5140d662055d25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 68c8ece53ef50b169f7c023aab3477c6271335c3025804500f5140d662055d25

(this sample)

Mirai

elf 1201db877276ef2c19ccd61455a79f815c2a10c58353496aaedf9f8ac202e1b7

  
URLhaus
https://urlhaus.abuse.ch/url/3755775/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3755813/
  
Dropping
SHA256 1201db877276ef2c19ccd61455a79f815c2a10c58353496aaedf9f8ac202e1b7
  
Dropping
MD5 e175b71992d7101b7e6190dd58795ac8

Comments