MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f5a57ada8514eb6c7e8bbe14da714ab796825d552f7529dcdb01c7c81abc2e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f5a57ada8514eb6c7e8bbe14da714ab796825d552f7529dcdb01c7c81abc2e2
SHA3-384 hash: 7af536be872a1264ab2880c52985efbf537b3f83aff891f79013405b0e87339ca990788c28e1d7cfdcb4f7b0af2c1511
SHA1 hash: d096f1e315d7e9f5f810cada242ae010db48fee7
MD5 hash: 4fec2aedf840742418f532d1d1ab2ad0
humanhash: solar-cardinal-minnesota-blossom
File name:arm5
Download: download sample
Signature Mirai
Create hunting rule
File size:46'780 bytes
First seen:2025-12-19 17:43:20 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 768:q/e3KOuuCe4gWGTEN+QlWPIeeb4V5U17MXmqSPhF+dAszAcoOP:hRChgW3hb4V5XX2hF+jk
TLSH T153231A96BD824A67C5D027BAB76E428D33A267A9C2CF7753D8100B047B8690F4D7BB40
telfhash t1e8f09e04fdb48f1a59e29470dcbd22a5d4866263b1b21b21af5acbd5cc3f456e308d1e
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 68b3c7537cd59c58b64fbf3b20296a0dc41cc0a7198fd387845025751f9ba23e
File size (compressed) :23'148 bytes
File size (de-compressed) :46'780 bytes
Format:linux/arm
Packed file: 68b3c7537cd59c58b64fbf3b20296a0dc41cc0a7198fd387845025751f9ba23e

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Mirai
Details
Link:
https://research.acce.ciphertechsolutions.com/results/eb3f12e0-aa62-42c3-a05e-9765b6f31171/
Detection(s):
Unix.Trojan.Mirai-8025795-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
coinminer mirai rust
Link:
https://www.filescan.io/uploads/69458eeee126b9ff43891e61/reports/3feaa723-31fa-4c68-b2a6-f58dfe933ad4/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-12-19T14:48:00Z UTC
Last seen:
2025-12-20T00:06:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Linux.Mirai.b
Link:
https://opentip.kaspersky.com/6f5a57ada8514eb6c7e8bbe14da714ab796825d552f7529dcdb01c7c81abc2e2/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/e726b1f6-9318-49c0-9558-9b28c58068e8
Behavior Graph:
Download SVG
%3 guuid=9ec491f4-1900-0000-82f3-9489e5080000 pid=2277 /usr/bin/sudo guuid=091338f8-1900-0000-82f3-9489ec080000 pid=2284 /tmp/sample.bin guuid=9ec491f4-1900-0000-82f3-9489e5080000 pid=2277->guuid=091338f8-1900-0000-82f3-9489ec080000 pid=2284 execve
Gathering data
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
mine
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1836434
Signature
Found strings related to Crypto-Mining
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/6f5a57ada8514eb6c7e8bbe14da714ab796825d552f7529dcdb01c7c81abc2e2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f5a57ada8514eb6c7e8bbe14da714ab796825d552f7529dcdb01c7c81abc2e2/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/6f5a57ada8514eb6c7e8bbe14da714ab796825d552f7529dcdb01c7c81abc2e2
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-12-19 17:44:17 UTC
File Type:
ELF32 Little (Exe)
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n5nfplnikfhlnr7ixpqu3jyuvn4wqjovkl3vfhonwaohzanlylra._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai
Link:
https://tria.ge/reports/251219-wasyaacx8g/
Malware Config
C2 Extraction:
ahahahahahajs.unproxy.st
Verdict:
Malicious
Tags:
cryptojacking coinminer Unix.Trojan.Mirai-8025795-0
YARA:
CoinMiner_Strings
Link:
https://app.threat.zone/submission/e9d90cf6-0381-486c-96b3-8459f7d734ac
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6f5a57ada8514eb6c7e8bbe14da714ab796825d552f7529dcdb01c7c81abc2e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CoinMiner_Strings
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects mining pool protocol string in Executable
Reference:https://minergate.com/faq/what-pool-address
Rule name:CoinMiner_Strings_RID2DDE
Create hunting rule
Author:Florian Roth
Description:Detects mining pool protocol string in Executable
Reference:https://minergate.com/faq/what-pool-address
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 68b3c7537cd59c58b64fbf3b20296a0dc41cc0a7198fd387845025751f9ba23e

Mirai

elf 6f5a57ada8514eb6c7e8bbe14da714ab796825d552f7529dcdb01c7c81abc2e2

(this sample)

  
Dropped by
SHA256 68b3c7537cd59c58b64fbf3b20296a0dc41cc0a7198fd387845025751f9ba23e
  
URLhaus
https://urlhaus.abuse.ch/url/3683090/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 19f3778a1b88ddc2e9958730245961f5
  
URLhaus
https://urlhaus.abuse.ch/url/3713676/
  
URLhaus
https://urlhaus.abuse.ch/url/3713665/
  
URLhaus
https://urlhaus.abuse.ch/url/3724825/

Comments