MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fe0184b8d5715d36b4f15b0f8e82c118f70268609652dc73cd04c80b9719bc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fe0184b8d5715d36b4f15b0f8e82c118f70268609652dc73cd04c80b9719bc8
SHA3-384 hash: bbe1dffe747497a6642f8b15ebc1f5d4ff975ad6efa278e936567f717935023e3c237f972286f4ce1b9bcb1b62c3d39f
SHA1 hash: 9de857bb573977402db41fc18971495e4430383e
MD5 hash: f35dc3b5afd509457d7de3c6c3b1dcbd
humanhash: saturn-paris-tango-robin
File name:ssh-agent-auth.spc
Download: download sample
Signature Mirai
Create hunting rule
File size:88'251 bytes
First seen:2026-02-01 12:28:26 UTC
Last seen:2026-02-02 00:31:47 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:Q4z9X61Wm7XCjyX0XRvkOIQkdQWcevvUtjuo95/JgQRSt2aDy:zRX6lVgevsBuoPB7ky
TLSH T13C834C22BDB5192BC4D8A97621F34325F2F2478A24ACCA2F7D710E8DBF6464036537B5
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
2
# of downloads :
55
Origin country :
DE DE
Vendor Threat Intelligence
Gathering data
Detection(s):
Unix.Trojan.Mirai-8025795-0
Create hunting rule

Unix.Trojan.Mirai-9441505-0
Create hunting rule

Unix.Trojan.Mirai-10056463-0
Create hunting rule

Unix.Trojan.Mirai-10058414-0
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
gafgyt masquerade mirai
Link:
https://www.filescan.io/uploads/697f47222ffccda097654cf9/reports/6e763b98-7e1d-4f8a-89f8-291e10e69e4d/overview
Verdict:
Malicious
File Type:
ELF 32 BE
Detections:
HEUR:Backdoor.Linux.Gafgyt.bj HEUR:Backdoor.Linux.Mirai.cw HEUR:Backdoor.Linux.Mirai.b HEUR:Backdoor.Linux.Gafgyt.bl
Link:
https://opentip.kaspersky.com/6fe0184b8d5715d36b4f15b0f8e82c118f70268609652dc73cd04c80b9719bc8/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/b8f872c7-e96c-46cd-a89e-2229c98a9263
Behavior Graph:
Download SVG
%3 guuid=a1738f2c-1700-0000-11d0-de81180d0000 pid=3352 /usr/bin/sudo guuid=611d232e-1700-0000-11d0-de811f0d0000 pid=3359 /tmp/sample.bin guuid=a1738f2c-1700-0000-11d0-de81180d0000 pid=3352->guuid=611d232e-1700-0000-11d0-de811f0d0000 pid=3359 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/455675c6-361b-4029-94d8-a8e4a8716edb
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1861203
Signature
Antivirus / Scanner detection for submitted sample
Drops files in suspicious directories
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1861203 Sample: ssh-agent-auth.spc.elf Startdate: 01/02/2026 Architecture: LINUX Score: 72 47 109.202.202.202, 80 INIT7CH Switzerland 2->47 49 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->49 51 2 other IPs or domains 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for submitted file 2->55 10 ssh-agent-auth.spc.elf 2->10         started        13 dash rm 2->13         started        15 dash rm 2->15         started        signatures3 process4 signatures5 63 Sample deletes itself 10->63 17 ssh-agent-auth.spc.elf 10->17         started        process6 process7 19 ssh-agent-auth.spc.elf 17->19         started        file8 45 /etc/init.d/sysd, POSIX 19->45 dropped 57 Sample tries to set files in /etc globally writable 19->57 59 Drops files in suspicious directories 19->59 61 Sample tries to persist itself using System V runlevels 19->61 23 ssh-agent-auth.spc.elf sh 19->23         started        25 ssh-agent-auth.spc.elf 19->25         started        27 ssh-agent-auth.spc.elf 19->27         started        29 60 other processes 19->29 signatures9 process10 process11 31 sh cp 23->31         started        33 ssh-agent-auth.spc.elf 25->33         started        35 ssh-agent-auth.spc.elf 27->35         started        37 ssh-agent-auth.spc.elf 29->37         started        39 ssh-agent-auth.spc.elf 29->39         started        41 ssh-agent-auth.spc.elf 29->41         started        43 57 other processes 29->43
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/6fe0184b8d5715d36b4f15b0f8e82c118f70268609652dc73cd04c80b9719bc8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fe0184b8d5715d36b4f15b0f8e82c118f70268609652dc73cd04c80b9719bc8/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/6fe0184b8d5715d36b4f15b0f8e82c118f70268609652dc73cd04c80b9719bc8
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-02-01 12:29:32 UTC
File Type:
ELF32 Big (Exe)
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n7qbqs4nk4k5g22pcwypr2bmcghxajugbfss3rz42bgibolrtpea._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai linux
Link:
https://tria.ge/reports/260201-pn3w3sev6c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6fe0184b8d5715d36b4f15b0f8e82c118f70268609652dc73cd04c80b9719bc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_IoT_Persistence_Hunt
Create hunting rule
Author:4r4
Description:Hunts for ELF files with persistence and download capabilities
Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 6fe0184b8d5715d36b4f15b0f8e82c118f70268609652dc73cd04c80b9719bc8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3766859/
  
Delivery method
Distributed via web download

Comments