MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76ca1acc88553fefc0d22da1f0c81388662cab3013950e82cd024d6fca208a79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 11

SHA256 hash: 76ca1acc88553fefc0d22da1f0c81388662cab3013950e82cd024d6fca208a79
SHA3-384 hash: 9be25c111246b6f159ee36321e7d209e7d858e6b0d376114a8254e7a099c49074006f215be5befab8490ec524ddcbada
SHA1 hash: 7cbb319282f11e62e71fc2e7a649ce30999ca1e5
MD5 hash: 254f2fec6cba39026e9c905a574360b5
humanhash: island-eleven-tennessee-white
File name: X86_64
Signature: Mirai
File size: 106'056 bytes
First seen: 2026-05-17 06:25:29 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 3072:c+WWbU0JOyxr5eQpsCOojBu114R8eSyN/m0RFE:VdJVQqR8eSS/fE
TLSH: T103A33966F791EE7EC427E2F08ADBE5B18830B47D0639706B73A47D651EA48D01E24712
telfhash: t13d4168b03d8a699592e7b72ab20bea55e83208300df5b4f5ad339de0cb677840d51853
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 31
Origin country: DE
Vendor Threat Intelligence
Malware configuration found for: Mirai
Details: Mirai, an XOR decryption key and at least a C2 socket address
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: gcc
Verdict: Malicious
File Type: elf.64.le
First seen: 2026-05-17T05:06:00Z UTC
Last seen: 2026-05-17T05:19:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
Result
Threat name: n/a
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signature
Drops files in suspicious directories
Drops invisible ELF files
Executes the "crontab" command typically for achieving persistence
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill a massive number of system processes
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Behaviour
Behavior Graph:
Behavior Graph ID: 1914589, Sample: X86_64.elf, Startdate: 17/05/2026, Architecture: LINUX, Score: 100 (graph rendering not reproduced here)
Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2026-05-17 06:27:09 UTC
File Type: ELF64 Little (Exe)
AV detection: 21 of 38 (55.26%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: credential_access defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
Reads process memory
Creates/modifies Cron job
Enumerates running processes
Modifies init.d
Modifies rc script
Modifies systemd
Reads system routing table
Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ELF_IoT_Persistence_Hunt
Author: 4r4
Description: Hunts for ELF files with persistence and download capabilities
Rule name: ELF_Toriilike_persist
Author: 4r4
Description: Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference: Identified via researched data
Rule name: Linux_Trojan_Gafgyt_0cd591cd
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_33b4111a
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_46eec778
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_620087b9
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_807911a2
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_862c4e0e
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_9e9530a7
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_a33a8363
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_d0c57a2e
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_d4227dbf
Author: Elastic Security
Rule name: Linux_Trojan_Gafgyt_d996d335
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_3fe3c668
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_637f2c04
Author: Elastic Security
Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File: elf 76ca1acc88553fefc0d22da1f0c81388662cab3013950e82cd024d6fca208a79 (this sample)

Delivery method: Distributed via web download

Comments