MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 7789dd9f9b5d288ce93e6d6ed6b55699eeffc841244a9bf269547131fc3d6412. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Mirai
Vendor detections: 6
| SHA256 hash: | 7789dd9f9b5d288ce93e6d6ed6b55699eeffc841244a9bf269547131fc3d6412 |
|---|---|
| SHA3-384 hash: | c04ff3b145bf82899b1c9de8ecebe170496e129ac5eb04a87f7c1128b53b35d983559fdbe5fbbc243887e8f974e914a9 |
| SHA1 hash: | 694420ef66616edce6a2abc232f2fc270050e47d |
| MD5 hash: | f1114924a6ef72274a4dee2af2c6ee14 |
| humanhash: | thirteen-leopard-november-skylark |
| File name: | Mozi.m |
| Signature: | Mirai |
| File size: | 301'196 bytes |
| First seen: | 2021-07-11 03:01:34 UTC |
| Last seen: | Never |
| File type: | elf |
| MIME type: | application/x-executable |
| ssdeep: | 6144:p3lOYoaja8xzx/0wsxzSi8Ba77oNsKqqfPqOJA:p1CG/jsxzX8Ba/HKqoPqOJA |
| TLSH: | T10754E08AEE01AE25E9C016BAFE5F034973774BACD3DBB111E620C72936DA54B4F76044 |
| Reporter: | |
| Tags: | mirai |
Intelligence
File Origin
Vendor Threat Intelligence
SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL
Unix.Dropper.Botnet-6566040-0
Unix.Packed.Botnet-6566031-0
Unix.Trojan.Gafgyt-6735924-0
Unix.Trojan.Gafgyt-6748839-0
Unix.Trojan.Mirai-7100807-0
Unix.Dropper.Mirai-7135934-0
Unix.Dropper.Mirai-7136013-0
Unix.Dropper.Mirai-7136057-0
Unix.Dropper.Mirai-7136070-0
Unix.Trojan.Mirai-8025795-0
Unix.Trojan.Mirai-9762350-0
Unix.Trojan.Mirai-9763616-0
Unix.Trojan.Mirai-9769616-0
Unix.Exploit.Mirai-9795501-0
Unix.Trojan.Mozi-9840825-0
Unix.Trojan.Mirai-9843255-0
Unix.Trojan.Mirai-9858729-0
Behaviour
Botnet C2s
212.129.33.59:6881
67.215.246.10:6881
82.221.103.244:6881
130.239.18.159:6881
182.126.16.34:6881
213.239.204.198:6881
221.155.6.186:6881
201.8.168.215:6881
111.38.106.48:6881
80.132.245.44:6881
62.210.102.56:7806
213.136.79.7:51472
130.239.18.159:8744
135.181.182.188:43172
211.198.209.51:62721
219.154.105.206:22131
130.239.18.159:8896
95.198.73.192:5060
27.215.109.41:5060
185.157.247.30:5060
178.141.207.199:5060
108.171.252.175:11991
183.102.58.179:4000
188.169.61.214:4000
103.219.141.49:4000
125.47.245.90:30301
117.196.26.214:30301
120.209.126.243:30301
112.27.124.145:30301
112.30.110.27:8081
182.58.233.128:8081
198.16.58.241:8081
117.222.173.26:1027
112.254.199.144:12641
201.15.198.27:50321
72.76.203.61:50321
184.148.237.233:23693
45.87.251.10:28066
130.239.18.159:8559
130.239.18.159:8623
81.198.240.73:29328
130.239.18.159:8944
80.243.106.186:51413
50.125.91.97:51413
213.136.79.27:51413
66.70.186.186:51413
84.254.4.116:64216
27.207.249.73:23872
27.209.134.25:55274
111.92.119.74:12733
112.30.110.58:1434
178.141.62.236:1434
178.141.23.249:49181
101.0.41.235:48334
223.130.31.89:61837
77.149.28.50:27032
67.140.45.246:27032
49.12.80.203:50000
178.63.54.123:50000
49.12.81.74:50000
116.202.169.226:50000
49.12.80.202:50000
116.202.166.145:50000
178.63.65.152:50000
136.243.44.2:50000
94.130.216.28:50000
49.12.81.77:50000
49.12.81.10:50000
136.243.62.113:50000
95.216.14.178:50000
116.202.225.10:50000
111.92.79.150:40520
68.82.13.98:6882
147.12.232.154:31986
62.20.166.34:8999
218.57.127.209:5255
113.226.244.141:11211
120.85.118.186:14814
42.231.94.201:44305
180.177.180.6:48524
119.250.136.177:34210
116.68.97.229:28181
130.239.18.159:8723
130.239.18.159:8549
178.141.150.246:65287
173.212.202.22:6951
130.239.18.159:8763
130.239.18.159:8700
130.239.18.159:9031
130.239.18.159:8706
130.239.18.159:8978
130.239.18.159:9118
130.239.18.159:8671
130.239.18.159:8952
130.239.18.159:8803
5.189.183.129:27906
113.169.165.189:2660
27.215.86.41:28042
130.239.18.159:8792
130.239.18.159:8547
95.211.191.96:57271
185.162.184.6:59427
157.32.75.121:55966
221.232.178.249:40797
80.246.94.112:11776
116.68.97.252:4276
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | linux_generic_ipv6_catcher |
|---|---|
| Author: | @_lubiedo |
| Description: | ELF samples using IPv6 addresses |
| Rule name: | linux_generic_p2p_catcher |
|---|---|
| Author: | @_lubiedo |
| Description: | Generic catcher for P2P capable linux ELFs |
| Rule name: | SUSP_ELF_LNX_UPX_Compressed_File |
|---|---|
| Author: | Florian Roth |
| Description: | Detects a suspicious ELF binary with UPX compression |
| Reference: | Internal Research |
| Rule name: | SUSP_XORed_Mozilla |
|---|---|
| Author: | Florian Roth |
| Description: | Detects suspicious XORed keyword - Mozilla/5.0 |
| Reference: | Internal Research |
File information
The table below shows additional information about this malware sample, such as its delivery method and external references.
| Delivery method: | Web download |
|---|---|