MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 788f7b8e67e9f00beb73d5a44cc2454ff8ae2caaa1c278c6535138bac5577c3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 9

Intelligence 9 IOCs YARA 6 File information Comments

SHA256 hash:	788f7b8e67e9f00beb73d5a44cc2454ff8ae2caaa1c278c6535138bac5577c3a
SHA3-384 hash:	dc490ed86a17c8f81d107227322eaf56cab63bc471638f09072035583b517f13f7e84062e992b966a9b236f165d240c5
SHA1 hash:	ccbccea4e4e7d524e744b82da6ce267e5c5f528b
MD5 hash:	9f89d1cb290655b292ed1587cf62824a
humanhash:	lemon-july-august-glucose
File name:	arm5
Download:	download sample
Signature	Mirai Create hunting rule
File size:	67'620 bytes
First seen:	2025-12-04 00:23:25 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	1536:u6HTrvpmLYpasjtZ8d6bmZY7m+zuvRKfOfzO:u6zrvpmEDbMr+zuvRKfcO
TLSH	T182631982FC92C96AC6D82376B76E228E3321B3E4C1CE3717CD189F6537C561E5D66A40
telfhash	t1b1f05c44be778e0594e69a74ecad47b4d9031127a1a60b20cf578ae1883e448e70cd2d
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf mirai upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 4fbc8be43f8d47feab328015c4c8f5ba87562f880e73430c8c981f2868e51628

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	27'548 bytes
File size (de-compressed) :	67'620 bytes
Format:	linux/arm
Packed file:	4fbc8be43f8d47feab328015c4c8f5ba87562f880e73430c8c981f2868e51628

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Mirai

Details

Mirai

an XOR decryption key and at least a c2 socket address

Link:

https://research.acce.ciphertechsolutions.com/results/bf4375f6-2393-48cd-b4b9-86f089d772b9/

Detection(s):

Sanesecurity.Malware.30435.LC.UNOFFICIAL

SecuriteInfo.com.Linux.Siggen.9999-6.UNOFFICIAL

Unix.Trojan.Mirai-7100807-0

Unix.Dropper.Mirai-7135897-0

Unix.Dropper.Mirai-7135901-0

Unix.Dropper.Mirai-7135909-0

Unix.Trojan.Mirai-7135916-0

Unix.Dropper.Mirai-7135918-0

Unix.Dropper.Mirai-7135954-0

Unix.Dropper.Mirai-7136016-0

Unix.Dropper.Mirai-7136028-0

Unix.Trojan.Mirai-8025795-0

Unix.Trojan.Mirai-9441505-0

Unix.Dropper.Mirai-10007027-0

Unix.Trojan.Mirai-10009361-0

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

gafgyt gcc mirai obfuscated rust

Link:

https://www.filescan.io/uploads/6930d4abd12d1c79d428ead3/reports/913350a8-f053-4500-8810-47f08843b787/overview

Result

Gathering data

Malware family:

Mirai

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1b8be482-d085-4d2e-9df9-7b84f767aeb8

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1825983

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/788f7b8e67e9f00beb73d5a44cc2454ff8ae2caaa1c278c6535138bac5577c3a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/788f7b8e67e9f00beb73d5a44cc2454ff8ae2caaa1c278c6535138bac5577c3a/

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pchxxdth5hyax23t2wsezqsfj74k4lfkuhbhrrstke4lvrkxpq5a._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai

Link:

https://tria.ge/reports/251204-ap36xawnex/

Malware Config

C2 Extraction:

teamc2.duckdns.org

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ELF_Mirai Create hunting rule
Author:	NDA0E
Description:	Detects multiple Mirai variants

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	setsockopt Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for setsockopt() red flags

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research