MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78ac4725a3fdeffee93d194062e4bb7a9bf6ade097e01c1f22879e66cb566641. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78ac4725a3fdeffee93d194062e4bb7a9bf6ade097e01c1f22879e66cb566641
SHA3-384 hash: b5b2e4467da9a8a320c2d83e7210964fda5be8354a1e7aad82586c568129ea677a9d0e1774cf1f528d724723f9d6936e
SHA1 hash: 3488ea92ce6955c3ad2991f6f2bbe7276575e76f
MD5 hash: 8a808be8296d0dd325d65d48029ccd41
humanhash: wolfram-skylark-glucose-uniform
File name:S3o.x86
Download: download sample
Signature Mirai
Create hunting rule
File size:45'080 bytes
First seen:2025-11-19 22:01:57 UTC
Last seen:2025-11-22 06:51:17 UTC
File type: elf
MIME type:application/x-executable
ssdeep 768:aPVsvPr3Jsdaxs9r8mBn09VHzjRnX9TA7bX+GBpDi8t/8g6MYGnbcuyD7UoQRjp:ysPFpslD+5xp2OkD71CCnouy8oyN
TLSH T14E13F1E0E9E4AA85D99C8032117D7BFEB010936CB41ADD8B868021F7B87EB5E1E141D5
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai UPX
File size (compressed) :45'080 bytes
File size (de-compressed) :100'564 bytes
Format:linux/i386
Unpacked file: c4abaf96663a9c63fae50eea7ea2add48508377ef4dd373cd5b7934bcab682fb

Intelligence

File Origin
# of uploads :
2
# of downloads :
44
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Unix.Dropper.Mirai-7135858-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
DNS request
Changes access rights for a written file
Runs as daemon
Receives data from a server
Opens a port
Changes access rights for a file
Sends data to a server
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
masquerade packed upx
Link:
https://www.filescan.io/uploads/691e3e855bbff1003f0ae1c8/reports/7d60fe00-2a0b-4188-a25d-a5e0d7518633/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
UPX
Botnet:
unknown
Number of open files:
46
Number of processes launched:
6
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/78ac4725a3fdeffee93d194062e4bb7a9bf6ade097e01c1f22879e66cb566641
Behaviour
Information Gathering
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-11-19T19:29:00Z UTC
Last seen:
2025-11-21T12:58:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/78ac4725a3fdeffee93d194062e4bb7a9bf6ade097e01c1f22879e66cb566641/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/bb399ba6-c3ba-4d7b-b47e-25bcc5b188d7
Behavior Graph:
Download SVG
%3 guuid=7863bd26-1a00-0000-551d-86f86b0a0000 pid=2667 /usr/bin/sudo guuid=0e1d2d29-1a00-0000-551d-86f8750a0000 pid=2677 /tmp/sample.bin net guuid=7863bd26-1a00-0000-551d-86f86b0a0000 pid=2667->guuid=0e1d2d29-1a00-0000-551d-86f8750a0000 pid=2677 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=0e1d2d29-1a00-0000-551d-86f8750a0000 pid=2677->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=f746c929-1a00-0000-551d-86f8780a0000 pid=2680 /tmp/sample.bin guuid=0e1d2d29-1a00-0000-551d-86f8750a0000 pid=2677->guuid=f746c929-1a00-0000-551d-86f8780a0000 pid=2680 clone guuid=c5500156-1b00-0000-551d-86f88f0c0000 pid=3215 /tmp/sample.bin guuid=0e1d2d29-1a00-0000-551d-86f8750a0000 pid=2677->guuid=c5500156-1b00-0000-551d-86f88f0c0000 pid=3215 clone guuid=ba881556-1b00-0000-551d-86f8900c0000 pid=3216 /tmp/sample.bin net send-data zombie guuid=0e1d2d29-1a00-0000-551d-86f8750a0000 pid=2677->guuid=ba881556-1b00-0000-551d-86f8900c0000 pid=3216 clone guuid=bb42d129-1a00-0000-551d-86f8790a0000 pid=2681 /tmp/sample.bin guuid=f746c929-1a00-0000-551d-86f8780a0000 pid=2680->guuid=bb42d129-1a00-0000-551d-86f8790a0000 pid=2681 clone guuid=434bd629-1a00-0000-551d-86f87a0a0000 pid=2682 /tmp/sample.bin dns net send-data zombie guuid=f746c929-1a00-0000-551d-86f8780a0000 pid=2680->guuid=434bd629-1a00-0000-551d-86f87a0a0000 pid=2682 clone guuid=434bd629-1a00-0000-551d-86f87a0a0000 pid=2682->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 send: 38B 27df0594-2c83-55f0-869f-ffb273ade180 vcute69.bounceme.net:12121 guuid=434bd629-1a00-0000-551d-86f87a0a0000 pid=2682->27df0594-2c83-55f0-869f-ffb273ade180 send: 10B guuid=ba881556-1b00-0000-551d-86f8900c0000 pid=3216->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 send: 585B 17d12814-2053-5003-8343-6c5dc360bc15 vcute69.bounceme.net:80 guuid=ba881556-1b00-0000-551d-86f8900c0000 pid=3216->17d12814-2053-5003-8343-6c5dc360bc15 send: 22B
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b23399fa-2472-4bb5-9715-3d75d18f1153
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1817306
Signature
Malicious sample detected (through community Yara rule)
Sample is packed with UPX
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1817306 Sample: S3o.x86.elf Startdate: 19/11/2025 Architecture: LINUX Score: 60 22 169.254.169.254, 80 USDOSUS Reserved 2->22 24 185.125.190.26, 443 CANONICAL-ASGB United Kingdom 2->24 26 2 other IPs or domains 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 Yara detected Mirai 2->30 32 Sample is packed with UPX 2->32 8 S3o.x86.elf 2->8         started        10 python3.8 dpkg 2->10         started        signatures3 process4 process5 12 S3o.x86.elf 8->12         started        14 S3o.x86.elf 8->14         started        16 S3o.x86.elf 8->16         started        process6 18 S3o.x86.elf 12->18         started        20 S3o.x86.elf 12->20         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/78ac4725a3fdeffee93d194062e4bb7a9bf6ade097e01c1f22879e66cb566641
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/78ac4725a3fdeffee93d194062e4bb7a9bf6ade097e01c1f22879e66cb566641/
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-11-19 22:02:38 UTC
File Type:
ELF32 Little (Exe)
AV detection:
16 of 36 (44.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pcweojnd7xx752j5dfagfzf3pkn7nlpas7qbyhzcq6pgns2wmzaq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet defense_evasion discovery linux upx
Link:
https://tria.ge/reports/251119-1x2k6ae12e/
Behaviour
Reads runtime system information
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Mirai
Mirai family
Malware Config
C2 Extraction:
vcute69.bounceme.net
Verdict:
Malicious
Tags:
Unix.Dropper.Mirai-7135858-0
YARA:
n/a
Link:
https://app.threat.zone/submission/c6a75740-4e0b-48ba-a60c-6d05576df9e9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/78ac4725a3fdeffee93d194062e4bb7a9bf6ade097e01c1f22879e66cb566641

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh b7bfaf45eef40e028b2ad7086d113547c7d7514b3f5e93ff4d6d9554a46bc6dc

Mirai

elf 78ac4725a3fdeffee93d194062e4bb7a9bf6ade097e01c1f22879e66cb566641

(this sample)

Mirai

elf c4abaf96663a9c63fae50eea7ea2add48508377ef4dd373cd5b7934bcab682fb

  
URLhaus
https://urlhaus.abuse.ch/url/3712133/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 c4abaf96663a9c63fae50eea7ea2add48508377ef4dd373cd5b7934bcab682fb
  
Dropping
MD5 b2c48b6f145c09a79e732dcdfe7eee8a
  
Dropped by
SHA256 b7bfaf45eef40e028b2ad7086d113547c7d7514b3f5e93ff4d6d9554a46bc6dc
  
Dropped by
MD5 9ae1c3fecf8c6b1e8f90775af7a8f9c1
  
Dropped by
SHA256 e011e366a071eedc3182865d528cd3b3bffdd12d4f66a11a6f3c2389c28b6715
  
Dropped by
MD5 048abc2e885a20ecd21570ef0dcae668
  
URLhaus
https://urlhaus.abuse.ch/url/3712129/
  
URLhaus
https://urlhaus.abuse.ch/url/3712132/
  
URLhaus
https://urlhaus.abuse.ch/url/3713359/
  
URLhaus
https://urlhaus.abuse.ch/url/3713360/

Comments