MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ddd7b3502a2e1c0e1358c0752b971468b88e01e4dbfbf84d9a98e5f9630624d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8



SHA256 hash: 7ddd7b3502a2e1c0e1358c0752b971468b88e01e4dbfbf84d9a98e5f9630624d
SHA3-384 hash: 46723df941bae972ef77710a112bb637db9b17a8d6bec2dc032402184f140bb1650e84a4ada06deb17287e53c60aab2c
SHA1 hash: 910f3d52a86a06ac2a4e8fbb012bf1f0bca4ff6a
MD5 hash: 97a85187eb85c70807c7c028cfc1aa15
humanhash: kansas-march-don-cola
File name: x86
Signature Mirai
File size: 71'152 bytes
First seen: 2026-06-02 06:31:28 UTC
Last seen: 2026-06-03 06:50:05 UTC
File type: elf
MIME type: application/x-executable
ssdeep 1536:ouOmHbuELEV/2guKO9kAsOPsXTVxxeJq3zn5Q/5dTw9q99e/:FOm77La/BuiAsNMJq3zC/HMsU/
TLSH T1EA635DC5A653D4F1E8A206B6053BA3129F76E4374639EB87DB9539329C13F00AA1B35C
telfhash t12d31f4bb5e7a1cecb7616940c31e2b92394edb77166032f14123d979229bec090a9c38
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags: elf mirai

Intelligence


File Origin
# of uploads: 3
# of downloads: 65
Origin country: DE
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sends data to a server
Creating a file
Receives data from a server
Opens a port
DNS request
Runs as daemon
Substitutes an application name
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-06-02T01:59:00Z UTC
Last seen:
2026-06-03T19:31:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph: process tree (sudo launches /tmp/sample.bin, which clones child processes that perform DNS requests and send data to remote hosts); graph data not reproduced
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph: ID 1921456, Sample: x86.elf, Start date: 02/06/2026, Architecture: LINUX, Score: 56 (process tree of x86.elf with several started child processes; graph data not reproduced)
Threat name:
Linux.Worm.Mirai
Status:
Malicious
First seen:
2026-06-02 04:51:33 UTC
File Type:
ELF32 Little (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
5/10
Tags:
credential_access linux
Behaviour
Changes its process name
Reads process memory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ELF_Toriilike_persist
Author: 4r4
Description: Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference: Identified via researched data
Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: Linux_Trojan_Mirai_389ee3e9
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_cc93863b
Author: Elastic Security
Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags
Rule name: woof_mirai_variant
Author: Nokia Deepfield ERT
Description: Detects Woof Mirai variant (ChaCha20 table, HTTP C2 with token/guid, .woof dropper)
Reference: Internal analysis of sample 6ef4ce02

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mirai
Sample: elf 7ddd7b3502a2e1c0e1358c0752b971468b88e01e4dbfbf84d9a98e5f9630624d (this sample)

Comments