MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8381505af7af56d74cf3b56f52e8f7799f445744d563fbd0f03449df589ec695. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	8381505af7af56d74cf3b56f52e8f7799f445744d563fbd0f03449df589ec695
SHA3-384 hash:	6ab0ed208a3e104ebf4d8af9ea5dd0e061f046858a2320c0ef2f9dcadeb171ff27dd98d6bac4a67db0848419d3cbe2b4
SHA1 hash:	38d452ab107795d9a65d7367eb575050f98630e1
MD5 hash:	303e2ca3778adba2502ddc7d65b35c84
humanhash:	speaker-fruit-golf-sink
File name:	ppc
Download:	download sample
Signature	Mirai Create hunting rule
File size:	92'064 bytes
First seen:	2025-12-03 20:12:19 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	1536:wrTRtMgxWLtLcDcTD+rdiYRQpPixbbUZrvoxnH7OGdpKTq8kJ+unHxpeECO7HnjE:awoWLt9T1Y2i6wpg2+2xgM/mr
TLSH	T104934B02B3180A47D1A34DB03A3F1BD1C3BFA5D121E4F689692E9B8596B5D336486FCD
Magika	elf
Reporter	abuse_ch
Tags:	elf mirai upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 4d0ff47525b4e8de5005a1239f8450f1a1df266b36c8f1fb0f3e63c96959b0be

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	42'228 bytes
File size (de-compressed) :	92'064 bytes
Format:	linux/ppc32
Packed file:	4d0ff47525b4e8de5005a1239f8450f1a1df266b36c8f1fb0f3e63c96959b0be

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Mirai

Details

Mirai

an XOR decryption key and at least a c2 socket address

Link:

https://research.acce.ciphertechsolutions.com/results/d9a51023-64f2-4036-8082-4524659d5642/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Runs as daemon

Sends data to a server

DNS request

Connection attempt

Traces processes

Substitutes an application name

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

mirai

Link:

https://www.filescan.io/uploads/693099dad4d2310e5cbe921a/reports/e679e590-042a-48f3-a8bb-12b812ca7346/overview

Result

Gathering data

Verdict:

Malicious

File Type:

elf.32.be

Detections:

HEUR:Backdoor.Linux.Mirai.h HEUR:Backdoor.Linux.Mirai.cw HEUR:Backdoor.Linux.Mirai.b

Link:

https://opentip.kaspersky.com/8381505af7af56d74cf3b56f52e8f7799f445744d563fbd0f03449df589ec695/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a76f18e5-a875-482d-9399-ec399424087c

Result

Threat name:

Mirai, Xmrig

Detection:

malicious

Classification:

troj.mine

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1825794

Signature

Antivirus / Scanner detection for submitted sample

Found strings related to Crypto-Mining

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Mirai

Yara detected Xmrig cryptocurrency miner

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/8381505af7af56d74cf3b56f52e8f7799f445744d563fbd0f03449df589ec695

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8381505af7af56d74cf3b56f52e8f7799f445744d563fbd0f03449df589ec695/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/8381505af7af56d74cf3b56f52e8f7799f445744d563fbd0f03449df589ec695

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qoavawxxv5lnothtwvxvf2hxpgpuiv2e2vr7xuhqgre56we6y2kq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai linux

Link:

https://tria.ge/reports/251203-yzhjystnfv/

Malware Config

C2 Extraction:

ahahahahahajs.unproxy.st

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CoinMiner_Strings Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects mining pool protocol string in Executable
Reference:	https://minergate.com/faq/what-pool-address

Rule name:	CoinMiner_Strings_RID2DDE Create hunting rule
Author:	Florian Roth
Description:	Detects mining pool protocol string in Executable
Reference:	https://minergate.com/faq/what-pool-address

Rule name:	enterpriseapps2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise apps

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Linux_Trojan_Gafgyt_28a2fe0c Create hunting rule
Author:	Elastic Security

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 4d0ff47525b4e8de5005a1239f8450f1a1df266b36c8f1fb0f3e63c96959b0be

Mirai

elf 8381505af7af56d74cf3b56f52e8f7799f445744d563fbd0f03449df589ec695

(this sample)

Dropped by

SHA256 4d0ff47525b4e8de5005a1239f8450f1a1df266b36c8f1fb0f3e63c96959b0be

URLhaus

https://urlhaus.abuse.ch/url/3683092/

Delivery method

Distributed via web download

Dropped by

MD5 b538db7591d844f8a5221ccab1d050e4

URLhaus

https://urlhaus.abuse.ch/url/3718239/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample