MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85d832b76ffa7623c5d14c0010db35fc9ea43aabd189731671c04ac5f3fb5cf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85d832b76ffa7623c5d14c0010db35fc9ea43aabd189731671c04ac5f3fb5cf2
SHA3-384 hash: 7dfb9d8e4080dc3cdc37f75bc8f7fd224fda7c4cc160b543bbf6a294d416ee025af3d776ca88f1b46d968a9c65e11f19
SHA1 hash: 2d05c2d38df76b1bf2727be1bdb2987ade66e181
MD5 hash: ecf5c42e83916d21ea1babde89ba9ed4
humanhash: blue-harry-music-neptune
File name:armv4l
Download: download sample
Signature Mirai
Create hunting rule
File size:73'312 bytes
First seen:2025-03-30 11:33:38 UTC
Last seen:2025-04-18 18:06:19 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:KVPTKtWP1IXaATJcZ6zsw8Gf3CgYBIQdg8:YnP18RSVsag
TLSH T192633A957C829612C9D43276FA1E42CD372657E8E3EA3213DD221F6477CAC2B0E37652
telfhash t19b21ddfa0d692dcf5bf05500928ef27e6dac35ba2f44354ae1aab90a51d32c1702dc02
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
3
# of downloads :
65
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e92e25cfd0a37f830a24e3linux22vpnfull_triage
Tags:
malware
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
true
Architecture:
arm
Packer:
not packed
Botnet:
unknown
Number of open files:
15
Number of processes launched:
2
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/85d832b76ffa7623c5d14c0010db35fc9ea43aabd189731671c04ac5f3fb5cf2
Behaviour
Anti-VM
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 172.217.192.127:3478
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/40f9583c-7214-477c-8d9c-f477d8b7917f
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1652153
Signature
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/85d832b76ffa7623c5d14c0010db35fc9ea43aabd189731671c04ac5f3fb5cf2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85d832b76ffa7623c5d14c0010db35fc9ea43aabd189731671c04ac5f3fb5cf2/
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-03-30 11:34:21 UTC
File Type:
ELF32 Little (Exe)
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxmdfn3p7j3chrorjqabbwzv7spkiovl2gexgftrybfml473ltza._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250330-npkw8axxft/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85d832b76ffa7623c5d14c0010db35fc9ea43aabd189731671c04ac5f3fb5cf2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Generic_Threat_d94e1020
Create hunting rule
Author:Elastic Security
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh a8bc12125e9a1d7604318e38f8c0c5a0430b20dab8a0d3d384104f8de528e7f0

Mirai

elf 85d832b76ffa7623c5d14c0010db35fc9ea43aabd189731671c04ac5f3fb5cf2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3495050/
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 a8bc12125e9a1d7604318e38f8c0c5a0430b20dab8a0d3d384104f8de528e7f0
  
Dropped by
MD5 2843105a674965a5d75e5829ccd17274
  
URLhaus
https://urlhaus.abuse.ch/url/3495042/
  
Dropped by
SHA256 7dcf51497ca0168b4f7f436b1069ca47b5ba8ff00e23f3cfb0addf57aa32768f
  
Dropped by
MD5 6470a053bc9376bfe1d9c36e3b0833b3
  
URLhaus
https://urlhaus.abuse.ch/url/3495067/
  
Dropped by
SHA256 b3af40324cdf4ba7fb7c50a6a4267915fca8179d4b3cf44fefcf2cc437768cf0
  
Dropped by
MD5 63e939c5e2935dd96a1e85f45469b1ac
  
Dropped by
SHA256 05bb60d449ad9d849e3303ac5c01e6766cb9fcfdb2b07e4bb1bd1f3b41bb3950
  
Dropped by
MD5 a9d5f1eb5f9ee995f3e4575617a4c300
  
Dropped by
SHA256 ae6428692adeaab08b358b337d563795a5f4ad5c130623398459aa4ad208f3dd
  
Dropped by
MD5 8e634b92b319b534cb6cb2085cd88f0e
  
Dropped by
SHA256 26fe0cb3393d7e8d61f67419ec112b5b8ea9d57e31c2684fa71ac4766ef37069
  
Dropped by
MD5 3be927ea1be3add980cbe8f61730c8cd
  
Dropped by
SHA256 122cbe427c8dc2cd07886c06a56bdd0fd83a95e86cb7bd00afdadb80b5c37d1e
  
Dropped by
MD5 77fa7ff8d600cc292c60080bdd9a7711
  
Dropped by
SHA256 c5053fc9145a56877ba14c7735d2c9400e94b0b759204bd253a3e8a270b3cf1a
  
Dropped by
MD5 6b25b9de8bab980fef87814364ed62f2
  
Dropped by
SHA256 a4b4583c2952c0394de9482e9f1a648f4a3ccf3199ce765c2b3c1b45b7a00b80
  
Dropped by
MD5 31b84cdacb95ef4ed06611978ff742d7

Comments