MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 861ac422be84ec5e4f485d56923da3d0e215e208c72ce88cf131d24338d2da54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	861ac422be84ec5e4f485d56923da3d0e215e208c72ce88cf131d24338d2da54
SHA3-384 hash:	3bf7e797948d60ca2a6747f096b98aee8e148a42ffd837941ac9f804bcb64fc4f4548f5b6ef50fd5287230e88d829392
SHA1 hash:	de11f56686ced8bb3929df83e3a41f0a1133179f
MD5 hash:	9de877ba192f4f32421a5e37a7732e3b
humanhash:	west-spaghetti-montana-double
File name:	ngentodluwh.mips2
Download:	download sample
Signature	Mirai Create hunting rule
File size:	206'256 bytes
First seen:	2025-11-23 01:24:30 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	6144:El8P+kAy053vkopMaNoxJv4gMwSs7d3LVDpq:E+P7ATVko2aQeQPpq
TLSH	T16814C84E6F228F7EFBAC873447B74D20975933D626E1D584D1ACD6012E6038E641FBA8
telfhash	t106417f180d7817b4a3355c5e49ddff76e6a320db7e166c238e11e86aa769b834d11c0c
Magika	elf
Reporter	abuse_ch
Tags:	elf mirai upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 71992486c643a6c3d941740a20446008fc9f6b03583704fe0a44e33fc08614d7

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	61'928 bytes
File size (de-compressed) :	206'256 bytes
Format:	linux/mips
Packed file:	71992486c643a6c3d941740a20446008fc9f6b03583704fe0a44e33fc08614d7

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Unix.Trojan.Mirai-7100807-0

Unix.Dropper.Mirai-7135881-0

Unix.Dropper.Mirai-7135897-0

Unix.Dropper.Mirai-7135901-0

Unix.Dropper.Mirai-7135909-0

Unix.Trojan.Mirai-7135916-0

Unix.Dropper.Mirai-7135918-0

Unix.Dropper.Mirai-7135954-0

Unix.Dropper.Mirai-7135996-0

Unix.Dropper.Mirai-7136013-0

Unix.Dropper.Mirai-7136016-0

Unix.Dropper.Mirai-7136028-0

Unix.Dropper.Mirai-7136033-0

Unix.Dropper.Mirai-7136057-0

Unix.Trojan.Mirai-8025795-0

Unix.Trojan.Mirai-8041698-0

Unix.Trojan.Mirai-9807962-0

Unix.Trojan.Mirai-9808381-0

Unix.Trojan.Mirai-9858729-0

Unix.Trojan.Mirai-10017641-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Runs as daemon

Receives data from a server

Opens a port

Sends data to a server

Kills critical processes

Performs a bruteforce attack in the network

Verdict:

Malicious

Uses P2P?:

false

Uses anti-vm?:

false

Architecture:

mips

Packer:

not packed

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

Full report:

https://elfdigest.com/brief/861ac422be84ec5e4f485d56923da3d0e215e208c72ce88cf131d24338d2da54

Behaviour

no suspicious findings

Botnet C2s

TCP botnet C2(s):

type:Mirai 82.22.174.27:9506

UDP botnet C2(s):

not identified

Verdict:

Malicious

File Type:

elf.32.be

First seen:

2025-11-22T23:46:00Z UTC

Last seen:

2025-11-23T02:28:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/861ac422be84ec5e4f485d56923da3d0e215e208c72ce88cf131d24338d2da54/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/5c5350fc-2b3f-4b6b-b892-b318f846097a

Behavior Graph:

Download SVG

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1819269

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/861ac422be84ec5e4f485d56923da3d0e215e208c72ce88cf131d24338d2da54

Detection:

mirai

Link:

https://mwdb.cert.pl/sample/861ac422be84ec5e4f485d56923da3d0e215e208c72ce88cf131d24338d2da54/

Threat name:

Linux.Worm.Mirai

Status:

Malicious

First seen:

2025-11-23 01:25:44 UTC

File Type:

ELF32 Big (Exe)

AV detection:

18 of 36 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qynmiiv6qtwf4t2ilvljepnd2drblyqiy4wordhrghjegogs3jka._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai defense_evasion discovery

Link:

https://tria.ge/reports/251123-bta7cssnal/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Reads system network configuration

Enumerates active TCP sockets

Enumerates running processes

Modifies Watchdog functionality

Contacts a large (20281) amount of remote hosts

Creates a large amount of network flows

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2b81daba-efbe-4cb3-98da-d4fa50b73167

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/861ac422be84ec5e4f485d56923da3d0e215e208c72ce88cf131d24338d2da54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research