MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89f712095b8c26acfe97878ced839b6c7e1976361825d9e6fac725a2009bcd4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

Intelligence 10 IOCs YARA 11 File information Comments

SHA256 hash:	89f712095b8c26acfe97878ced839b6c7e1976361825d9e6fac725a2009bcd4e
SHA3-384 hash:	d7cf28613545668935bf4f7a479a86dbfb1920207be2b781a62b84f81449a69b26b3b96f066c5b75f61c9874a24d6f72
SHA1 hash:	57838fb8eb91b4c83fd5f278fe37fe07ccf4dd59
MD5 hash:	e33d47a26dd34ab6902000826f8249e9
humanhash:	east-xray-charlie-ohio
File name:	p-p.c-.Sakura
Download:	download sample
Signature	Mirai Create hunting rule
File size:	272'575 bytes
First seen:	2025-06-28 16:26:43 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	6144:O2vKgKBLJOfot1q0sXbskyx5w+twifINjYGEDQa3gTu68l5RbuT:nKgKBLHtwV65w+tw1CDQa3gTu68l5Rbi
TLSH	T15D443B5FAF280B43E4974DF1283F73E0878CE6B650D921C69419AA805BB39762136FD7
telfhash	t1e651c726d9f98e3e2be349649c7d4ff11166521272723d74bf39c0c0957b00a6924e8f
Magika	elf
Reporter	abuse_ch
Tags:	elf gafgyt mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30395.LC.UNOFFICIAL

SecuriteInfo.com.Linux.Siggen.2205.UNOFFICIAL

Sanesecurity.Malware.29052.TSource.UNOFFICIAL

Sanesecurity.Malware.29325.LC.Pl.UNOFFICIAL

SecuriteInfo.com.Linux.Mirai-81.UNOFFICIAL

Sanesecurity.Malware.30420.LX.BOT.UNOFFICIAL

Sanesecurity.Malware.32134.LX.BOT.UNOFFICIAL

Sanesecurity.Malware.32133.LX.BOT.UNOFFICIAL

Unix.Trojan.Gafgyt-6981154-0

Unix.Trojan.Tsunami-6981155-0

Unix.Trojan.Tsunami-6981163-0

Unix.Trojan.Gafgyt-6981165-0

Unix.Trojan.Mirai-6981169-0

Unix.Dropper.Mirai-7135935-0

Unix.Dropper.Mirai-7135940-0

Unix.Dropper.Mirai-7135945-0

Unix.Dropper.Mirai-7135968-0

Unix.Dropper.Mirai-7136011-0

Unix.Dropper.Mirai-7136072-0

Unix.Dropper.Mirai-7136105-0

Unix.Dropper.Mirai-7139223-0

Unix.Dropper.Mirai-7139232-0

Unix.Trojan.Gafgyt-7643791-0

Unix.Trojan.Mirai-7688276-0

Unix.Proxy.Mirai-7844054-0

Unix.Trojan.Gafgyt-9396656-0

Unix.Dropper.Gafgyt-9762292-0

Unix.Trojan.Gafgyt-9762295-0

Unix.Trojan.Mirai-9847812-0

Unix.Trojan.Mirai-9864781-0

Unix.Trojan.Gafgyt-9879277-0

Unix.Trojan.Mirai-9943729-0

Unix.Trojan.Mirai-9951087-0

Unix.Trojan.Mirai-5607483-0

Verdict:

Clean

Score:

84.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686018c637c343677946a68blinux22vpnfull_triage

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Kills processes

Creating a file

Sets a written file as executable

Manages services

Collects information on the CPU

Connection attempt

Changes the time when the file was created, accessed, or modified

Writes files to system directory

Deletes a system binary file

Replaces system binary files

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

base64 gcc lolbin mirai remote

Link:

https://www.filescan.io/uploads/6860180c45e80b29f8a3915f/reports/0878a2a3-b8b1-4ece-a63b-0ee64b58c244/overview

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/3d571499-4023-4777-b118-cdc1627194a3

Behavior Graph:

Download SVG

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b7b43747-044c-46b7-a95c-c33ace3aadcf

Result

Threat name:

Gafgyt, Mirai

Detection:

malicious

Classification:

spre.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1724740

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains symbols with names commonly found in malware

Drops files in suspicious directories

Drops invisible ELF files

Malicious sample detected (through community Yara rule)

Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions

Multi AV Scanner detection for submitted file

Opens /proc/net/* files useful for finding connected devices and routers

Protects files from modification

Sample deletes itself

Sample is potentially a Mirai botnet sample

Uses dynamic DNS services

Writes identical ELF files to multiple locations

Yara detected Gafgyt

Yara detected Mirai

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/89f712095b8c26acfe97878ced839b6c7e1976361825d9e6fac725a2009bcd4e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/89f712095b8c26acfe97878ced839b6c7e1976361825d9e6fac725a2009bcd4e/

Threat name:

Linux.Trojan.Gafgyt

Status:

Malicious

First seen:

2025-06-28 16:27:42 UTC

File Type:

ELF32 Big (Exe)

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rh3reck3rqtkz7uxq6go3a43nr7bs5rwdas5tzx2y4s2eae3zvha._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt linux

Link:

https://tria.ge/reports/250628-tyf8aatqz6/

Malware Config

C2 Extraction:

239.255.255.250:1900

Verdict:

Malicious

Tags:

botnet trojan gafgyt Unix.Trojan.Gafgyt-6981154-0

YARA:

botnet_dayzddos Linux_Trojan_Gafgyt_28a2fe0c Linux_Gafgyt_May_2024

Link:

https://app.threat.zone/submission/9af99517-9dec-4535-9ad0-b66b57c51950

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Mirai

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/89f712095b8c26acfe97878ced839b6c7e1976361825d9e6fac725a2009bcd4e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202503_elf_Mirai Create hunting rule
Author:	abuse.ch
Description:	Detects Mirai 'TSource' ELF files

Rule name:	botnet_dayzddos Create hunting rule
Author:	NDA0E
Description:	dayzddos botnet

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	ELF_Mirai Create hunting rule
Author:	NDA0E
Description:	Detects multiple Mirai variants

Rule name:	enterpriseapps2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise apps

Rule name:	Linux_Gafgyt_Generic Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Mirai/Gafgyt samples

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Linux_Trojan_Gafgyt_28a2fe0c Create hunting rule
Author:	Elastic Security

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	setsockopt Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for setsockopt() red flags

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 89f712095b8c26acfe97878ced839b6c7e1976361825d9e6fac725a2009bcd4e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3571107/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample