MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ac7262112be101a283302fc39c3e147fa905d3f36ddcbc14ec79c6f9e362463. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ac7262112be101a283302fc39c3e147fa905d3f36ddcbc14ec79c6f9e362463
SHA3-384 hash: 5589b74943359dc9285ce3a18acee9ba464b8ed223aac03bdc4f74ce3112bd74dfad8612a8f3bcc593bd63ff078f444e
SHA1 hash: d8323e523fe57d13ee068593a00aca590536d1b8
MD5 hash: 5ad85dcb9d30d3142503f52fc42d7d68
humanhash: vermont-river-utah-muppet
File name:i
Download: download sample
Signature Mirai
Create hunting rule
File size:307'960 bytes
First seen:2021-07-24 14:00:50 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xiona5POdOQ33Q:p3lOYoaja8xzx/0wsxzSi/PqOJ
TLSH T17B64F1CBEF11BC3AD940077125AB0B5DB778DA9A82C7E080F2D4C55E3CAA2C5BB911D5
Reporter tolisec
Tags:mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Mirai-63.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL
Create hunting rule

Unix.Dropper.Botnet-6566040-0
Create hunting rule

Unix.Packed.Botnet-6566031-0
Create hunting rule

Unix.Trojan.Gafgyt-6748839-0
Create hunting rule

Unix.Trojan.Mirai-7100807-0
Create hunting rule

Unix.Dropper.Mirai-7135934-0
Create hunting rule

Unix.Dropper.Mirai-7136013-0
Create hunting rule

Unix.Dropper.Mirai-7136057-0
Create hunting rule

Unix.Dropper.Mirai-7136070-0
Create hunting rule

Unix.Trojan.Mirai-8025795-0
Create hunting rule

Unix.Exploit.Mirai-9795501-0
Create hunting rule

Unix.Trojan.Mozi-9840825-0
Create hunting rule

Unix.Trojan.Mirai-9843255-0
Create hunting rule

Unix.Trojan.Mirai-9858729-0
Create hunting rule

Unix.Trojan.Gafgyt-6735924-0
Create hunting rule

Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
false
Architecture:
mips
Packer:
UPX
Botnet:
59.93.27.73:45897
Number of open files:
430
Number of processes launched:
38
Processes remaning?
true
Remote TCP ports scanned:
8080,80,8081,5555,60001,7574,37215,52869,8443,8181,81,49152,2323,23
Full report:
https://elfdigest.com/brief/8ac7262112be101a283302fc39c3e147fa905d3f36ddcbc14ec79c6f9e362463
Behaviour
Process Renaming
Firewall Changes
Information Gathering
Botnet C2s
TCP botnet C2(s):
87.98.162.88:6881
212.129.33.59:6881
67.215.246.10:6881
82.221.103.244:6881
130.239.18.159:6881
185.231.223.142:6881
178.141.215.10:6881
148.251.41.88:50000
148.251.87.55:50000
95.216.14.176:50000
95.216.13.248:50000
178.63.60.100:50000
178.63.65.152:50000
65.21.33.212:50000
135.181.223.234:50000
206.189.96.59:8081
165.22.63.46:8081
117.222.161.228:8081
178.141.52.250:8082
163.53.206.228:8082
130.239.18.159:8744
217.178.194.139:12547
14.34.121.17:40809
103.41.36.34:20500
59.95.68.122:45840
116.68.110.111:30505
130.239.18.159:8723
112.163.136.209:41488
47.21.48.182:8000
107.173.155.188:8000
182.61.18.63:8000
178.141.132.103:8000
112.27.124.113:8000
118.44.8.11:41237
117.222.164.102:25764
182.59.253.119:60628
202.164.131.196:20098
117.222.168.88:59519
130.239.18.159:8792
128.69.179.116:39999
84.53.229.135:9985
130.239.18.159:8547
117.198.246.11:19399
111.92.79.184:50810
112.31.176.16:11211
60.162.183.158:11211
116.68.99.187:46261
178.72.71.220:19739
125.161.23.232:19739
80.44.20.119:13150
45.87.251.3:28103
50.66.150.41:15937
163.172.62.18:51413
80.243.106.186:51413
81.171.22.94:51413
78.132.199.59:21736
176.214.41.88:34291
196.188.240.230:32306
106.193.13.62:18616
223.190.164.15:29372
27.61.204.61:60842
91.109.131.178:50209
223.187.185.46:23988
130.239.18.159:8623
178.72.78.201:7334
59.22.241.184:33210
80.213.73.162:60450
94.245.130.53:5616
157.48.155.242:35859
142.179.6.233:63718
151.202.110.111:18753
176.155.164.64:46557
24.46.23.203:13026
14.37.44.6:7925
219.75.26.13:57338
27.5.41.40:1128
211.171.233.177:30221
210.89.63.110:21600
130.239.18.159:8606
130.239.18.159:9031
130.239.18.159:8700
130.239.18.159:8646
130.239.18.159:8973
178.141.168.174:9977
61.141.124.30:17513
202.164.137.179:46812
202.83.56.161:1567
223.130.31.94:26906
178.141.204.180:22255
112.27.124.147:4645
UDP botnet C2(s):
not identified
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d409a2b7-9f78-4104-bc3b-81c24f337bd9
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/821223
Signature
Found strings indicative of a multi-platform dropper
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 453635 Sample: i Startdate: 24/07/2021 Architecture: LINUX Score: 88 26 Multi AV Scanner detection for submitted file 2->26 28 Yara detected Mirai 2->28 30 Yara detected Mirai 2->30 32 4 other signatures 2->32 6 upstart sh 2->6         started        8 upstart sh 2->8         started        10 upstart sh 2->10         started        12 i 2->12         started        process3 process4 14 sh date 6->14         started        16 sh apport-checkreports 6->16         started        18 sh date 8->18         started        20 sh apport-gtk 8->20         started        22 sh date 10->22         started        24 sh apport-gtk 10->24         started       
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8ac7262112be101a283302fc39c3e147fa905d3f36ddcbc14ec79c6f9e362463/
Threat name:
Linux.Trojan.Mirai
Create hunting rule
Status:
Malicious
First seen:
2021-07-24 14:01:05 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  9/10
Tags:
linux
Link:
https://tria.ge/reports/210724-26k58xhf2n/
Behaviour
Reads runtime system information
Writes file to tmp directory
Reads system network configuration
Enumerates active TCP sockets
Reads system routing table
Modifies hosts file
Modifies the Watchdog daemon
Writes file to system bin folder
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/8ac7262112be101a283302fc39c3e147fa905d3f36ddcbc14ec79c6f9e362463

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 8ac7262112be101a283302fc39c3e147fa905d3f36ddcbc14ec79c6f9e362463

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1478328/
  
Delivery method
Distributed via web download

Comments