MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d23109f3365229684e31928b371aecb9d3fbd1e70dad90f27faf620a51be444. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mirai
Vendor detections: 11



SHA256 hash: 8d23109f3365229684e31928b371aecb9d3fbd1e70dad90f27faf620a51be444
SHA3-384 hash: 0f1fdb86c43338d0da07d5c951e349ceea394e53c13334a144a41f877b39fa7c06821770ca1692ccf2b8ed4c9ca62385
SHA1 hash: 4b67160529b4cfb453edb044d1bbc72354a8a6fd
MD5 hash: 2cb5cdc62ece570034995dd68e7ce0b8
humanhash: seventeen-washington-louisiana-beryllium
File name: firmware.i686
Signature: Mirai
File size: 103'572 bytes
First seen: 2024-09-01 15:29:13 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 1536:LOZydcr6EN6EvILDG4VjMW6MSybVpUWiZ4BSGS3yRIplX8mlnCs3j7:LOB6EQ3G4VZ6MzbZieBSGS3yRElX+sP
TLSH: T11DA33981F68B85F6D907883060A7F23FCB30D9794031D69DEF59AF3ADA37601921B259
telfhash: t1154136f969720ce467d09803e2ce5b32fc1cab7f286436b104f758313272141a2bad36
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: NDA0E
Tags: elf firmware mirai

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 116
Origin country: NL

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness: (rating bar not reproduced)
Behaviour
Sends data to a server
Deleting a recently created file
DNS request
Connection attempt
Creating a file
Kills processes
Substitutes an application name
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug botnet lolbin masquerade mirai remote

Result
Verdict: MALICIOUS

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample tries to persist itself using cron
Tries to resolve many domain names, but no domain seems valid
Behaviour
Behavior Graph (ID 1502462; sample firmware.i686.elf; start date 01/09/2024; architecture LINUX; score 96): graphic not reproduced. Information recoverable from the graph: contacted hosts 50.55.21.131 (ZIPLY-FIBER-LEGACY-ASNUS, United States), 155.212.41.159 (WINDSTREAMUS, United States) and 375 other IPs or domains; dropped files /var/spool/cron/crontabs/root (ASCII), /var/spool/cron/crontabs/tmp.Y9ZHp2 (ASCII), /var/spool/cron/crontabs/tmp.tiEfc5 (ASCII) and /usr/bin/myirnra (ELF); child processes include "sh crontab" and "sh hostname"; signatures shown on the graph: Malicious sample detected (through community Yara rule), Antivirus detection for dropped file, Antivirus / Scanner detection for submitted sample, Drops files in suspicious directories, Sample tries to persist itself using cron, Executes the "crontab" command typically for achieving persistence.
Threat name: Linux.Backdoor.Mirai
Status: Malicious
First seen: 2024-09-01 15:30:08 UTC
File Type: ELF32 Little (Exe)
AV detection: 17 of 24 (70.83%)
Threat level: 5/5

Result
Malware family: (not given)
Score: 10/10
Tags: family:mirai botnet discovery linux persistence rootkit
Behaviour
Creates/modifies Cron job
Loads a kernel module
Unexpected DNS network traffic destination
Contacts a large (46944) amount of remote hosts
Creates a large amount of network flows
Mirai
Malware Config
C2 Extraction:
www.ckea.ru
www.akck.ru
45.152.112.46
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Trojan_Mirai_0cb1699c
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_0d73971c
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_24c5b7d6
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_268aac0b
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_2e3f67a9
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_3a85a418
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_485c4b13
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_70ef58f1
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_88de437f
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_cc93863b
Author: Elastic Security

Rule name: Mirai_Botnet_Malware
Author: Florian Roth (Nextron Systems)
Description: Detects Mirai Botnet Malware
Reference: Internal Research

Rule name: Mirai_Botnet_Malware_RID2EF6
Author: Florian Roth
Description: Detects Mirai Botnet Malware
Reference: Internal Research

Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags

Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses YARA's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Signature   File type   SHA256
Web download      Mirai       elf         8d23109f3365229684e31928b371aecb9d3fbd1e70dad90f27faf620a51be444 (this sample)

Comments