MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 917e77c574ab71aea68ce35202d5d1447b883ad5f353aaa756cac4d6df793bb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 6 File information Comments

SHA256 hash:	917e77c574ab71aea68ce35202d5d1447b883ad5f353aaa756cac4d6df793bb6
SHA3-384 hash:	62028f904f9eb4f3f8b550279cbf80cfd2a013e1dc784f203d5b2a4b4cc467fbd8e9c08b025f792c41a701bd43c5ddda
SHA1 hash:	395b99c16d79545b18e29c524fe7f5ec2841517d
MD5 hash:	1029ab77e65bdcbb1e59ad81981d0343
humanhash:	high-tango-pluto-orange
File name:	mips
Download:	download sample
Signature	Mirai Create hunting rule
File size:	109'760 bytes
First seen:	2025-11-29 04:06:56 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	1536:SkUa7xt8FyhmfltOhNE6evz6qPt9/vEXSiy7APk2PK6e/BdHZBNZ:sa7xRwN2E6eL6qPt93EXSiy7OkAKBZBb
TLSH	T1A2B3D64E7F329F7CFBA8C23447B35A21A65923D227E1DA85D19CD6011E7024E681FBB4
telfhash	t1d0115b1c4d3823e0d7751caa67ecff76e15130eb46255e378e10e99d9a6d9429d01c1c
Magika	elf
Reporter	abuse_ch
Tags:	elf mirai upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 1120f6a02a73a88c9405b537d3c97c338d602a571f642ad32626ebf6f52bb350

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	41'104 bytes
File size (de-compressed) :	109'760 bytes
Format:	linux/mips
Packed file:	1120f6a02a73a88c9405b537d3c97c338d602a571f642ad32626ebf6f52bb350

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30435.LC.UNOFFICIAL

SecuriteInfo.com.Linux.Siggen.9999-6.UNOFFICIAL

Unix.Trojan.Mirai-7100807-0

Unix.Dropper.Mirai-7135897-0

Unix.Dropper.Mirai-7135901-0

Unix.Dropper.Mirai-7135909-0

Unix.Trojan.Mirai-7135916-0

Unix.Dropper.Mirai-7135918-0

Unix.Dropper.Mirai-7135954-0

Unix.Dropper.Mirai-7136016-0

Unix.Dropper.Mirai-7136028-0

Unix.Trojan.Mirai-8025795-0

Unix.Dropper.Mirai-10007027-0

Unix.Trojan.Mirai-10009361-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

DNS request

Runs as daemon

Receives data from a server

Opens a port

Sends data to a server

Result

Gathering data

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/efcc2bd5-d0fa-409b-af3f-5b3b852bfe47

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/afe48fbe-d038-424a-ba8d-54e096e46227

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1822664

Signature

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/917e77c574ab71aea68ce35202d5d1447b883ad5f353aaa756cac4d6df793bb6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/917e77c574ab71aea68ce35202d5d1447b883ad5f353aaa756cac4d6df793bb6/

Threat name:

Linux.Worm.Mirai

Status:

Malicious

First seen:

2025-11-29 04:07:37 UTC

File Type:

ELF32 Big (Exe)

AV detection:

20 of 36 (55.56%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sf7hprluvny25jum4njafvorir5yqowv6nj2vj2wzlcnnx3zho3a._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai defense_evasion discovery

Link:

https://tria.ge/reports/251129-epv8hszrev/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Enumerates running processes

Writes file to system bin folder

Modifies Watchdog functionality

Malware Config

C2 Extraction:

teamc2.duckdns.org

Verdict:

Malicious

Tags:

botnet mirai Unix.Trojan.Mirai-7100807-0

YARA:

Mirai_Botnet_Malware

Link:

https://app.threat.zone/submission/6b10011f-a837-4312-a6c5-856586ec1753

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/917e77c574ab71aea68ce35202d5d1447b883ad5f353aaa756cac4d6df793bb6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ELF_Mirai Create hunting rule
Author:	NDA0E
Description:	Detects multiple Mirai variants

Rule name:	Mirai_Botnet_Malware Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Mirai Botnet Malware
Reference:	Internal Research

Rule name:	Mirai_Botnet_Malware_RID2EF6 Create hunting rule
Author:	Florian Roth
Description:	Detects Mirai Botnet Malware
Reference:	Internal Research

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research