MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
SHA3-384 hash: 5aa44b24d857803f8c451d1b472170a00dc9b2df2781e053d7a857518ade79a7734ea1bf7af4313efa8d02864aeb1ed4
SHA1 hash: 0d8eb08add467b3b5474f9b25909297fe7c2839c
MD5 hash: 1b166b95f9cb4b079ef1b9ec8363ddf3
humanhash: river-sad-india-twenty
File name:doQQmLpWCXK3TF48O7pZ2ayjzBZWAPU7nH
Download: download sample
Signature Mirai
Create hunting rule
File size:122'566 bytes
First seen:2024-11-03 12:46:10 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:lbeGHulXta3Yz+u6b/tDrHvIAJ9GjOHSHm8RiQztBJk9zEp:Re3ODtDbvIg9Gj7Hm8RiQztB+9zEp
TLSH T1B5C31A45FD50476BC2D23BFBFB9A438D37395B54A7CB33116E285EB42B82B881E29111
telfhash t13a31ffc2a07b4d692eb1a8148ca8c7b475dfaa12d7516eb0ef5dc98c402b1117702ecf
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.29524.LC.UNOFFICIAL
Create hunting rule

Unix.Trojan.Tsunami-9396652-0
Create hunting rule

Unix.Dropper.Mirai-9977145-0
Create hunting rule

Unix.Trojan.Mirai-10033529-0
Create hunting rule

Unix.Trojan.Mirai-10033788-0
Create hunting rule

Unix.Trojan.Mirai-10033789-0
Create hunting rule

Unix.Trojan.Mirai-10034904-0
Create hunting rule

Unix.Trojan.Mirai-10034905-0
Create hunting rule

Unix.Trojan.Mirai-10035004-0
Create hunting rule

Unix.Packed.Botnet-6566031-0
Create hunting rule

Unix.Dropper.Botnet-6566040-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672770cd8d23d90491331b56linux22vpnfull_triage
Tags:
gafgyt mirai
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
android gcc lolbin remote
Link:
https://www.filescan.io/uploads/672770c8f34fcc4d75993cff/reports/1a631d16-27c8-44b0-8ee1-89497e84e4c5/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
arm
Packer:
not packed
Botnet:
unknown
Number of open files:
372
Number of processes launched:
279
Processes remaning?
false
Remote TCP ports scanned:
80,37215,81,8080,52869,7574,5555,49152,8443
Full report:
https://elfdigest.com/brief/94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
Behaviour
Persistence
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Verdict:
MALICIOUS
Malware family:
Gafgyt
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f71d892-627c-488a-b8b1-f45cf21a07ac
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1547944
Signature
Contains symbols with names commonly found in malware
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Sample tries to persist itself using cron
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1547944 Sample: doQQmLpWCXK3TF48O7pZ2ayjzBZ... Startdate: 03/11/2024 Architecture: LINUX Score: 84 31 216.126.231.240, 34730, 443, 46696 ANYNODEUS United States 2->31 33 conn.masjesu.zip 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected Mirai 2->37 39 Contains symbols with names commonly found in malware 2->39 9 doQQmLpWCXK3TF48O7pZ2ayjzBZWAPU7nH.elf 2->9         started        signatures3 process4 process5 11 doQQmLpWCXK3TF48O7pZ2ayjzBZWAPU7nH.elf 9->11         started        13 doQQmLpWCXK3TF48O7pZ2ayjzBZWAPU7nH.elf 9->13         started        process6 15 doQQmLpWCXK3TF48O7pZ2ayjzBZWAPU7nH.elf sh 11->15         started        17 doQQmLpWCXK3TF48O7pZ2ayjzBZWAPU7nH.elf sh 11->17         started        19 doQQmLpWCXK3TF48O7pZ2ayjzBZWAPU7nH.elf 13->19         started        21 doQQmLpWCXK3TF48O7pZ2ayjzBZWAPU7nH.elf 13->21         started        process7 23 sh crontab 15->23         started        27 sh crontab 17->27         started        file8 29 /var/spool/cron/crontabs/tmp.iyTtfq, ASCII 23->29 dropped 41 Sample tries to persist itself using cron 23->41 43 Executes the "crontab" command typically for achieving persistence 23->43 signatures9
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9/
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2024-11-02 19:57:24 UTC
File Type:
ELF32 Little (Exe)
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ssqzwmysjs54drlqwmzy6tp3wk7rvezvu4vm6iv6aku3xcrshteq._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery execution persistence privilege_escalatio
Link:
https://tria.ge/reports/241103-pz7dmsvakg/
Behaviour
Reads runtime system information
Creates/modifies Cron job
Enumerates running processes
Renames itself
Contacts a large (2201) amount of remote hosts
Creates a large amount of network flows
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/04d7f6fc-cf12-4695-8642-aa02d176e1a3
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mirai
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CVE_2017_17215
Create hunting rule
Author:NDA0E
Description:Detects exploitation attempt of CVE-2017-17215
Rule name:ELF_Mirai
Create hunting rule
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:iot_req_metachar
Create hunting rule
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Generic_Threat_1ac392ca
Create hunting rule
Author:Elastic Security
Rule name:Linux_Generic_Threat_d94e1020
Create hunting rule
Author:Elastic Security
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Xorbot

sh 0f81e0203eee1ec5892d652dc6f772fb15cdca2c0a48a07500af14f6d4e8c263

Mirai

elf 94a19b33124cbbc1c570b3338f4dfbb2bf1a9335a72acf22be02a9bb8a323cc9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3273853/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3274058/
  
URLhaus
https://urlhaus.abuse.ch/url/3275292/
  
Dropped by
SHA256 0f81e0203eee1ec5892d652dc6f772fb15cdca2c0a48a07500af14f6d4e8c263
  
Dropped by
MD5 23b9c1f3db9dfed3dda0ab858df83342
  
Dropped by
SHA256 12734f2cb1b19aaa69d57283c4192a4b63578e42eadeadce2890068dc7ae4248
  
Dropped by
MD5 8c7d36dd357abbd46ca005035becd725
  
Dropped by
SHA256 1955d746164824980d26e30bf407060921504888edd33ed9ca28b3459cebe74f
  
Dropped by
MD5 8665f2af69fbd363509207dc0486225c

Comments