MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94fcb7a0db25f4e91eeeb6b85f4912a4621547b33929a3d404abbbb64a3581e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94fcb7a0db25f4e91eeeb6b85f4912a4621547b33929a3d404abbbb64a3581e0
SHA3-384 hash: c4c5714eed9e4f900e8fcafb2584e38fcd1d7831cff9aabf78191d16301f15648e5a3dc568406aeb367b40e3c4f49899
SHA1 hash: 383dd304eafa2117e49e0dd9faf7825570ad5d7f
MD5 hash: d921a52f001f4efc7f6565d74b537b68
humanhash: nineteen-hot-two-romeo
File name:morte.arm
Download: download sample
Signature Mirai
Create hunting rule
File size:38'852 bytes
First seen:2025-07-14 17:11:25 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 768:3qidlGiQKVa4N+krEAj/YbBqjwNw5PDbaHaikQ4s+Vrc1G0UTvJFaZldUYKWs3U2:3qUlbV7+kr7slYm07b5rs+cGddF8nUYM
TLSH T1BD03F175840549B5ABC07234D0F78283BB822B7841FE34EE664D505BB24B0AB87F679B
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf UPX
File size (compressed) :38'852 bytes
File size (de-compressed) :83'664 bytes
Format:linux/arm
Unpacked file: 0d90d5de7b06bba91d5c38ab95954a2394c0f0849163f5596f34e8a82943ae31

Intelligence

File Origin
# of uploads :
1
# of downloads :
21
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
packed upx
Link:
https://www.filescan.io/uploads/68753a8b8a7d628a81ae0c55/reports/1145d027-4b07-4bfa-a86c-8e967e9afcdc/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
arm
Packer:
UPX
Botnet:
unknown
Number of open files:
0
Number of processes launched:
0
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/94fcb7a0db25f4e91eeeb6b85f4912a4621547b33929a3d404abbbb64a3581e0
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/53fd0998-5a89-4e4a-bd1a-e2270cc0acdf
Behavior Graph:
Download SVG
%3 guuid=70da3bb7-1900-0000-57d5-55d4e9090000 pid=2537 /usr/bin/sudo guuid=4e49d4b8-1900-0000-57d5-55d4f0090000 pid=2544 /tmp/sample.bin guuid=70da3bb7-1900-0000-57d5-55d4e9090000 pid=2537->guuid=4e49d4b8-1900-0000-57d5-55d4f0090000 pid=2544 execve
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/03203558-d302-4ca2-b55d-b1046b3379bf
Result
Threat name:
Mirai, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1736315
Signature
Drops files in suspicious directories
Drops invisible ELF files
Found strings related to Crypto-Mining
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample is packed with UPX
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Yara detected Mirai
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1736315 Sample: morte.arm.elf Startdate: 14/07/2025 Architecture: LINUX Score: 92 38 last.galaxias.cc 196.251.69.179, 12121, 45968, 45974 Web4AfricaZA Seychelles 2->38 40 54.171.230.55, 37912, 443 AMAZON-02US United States 2->40 42 54.217.10.153, 443 AMAZON-02US United States 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 Yara detected Mirai 2->46 48 Yara detected Xmrig cryptocurrency miner 2->48 50 Sample is packed with UPX 2->50 10 morte.arm.elf 2->10         started        13 dash rm 2->13         started        15 dash tr 2->15         started        17 8 other processes 2->17 signatures3 process4 signatures5 58 Found strings related to Crypto-Mining 10->58 19 morte.arm.elf 10->19         started        process6 process7 21 morte.arm.elf 19->21         started        file8 34 /etc/init.d/sysd, POSIX 21->34 dropped 52 Sample tries to set files in /etc globally writable 21->52 54 Drops files in suspicious directories 21->54 56 Sample tries to persist itself using System V runlevels 21->56 25 morte.arm.elf sh 21->25         started        27 morte.arm.elf 21->27         started        signatures9 process10 signatures11 30 sh cp 25->30         started        60 Sample deletes itself 27->60 process12 file13 36 /usr/bin/.sh, ELF 30->36 dropped 62 Drops invisible ELF files 30->62 64 Drops files in suspicious directories 30->64 signatures14
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/94fcb7a0db25f4e91eeeb6b85f4912a4621547b33929a3d404abbbb64a3581e0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94fcb7a0db25f4e91eeeb6b85f4912a4621547b33929a3d404abbbb64a3581e0/
Threat name:
Linux.Trojan.Svirtu
Create hunting rule
Status:
Malicious
First seen:
2025-07-14 17:12:34 UTC
File Type:
ELF32 Little (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=st6lpig3ex2oshxow24f6sisurrbkr5theu2hvaevo53msrvqhqa._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
upx
Link:
https://tria.ge/reports/250714-vq21fsvmz7/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/53c0d578-e22b-4652-a1fa-ab59b12ac8b0
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/94fcb7a0db25f4e91eeeb6b85f4912a4621547b33929a3d404abbbb64a3581e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 94fcb7a0db25f4e91eeeb6b85f4912a4621547b33929a3d404abbbb64a3581e0

(this sample)

Mirai

elf 0d90d5de7b06bba91d5c38ab95954a2394c0f0849163f5596f34e8a82943ae31

  
URLhaus
https://urlhaus.abuse.ch/url/3581211/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3581242/
  
Dropping
SHA256 0d90d5de7b06bba91d5c38ab95954a2394c0f0849163f5596f34e8a82943ae31
  
Dropping
MD5 da3c9f51b242aecafa4640fc43439c2c
  
URLhaus
https://urlhaus.abuse.ch/url/3574724/
  
URLhaus
https://urlhaus.abuse.ch/url/3581177/
  
URLhaus
https://urlhaus.abuse.ch/url/3579395/
  
URLhaus
https://urlhaus.abuse.ch/url/3581193/

Comments