MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 963f3ab6b8c1943e52cd5c4c4f525ae09bfae80ce0dbcc5d853240fa78d8858d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 963f3ab6b8c1943e52cd5c4c4f525ae09bfae80ce0dbcc5d853240fa78d8858d
SHA3-384 hash: b1b74875829b4014646482ac329530141bc0dff6625a5f28b01f1af810ffce6f423bac2d9677bdaffaf30312bfc08640
SHA1 hash: f1baef72fed11fdec830878e62fc00acd4d61ac8
MD5 hash: a4bd4a964888752d5150edac754257d2
humanhash: winner-cola-dakota-orange
File name:monero.x86
Download: download sample
Signature Mirai
Create hunting rule
File size:60'204 bytes
First seen:2026-06-18 09:47:03 UTC
Last seen:2026-06-18 13:29:07 UTC
File type: elf
MIME type:application/x-sharedlib
ssdeep 1536:4e/uxdmRGkULpukDkuRup9hxiZ+0EB61wQHuf9O:PrR1ULkUkuRuLhkDpO9O
TLSH T19E4302EE7E8EE0FFEDB8563E207553DA9466994130BD020C507610640BE7CF296BE365
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf UPX
File size (compressed) :60'204 bytes
File size (de-compressed) :116'028 bytes
Format:linux/i386
Unpacked file: 70179624c8c1870bbc6875478f9f949478777e6be4cccb4d5ca7a9194e6a7ed0

Intelligence

File Origin
# of uploads :
2
# of downloads :
47
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/373d3291-e4ae-47d0-8278-37a00919031d/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Opens a port
Changes access rights for a written file
Creating a file
Sends data to a server
Connection attempt
Receives data from a server
Runs as daemon
Kills processes
Manages services
Substitutes an application name
Creates or modifies files in /cron to set up autorun
Creates or modifies files in /init.d to set up autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade mirai packed upx
Link:
https://www.filescan.io/uploads/6a33bee662d0679105f79e70/reports/76b2462d-bf52-49d1-988a-8b0bb93c0d5d/overview
Verdict:
Unknown
File Type:
elf.32.le
Link:
https://opentip.kaspersky.com/963f3ab6b8c1943e52cd5c4c4f525ae09bfae80ce0dbcc5d853240fa78d8858d/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/0dec02df-9b18-4b05-9a1e-035605175a19
Behavior Graph:
Download SVG
%3 guuid=5264977c-1e00-0000-bd12-139300120000 pid=4608 /usr/bin/sudo guuid=4052ae7e-1e00-0000-bd12-139301120000 pid=4609 /tmp/sample.bin net write-file guuid=5264977c-1e00-0000-bd12-139300120000 pid=4608->guuid=4052ae7e-1e00-0000-bd12-139301120000 pid=4609 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=4052ae7e-1e00-0000-bd12-139301120000 pid=4609->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=d5befe7e-1e00-0000-bd12-139302120000 pid=4610 /tmp/sample.bin guuid=4052ae7e-1e00-0000-bd12-139301120000 pid=4609->guuid=d5befe7e-1e00-0000-bd12-139302120000 pid=4610 clone guuid=a31a097f-1e00-0000-bd12-139303120000 pid=4611 /tmp/sample.bin net send-data write-config write-file guuid=d5befe7e-1e00-0000-bd12-139302120000 pid=4610->guuid=a31a097f-1e00-0000-bd12-139303120000 pid=4611 clone guuid=a31a097f-1e00-0000-bd12-139303120000 pid=4611->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con 7524b232-708c-59bf-ba7e-d4733b263658 31.56.209.211:6767 guuid=a31a097f-1e00-0000-bd12-139303120000 pid=4611->7524b232-708c-59bf-ba7e-d4733b263658 send: 602B guuid=d1bf127f-1e00-0000-bd12-139304120000 pid=4612 /tmp/sample.bin guuid=a31a097f-1e00-0000-bd12-139303120000 pid=4611->guuid=d1bf127f-1e00-0000-bd12-139304120000 pid=4612 clone guuid=4001167f-1e00-0000-bd12-139305120000 pid=4613 /tmp/sample.bin guuid=a31a097f-1e00-0000-bd12-139303120000 pid=4611->guuid=4001167f-1e00-0000-bd12-139305120000 pid=4613 clone guuid=867f2c7f-1e00-0000-bd12-139307120000 pid=4615 /usr/bin/systemctl guuid=a31a097f-1e00-0000-bd12-139303120000 pid=4611->guuid=867f2c7f-1e00-0000-bd12-139307120000 pid=4615 execve guuid=ca4ed0ba-1e00-0000-bd12-1393e0120000 pid=4832 /usr/bin/systemctl guuid=a31a097f-1e00-0000-bd12-139303120000 pid=4611->guuid=ca4ed0ba-1e00-0000-bd12-1393e0120000 pid=4832 execve guuid=eddf1c7f-1e00-0000-bd12-139306120000 pid=4614 /tmp/sample.bin guuid=4001167f-1e00-0000-bd12-139305120000 pid=4613->guuid=eddf1c7f-1e00-0000-bd12-139306120000 pid=4614 clone
Malware family:
Gafgyt
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9fbb500b-297d-4352-82ef-7a46c0d23a8c
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1929865
Signature
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1929865 Sample: monero.x86.elf Startdate: 18/06/2026 Architecture: LINUX Score: 60 36 31.56.209.211, 46750, 6767 SWISSNET-ASUS Netherlands 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Sample is packed with UPX 2->40 10 monero.x86.elf 2->10         started        12 systemd snapd-env-generator 2->12         started        14 systemd snapd-env-generator 2->14         started        signatures3 process4 process5 16 monero.x86.elf 10->16         started        process6 18 monero.x86.elf 16->18         started        file7 32 /etc/rc.local, ASCII 18->32 dropped 34 /etc/cron.d/monero, ASCII 18->34 dropped 42 Sample tries to persist itself using cron 18->42 44 Sample tries to persist itself using System V runlevels 18->44 22 monero.x86.elf 18->22         started        24 monero.x86.elf systemctl 18->24         started        26 monero.x86.elf systemctl 18->26         started        28 monero.x86.elf 18->28         started        signatures8 process9 process10 30 monero.x86.elf 22->30         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/963f3ab6b8c1943e52cd5c4c4f525ae09bfae80ce0dbcc5d853240fa78d8858d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/963f3ab6b8c1943e52cd5c4c4f525ae09bfae80ce0dbcc5d853240fa78d8858d/
Threat name:
Linux.Backdoor.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-15 02:00:19 UTC
File Type:
ELF32 Little (SO)
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sy7tvnvyygkd4uwnlrge6us24cn7v2am4dn4yxmfgjapu6gyqwgq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery execution linux persistence privilege_escalation upx
Link:
https://tria.ge/reports/260618-ls4sdsey7r/
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
UPX packed file
Creates/modifies Cron job
Enumerates active TCP sockets
Enumerates running processes
Modifies rc script
Modifies systemd
Write file to user bin folder
Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/963f3ab6b8c1943e52cd5c4c4f525ae09bfae80ce0dbcc5d853240fa78d8858d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:UPXProtectorv10x2
Create hunting rule
Author:malware-lu
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 963f3ab6b8c1943e52cd5c4c4f525ae09bfae80ce0dbcc5d853240fa78d8858d

(this sample)

Mirai

elf 70179624c8c1870bbc6875478f9f949478777e6be4cccb4d5ca7a9194e6a7ed0

  
URLhaus
https://urlhaus.abuse.ch/url/3866739/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 70179624c8c1870bbc6875478f9f949478777e6be4cccb4d5ca7a9194e6a7ed0
  
Dropping
MD5 177eda9eef1fdfbdd509ac46679b1d21

Comments