MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9793fcf57e3e5270d0b9259ed41382064443a841ef071cc33d36259830ff023d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9793fcf57e3e5270d0b9259ed41382064443a841ef071cc33d36259830ff023d
SHA3-384 hash: 785d639027ccc9dd13c8a771a205076528ea7637f8f7ac8ce1d55c2c3f866cfa504ebc7bfc269c0e23e66bf1c3a5bfce
SHA1 hash: e4350e71b533c5d2209ece8125522f7bb0ca2743
MD5 hash: cba83d5f10349cab3f38bcd9f9b81ca7
humanhash: kansas-monkey-tango-fish
File name:mirai.ppc
Download: download sample
Signature Mirai
Create hunting rule
File size:87'272 bytes
First seen:2025-12-24 09:00:46 UTC
Last seen:2025-12-24 10:38:18 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:/zqMqbHa2101FVDudWV0VqMTIMwBq5xfeym8dWihTIqEK:/PqbDdUMy6/dNhWK
TLSH T1F6835C02B3280A43E1A25EF4293F17E0D3EEE59021F4FA89690FDB564175E37558AFC9
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
Mirai
Details
Link:
https://research.acce.ciphertechsolutions.com/results/9f6026f3-2eb8-47cb-940c-0e97dac84aef/
Detection(s):
SecuriteInfo.com.Linux.Mirai-63.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30419.LX.M0Z.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30435.LC.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-7100807-0
Create hunting rule

Unix.Dropper.Mirai-7135868-0
Create hunting rule

Unix.Dropper.Mirai-7135891-0
Create hunting rule

Unix.Dropper.Mirai-7135892-0
Create hunting rule

Unix.Dropper.Mirai-7135957-0
Create hunting rule

Unix.Dropper.Mirai-7135965-0
Create hunting rule

Unix.Dropper.Mirai-7136013-0
Create hunting rule

Unix.Dropper.Mirai-7136034-0
Create hunting rule

Unix.Dropper.Mirai-7136057-0
Create hunting rule

Unix.Dropper.Mirai-7136070-0
Create hunting rule

Unix.Dropper.Mirai-7139230-0
Create hunting rule

Unix.Trojan.Mirai-8025795-0
Create hunting rule

Unix.Trojan.Mirai-9858729-0
Create hunting rule

Unix.Trojan.Mirai-9940367-0
Create hunting rule

Unix.Trojan.Mirai-10027280-0
Create hunting rule

Unix.Trojan.Mirai-1
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
botnet gafgyt masquerade mirai mirai obfuscated
Link:
https://www.filescan.io/uploads/694babdee126b9ff438fa655/reports/f8ab6b73-e549-46d6-9b73-b79be1163e16/overview
Result
Gathering data
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/89a3205b-0d3b-4113-93d8-054ff5e41133
Behavior Graph:
Download SVG
%3 guuid=66fcd283-1900-0000-0c7a-e0156b140000 pid=5227 /usr/bin/sudo guuid=5dd32f87-1900-0000-0c7a-e0156c140000 pid=5228 /tmp/sample.bin guuid=66fcd283-1900-0000-0c7a-e0156b140000 pid=5227->guuid=5dd32f87-1900-0000-0c7a-e0156c140000 pid=5228 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c76af5d3-432f-4b73-8d90-47a4c4e4c7b0
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1838723
Signature
Antivirus / Scanner detection for submitted sample
Drops files in suspicious directories
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1838723 Sample: mirai.ppc.elf Startdate: 24/12/2025 Architecture: LINUX Score: 100 58 160.52.253.69, 23 WISCNET1-ASUS Austria 2->58 60 203.28.36.137, 23 WA-GOVERNMENT-AS-APWAGovernmentprojectAU Australia 2->60 62 98 other IPs or domains 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus / Scanner detection for submitted sample 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected Mirai 2->70 10 mirai.ppc.elf 2->10         started        13 gdm3 gdm-session-worker 2->13         started        15 systemd accounts-daemon 2->15         started        17 19 other processes 2->17 signatures3 process4 signatures5 74 Sample deletes itself 10->74 19 mirai.ppc.elf 10->19         started        23 gdm-session-worker gdm-x-session 13->23         started        76 Reads system files that contain records of logged in users 15->76 25 accounts-daemon language-validate 15->25         started        process6 file7 52 /usr/bin/wget, POSIX 19->52 dropped 54 /usr/bin/tftp, POSIX 19->54 dropped 56 /usr/bin/curl, POSIX 19->56 dropped 72 Drops files in suspicious directories 19->72 27 mirai.ppc.elf 19->27         started        29 mirai.ppc.elf 19->29         started        31 gdm-x-session dbus-daemon 23->31         started        34 gdm-x-session Xorg Xorg.wrap Xorg 23->34         started        36 language-validate language-options 25->36         started        signatures8 process9 signatures10 78 Sample reads /proc/mounts (often used for finding a writable filesystem) 31->78 38 dbus-daemon 31->38         started        40 Xorg sh 34->40         started        42 language-options sh 36->42         started        process11 process12 44 dbus-daemon false 38->44         started        46 sh xkbcomp 40->46         started        48 sh locale 42->48         started        50 sh grep 42->50         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/9793fcf57e3e5270d0b9259ed41382064443a841ef071cc33d36259830ff023d
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9793fcf57e3e5270d0b9259ed41382064443a841ef071cc33d36259830ff023d/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-12-24 09:01:20 UTC
File Type:
ELF32 Big (Exe)
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6j7z5l6hzjhbufzewpnie4cazcehkcb54drzqz5gyszqmh7ai6q._file
Gathering data
Verdict:
Malicious
Tags:
botnet mirai trojan Unix.Trojan.Mirai-7100807-0
YARA:
MAL_ELF_LNX_Mirai_Oct10_2 Mirai_Botnet_Malware Linux_Trojan_Mirai_0bce98a2
Link:
https://app.threat.zone/submission/370b44ee-bd18-4918-a925-2162d01d2b09
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9793fcf57e3e5270d0b9259ed41382064443a841ef071cc33d36259830ff023d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Mirai_Generic
Create hunting rule
Author:albertzsigovits
Description:Generic Approach to Mirai/Gafgyt samples
Rule name:Linux_Trojan_Mirai_0bce98a2
Create hunting rule
Author:Elastic Security
Rule name:MAL_ELF_LNX_Mirai_Oct10_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects ELF malware Mirai related
Reference:Internal Research
Rule name:MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A
Create hunting rule
Author:Florian Roth
Description:Detects ELF malware Mirai related
Reference:Internal Research
Rule name:Mirai_Botnet_Malware
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Mirai Botnet Malware
Reference:Internal Research
Rule name:Mirai_Botnet_Malware_RID2EF6
Create hunting rule
Author:Florian Roth
Description:Detects Mirai Botnet Malware
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 9793fcf57e3e5270d0b9259ed41382064443a841ef071cc33d36259830ff023d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3735506/
  
Delivery method
Distributed via web download

Comments