MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97a753ceaefa50cdb402b8bba849ca9e5a97951cc535990a98d03cc2dcbb65fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

SHA256 hash: 97a753ceaefa50cdb402b8bba849ca9e5a97951cc535990a98d03cc2dcbb65fb
SHA3-384 hash: 7243ea12d76eb3536a55544dbc71a3c891a3dc75ae14122abd1f56f7a6edd78caf7ace3dc47c6b1353fda77747d16ec4
SHA1 hash: ecd12048da68efcabea5c767f91e59b79109f8b8
MD5 hash: 218c97b06c083a4042105732cc9033d9
humanhash: indigo-ack-coffee-freddie
File name: kaf.i386
Signature: Mirai
File size: 1'719'748 bytes
First seen: 2026-05-17 15:57:40 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 49152:K+ZSVvWxCnSQ7Z33hCEhhzxoqJi+TloBKeoqa3:K+Z/CSQ7Z33hCEhVxoqJi+T5eo
TLSH: T1C4857C98E7C794F0F26300F0065FD7B71624621A5053F6F2EF896A97B4337527A2622E
telfhash: t1d562bab315ad54ec7be045059b9b7220cef6e42726e0387259fb7cc05ab2c431f669b8
Magika: elf
Reporter: abuse_ch
Tags: elf Hajime mirai

Intelligence

File Origin
# of uploads: 1
# of downloads: 27
Origin country: DE

Vendor Threat Intelligence
No detections

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Connection attempt
Creating a file
Changes access rights for a written file
Launching a process
Locks files
Sets a written file as executable
Manages services
Runs as daemon
Changes the time when the file was created, accessed, or modified
Creates or modifies files in /cron to set up autorun
Substitutes an application name
Creates or modifies files in /init.d to set up autorun
Verdict: Unknown
Threat level: 0/10
Confidence: 100%
Tags: gcc masquerade rust
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 0
Number of processes launched: 2
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified

Verdict: Malicious
File Type: elf.32.le
First seen: 2026-05-17T14:23:00Z UTC
Last seen: 2026-05-17T15:10:00Z UTC
Hits: ~100
Status: terminated
Behavior Graph: (raw sandbox process and network graph export not reproduced here)
Threat name: Linux.Trojan.Hajime
Status: Malicious
First seen: 2026-05-01 16:11:59 UTC
File Type: ELF32 Little (Exe)
AV detection: 7 of 36 (19.44%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery execution linux persistence privilege_escalation
Behaviour
Reads runtime system information
Writes file to tmp directory
Changes its process name
Creates/modifies Cron job
Modifies rc script
Modifies systemd
Unexpected DNS network traffic destination
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: Detect_all_IPv6_variants
Author: Bierchermuesli
Description: Generic IPv6 catcher

Rule name: ELF_Mirai
Author: NDA0E
Description: Detects multiple Mirai variants

Rule name: enterpriseapps2
Author: Tim Brown @timb_machine
Description: Enterprise apps

Rule name: F01_s1ckrule
Author: s1ckb017

Rule name: iot_req_metachar

Rule name: malwareelf55503

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Mirai
elf 97a753ceaefa50cdb402b8bba849ca9e5a97951cc535990a98d03cc2dcbb65fb (this sample)
Delivery method: Distributed via web download

Comments