MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98ad2cadc594e95381fb98f514b2fcd6d64f6c69e45567438e279cb19d295d8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 13



SHA256 hash: 98ad2cadc594e95381fb98f514b2fcd6d64f6c69e45567438e279cb19d295d8b
SHA3-384 hash: 72dffd861e9b283fbeafa07820ef33cd676e11975013b419657bce0f1677792d726767126f2469213fd517287ecbc9cd
SHA1 hash: d8de8adad06340392061432a16095f2af3fe0774
MD5 hash: dfa13212034b0e0809b0ce7f52dd7c9b
humanhash: hotel-nine-arkansas-undress
File name: Fantazy.i686
Download: download sample
Signature: Mirai
File size: 78'608 bytes
First seen: 2025-12-16 20:20:25 UTC
Last seen: 2025-12-17 02:22:27 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 1536:Kt+qZs87flIJGrw7VODopsKqhG/A1SttmxavigkRMSlfQ:Kt+grLqJGrw7EDop4hGBcaqgkRzlfQ
TLSH: T1A5732B85F9C745F6C9078934A0ABF23FCA31E57940709B6DEF4DAF22DA27B01911229D
telfhash: t16e1191ba27664dd837d05812f24b97307e19ab6b10107ab755f3253812a7991437bd34
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence


File Origin
# of uploads: 3
# of downloads: 45
Origin country: DE
Vendor Threat Intelligence
Malware configuration found for: Mirai
Details: an XOR decryption key and at least one C2 socket address
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Runs as daemon
Receives data from a server
Kills processes
Opens a port
Sends data to a server
Substitutes an application name
Verdict:
Unknown
Threat level:
0/10
Confidence:
100%
Tags:
masquerade
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-12-16T17:42:00Z UTC
Last seen:
2025-12-18T15:13:00Z UTC
Hits:
~100
Status:
terminated
Behavior Graph:
Process tree recovered from the graph export (pids and sockets as recorded by the sandbox):
- pid 2814 /usr/bin/sudo, execve, pid 2820 /tmp/sample.bin [net]
- pid 2820 connects to 8.8.8.8:53 (DNS)
- pid 2820 clones pid 2821 /tmp/sample.bin
- pid 2820 clones pid 2823 /tmp/sample.bin [net, send-data, zombie]
- pid 2823 connects to 8.8.8.8:53; sends 24 bytes to 91.92.243.68:63645
- pid 2823 clones pid 2824 and pid 2825 /tmp/sample.bin
- pid 2823 clones pid 2826 /tmp/sample.bin [net, net-scan, send-data]
- pid 2826 connects to 8.8.8.8:53; sends 40 bytes to 168.78.201.1:2323; send-data to 4097 IP addresses in total (review logs to see them all)
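The graph above records the two network shapes that make a Mirai-family sample easy to spot from flow data alone: one child sends tiny payloads (40 bytes) to thousands of distinct hosts on a telnet port, while another keeps a small-payload session (24 bytes) to a single high port. The detector below is an added example, not part of the MalwareBazaar page or any sandbox vendor's tooling. The flow-record format (`src dst:dport sent=N`), the thresholds, and the flow lines themselves are constructed for the example; the scanner address 10.0.0.5, the 203.0.113.x and 198.18.x.x targets are documentation ranges, and only 8.8.8.8:53 is taken from the graph.

```python
"""Flag Mirai-style telnet scanner fan-out and the accompanying C2-like session
in flow records. Added example; the flow format and thresholds are assumptions
made for this page, not a vendor's or MalwareBazaar's format."""
from collections import defaultdict
from dataclasses import dataclass

TELNET_PORTS = {23, 2323}   # ports Mirai scanners probe; 2323 appears in the graph
FANOUT_THRESHOLD = 100      # distinct telnet targets per source before we alert (tune per network)
SCAN_PAYLOAD_MAX = 64       # scan probes are tiny (40 B in the graph); real telnet sessions are larger


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    sent: int  # bytes sent by src in this flow


def parse_flow(line: str) -> Flow:
    """Parse one constructed record of the form 'src dst:dport sent=N'."""
    src, dst_port, sent = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(src, dst, int(dport), int(sent.removeprefix("sent=")))


def detect(flows) -> dict[str, dict]:
    """Return, per source that fans out to many telnet targets, the fan-out
    count and the most-contacted non-DNS, non-telnet endpoint (candidate C2)."""
    telnet_dsts: dict[str, set[str]] = defaultdict(set)
    other: dict[str, dict[tuple[str, int], int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.dport in TELNET_PORTS and f.sent <= SCAN_PAYLOAD_MAX:
            telnet_dsts[f.src].add(f.dst)
        elif f.dport != 53:  # DNS to a public resolver is not a C2 signal on its own
            other[f.src][(f.dst, f.dport)] += 1
    findings = {}
    for src, dsts in telnet_dsts.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            peers = other[src]
            candidate_c2 = max(peers, key=peers.get) if peers else None
            findings[src] = {"telnet_fanout": len(dsts), "candidate_c2": candidate_c2}
    return findings


def constructed_flows(scanner: str = "10.0.0.5", n_scan: int = 4097) -> list[str]:
    """Constructed fixture mirroring the graph: DNS lookup, a repeated 24-byte
    session to one high port, 4097 telnet probes, plus an unrelated benign host."""
    lines = [f"{scanner} 8.8.8.8:53 sent=60"]
    lines += [f"{scanner} 203.0.113.10:63645 sent=24"] * 5
    lines += [f"{scanner} 198.18.{i // 256}.{i % 256}:2323 sent=40" for i in range(n_scan)]
    lines += [
        "10.0.0.9 203.0.113.20:443 sent=1500",
        "10.0.0.9 198.18.0.1:2323 sent=40",   # one telnet flow is not a scan
        "10.0.0.9 8.8.8.8:53 sent=60",
    ]
    return lines


def demo() -> dict[str, dict]:
    """Run the detector over the constructed flows."""
    return detect(parse_flow(line) for line in constructed_flows())


if __name__ == "__main__":
    for src, finding in demo().items():
        print(f"{src}: {finding['telnet_fanout']} telnet targets, candidate C2 {finding['candidate_c2']}")
```

The candidate-C2 heuristic is deliberately weak (most-contacted non-telnet, non-DNS peer); it is a pivot for analysts, not a verdict. On a real sensor, feed it per-process flows or a short time window so a legitimate mass-SSH host does not trip the fan-out threshold.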
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj
Score:
76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Behaviour
Behavior Graph:
Behavior Graph ID: 1834349
Sample: Fantazy.i686.elf
Start date: 16/12/2025
Architecture: LINUX
Score: 76
Graph summary (recovered from the graph export): the root carries the signatures "Malicious sample detected (through community Yara rule)", "Antivirus / Scanner detection for submitted sample" and "Multi AV Scanner detection for submitted file". Fantazy.i686.elf is started alongside the sandbox's own desktop-session processes (systemd, gdm3, gpu-manager, accounts-daemon, language-validate, dbus-run-session, dbus-daemon and roughly 90 others) and spawns further Fantazy.i686.elf children; "Sample tries to kill multiple processes (SIGKILL)" is attached to one of those children. /var/log/wtmp (data) appears as a file node on the group of other processes, which is where "Reads system files that contain records of logged in users" fires. Note that "Sample reads /proc/mounts (often used for finding a writable filesystem)" is attached in the graph both to that group and to the sandbox's dbus-daemon and dbus-run-session processes, so treat the desktop-session branches of this tree as sandbox noise rather than sample behaviour.
Threat name:
Linux.Worm.Mirai
Status:
Malicious
First seen:
2025-12-16 20:21:30 UTC
File Type:
ELF32 Little (Exe)
AV detection:
25 of 38 (65.79%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:mirai credential_access defense_evasion discovery linux
Behaviour
Reads runtime system information
Changes its process name
Reads process memory
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Contacts a large number (24007) of remote hosts
Creates a large amount of network flows
Malware Config
C2 Extraction:
katana.chernobyl.network
Verdict:
Malicious
Tags:
trojan mirai Unix.Trojan.Mirai-7135937-0
YARA:
Linux_Trojan_Mirai_268aac0b Linux_Trojan_Mirai_0cb1699c Linux_Trojan_Mirai_c8385b81 Linux_Trojan_Mirai_70ef58f1 Linux_Trojan_Mirai_3a85a418 Linux_Trojan_Mirai_485c4b13 Linux_Trojan_Mirai_575f5bc8 Linux_Trojan_Mirai_2e3f67a9 Linux_Trojan_Mirai_0d73971c Linux_Trojan_Mirai_88de437f Linux_Trojan_Mirai_3278f1b8 Linux_Trojan_Mirai_cc93863b
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: Linux_Trojan_Mirai_0cb1699c
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_0d73971c
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_268aac0b
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_2e3f67a9
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_3278f1b8
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_3a85a418
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_485c4b13
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_575f5bc8
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_70ef58f1
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_88de437f
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_c8385b81
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_cc93863b
Author: Elastic Security
Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth
Description: Detects the suspicious single-byte XORed keyword 'Mozilla/5.0'. The rule uses YARA's xor modifier and therefore cannot print the XOR key; you can use the CyberChef recipe linked in the reference field to brute-force the key that was used.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects the suspicious XORed keyword 'Mozilla/5.0'
Reference: Internal Research
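Two items on this page point at the same analyst task: the vendor config section reports "an XOR decryption key and at least one C2 socket address", and the SUSP_XORed_Mozilla rules match 'Mozilla/5.0' under YARA's xor modifier without being able to tell you the key. The script below is an added example written for this page; it is not MalwareBazaar, Elastic or Florian Roth code, and nothing in it is taken from the Fantazy.i686 sample. It brute-forces the single-byte key from the known plaintext, then applies that key to Mirai-style string-table entries to recover the C2 host and port. The table layout follows the publicly leaked Mirai source, where a 32-bit table_key (0xdeadbeef in the public code) is applied byte by byte and therefore collapses to one effective byte; the entries, the C2 domain c2.example.test and the port are constructed fixtures, and any real sample may use a different key or layout.

```python
"""Recover a single-byte XOR key from a known plaintext ('Mozilla/5.0') and use
it to decode Mirai-style obfuscated string-table entries (C2 host and port).

Added example for this page; not vendor or MalwareBazaar code. The table below
is constructed, not extracted from the Fantazy.i686 sample."""
import re

# The SUSP_XORed_Mozilla rules match this keyword under YARA's xor modifier,
# which cannot report the key; 256 candidates is cheap to brute-force here.
KNOWN_PLAINTEXT = b"Mozilla/5.0"

# table_key from the publicly leaked Mirai source. toggle_obf() XORs every
# byte with each of the four key bytes in turn, so only k1^k2^k3^k4 matters.
MIRAI_PUBLIC_TABLE_KEY = 0xDEADBEEF


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def effective_key_byte(table_key: int) -> int:
    """Collapse a 32-bit Mirai table_key to the single byte actually applied."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (table_key >> shift) & 0xFF
    return k  # 0xDEADBEEF -> 0x22


def find_xor_keys(blob: bytes, plaintext: bytes = KNOWN_PLAINTEXT) -> list[tuple[int, int]]:
    """Return (key, offset) for every single-byte key under which plaintext
    occurs in blob. Key 0 means the keyword is present in the clear."""
    hits = []
    for key in range(256):
        needle = re.escape(xor_bytes(plaintext, key))
        hits.extend((key, m.start()) for m in re.finditer(needle, blob))
    return hits


def decode_c2(entries: dict[str, bytes], key_byte: int) -> tuple[str, int]:
    """Decode the C2 entries: NUL-terminated domain and a 16-bit big-endian
    port, which is how the public Mirai table stores TABLE_CNC_PORT."""
    domain = xor_bytes(entries["cnc_domain"], key_byte).rstrip(b"\x00").decode("ascii")
    port = int.from_bytes(xor_bytes(entries["cnc_port"], key_byte), "big")
    return domain, port


def build_constructed_table(table_key: int) -> dict[str, bytes]:
    """Constructed fixture: obfuscate made-up values exactly as toggle_obf would.
    Domain, port and user agent are placeholders, not this sample's config."""
    k = effective_key_byte(table_key)
    return {
        "cnc_domain": xor_bytes(b"c2.example.test\x00", k),
        "cnc_port": xor_bytes((23).to_bytes(2, "big"), k),  # == b"\x22\x35" with the public key
        "user_agent": xor_bytes(b"Mozilla/5.0 (X11; Linux x86_64)\x00", k),
    }


def extract_c2_from_blob(blob: bytes, entries: dict[str, bytes]) -> tuple[int, str, int]:
    """Pin the key from the known plaintext, then decode the C2 with it.
    Refuses to guess when zero or several non-trivial keys match."""
    keys = {k for k, _ in find_xor_keys(blob) if k != 0}
    if len(keys) != 1:
        raise ValueError(f"expected exactly one candidate key, got {sorted(keys)}")
    key = keys.pop()
    domain, port = decode_c2(entries, key)
    return key, domain, port


def demo() -> tuple[int, str, int]:
    """Stand-in for a sample's .rodata: padding around the obfuscated entries."""
    table = build_constructed_table(MIRAI_PUBLIC_TABLE_KEY)
    blob = b"\x00" * 16 + b"".join(table.values()) + b"\x00" * 16
    return extract_c2_from_blob(blob, table)


if __name__ == "__main__":
    key, domain, port = demo()
    print(f"key=0x{key:02x} c2={domain}:{port}")
```

On a real binary you would run find_xor_keys over the whole file (or the .rodata and .data sections) rather than over a prepared table; a single non-zero key that also turns the neighbouring bytes into printable strings is the one to keep, and the table entries themselves have to be located by their length-prefixed add_entry calls in the sample's table_init, which differs per build.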

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 98ad2cadc594e95381fb98f514b2fcd6d64f6c69e45567438e279cb19d295d8b

(this sample)

Delivery method
Distributed via web download

Comments