MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 995b4d57bca6d751f2ef0e865630fbc4949b990d9ed071a2a00f9e6c34d98bdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

SHA256 hash: 995b4d57bca6d751f2ef0e865630fbc4949b990d9ed071a2a00f9e6c34d98bdc
SHA3-384 hash: 288ee49114255b52753f86ceec8fb5f3f3d7d0d1259bee24f7970eaf759b615b6fa19fabfd05fbb6eebfc8e5476f9077
SHA1 hash: 5bec0d6715a62810a275e58b7be8357824c23b8b
MD5 hash: 6c4008359c0b28a006d4291ea978028f
humanhash: fillet-social-apart-uniform
File name: mirai.spc
Signature: Mirai
File size: 91'684 bytes
First seen: 2025-12-24 07:36:38 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 1536:1rjsdx3BJSO2c8O3PgE4fnEa0q3vLO+E6Yk5Ht0adQu:ZQUOL6Ea0qzOv6YUbdQu
TLSH: T120936A22B9796E27C0E4A57F22F38321F2F1578E24A8C61E7D710E4EFF2865025576B1
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence

File Origin

# of uploads: 1
# of downloads: 98
Origin country: DE

Vendor Threat Intelligence

Malware configuration found for: Mirai
Details: Mirai (an XOR decryption key and at least a C2 socket address)

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%

Tags: botnet masquerade mirai
Verdict: Malicious
File type: elf.32.be
First seen: 2025-12-24T05:50:00Z UTC
Last seen: 2025-12-24T06:23:00Z UTC
Hits: ~10
Status: terminated
Behavior graph (process tree): /usr/bin/sudo (pid 3257) --execve--> /tmp/sample.bin (pid 3264)
Result

Detection: malicious
Classification: troj.evad
Score: 100 / 100

Signatures:
Antivirus / Scanner detection for submitted sample
Drops files in suspicious directories
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Yara detected Mirai

Behaviour

Behavior graph (the rendered graph is not reproduced; the data recoverable from it is summarised here):
Behavior Graph ID: 1838691
Sample: mirai.spc.elf
Start date: 24/12/2025
Architecture: LINUX
Score: 100
Network contacts: 80.100.170.152 (XS4ALL-NL, Amsterdam, Netherlands); 137.210.129.151:2323 (WirtschaftsuniversitaetWienAT); 99 other IPs or domains
Process tree for the sample: mirai.spc.elf starts further copies of itself; one child drops /usr/bin/wget, /usr/bin/tftp and /usr/bin/curl (signature "Drops files in suspicious directories"), and the parent removes its own file (signature "Sample deletes itself").
Caveat when reading the signature list: in the graph, "Sample reads /proc/mounts" is attached to dbus-daemon, gnome-shell and gjs, and "Reads system files that contain records of logged in users" to accounts-daemon, i.e. to the sandbox VM's own desktop-session processes (gdm3, Xorg, gnome-session, ibus-daemon and others also appear in the tree), not to mirai.spc.elf. The behaviours the graph attributes to the sample itself are the self-copies, the three files written into /usr/bin and the self-deletion, in addition to the YARA and AV hits.
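The three sample-attributable behaviours above (reading /proc/mounts, writing into a system binary directory, unlinking its own executable) can be pulled out of a syscall trace with a few lines of code. The following is an added example, not code from MalwareBazaar or from the sandbox vendor whose report appears above; the strace-style lines it parses are constructed for the demo (the pid and the /tmp/sample.bin path follow the process tree listed earlier on this page), the DROP_DIRS tuple is an assumption, and nothing here is taken from an actual run of the sample.

```python
"""Added example; not code from MalwareBazaar or from any sandbox vendor.
Triage pass over strace-style syscall lines that flags three behaviours the
report above lists: reading /proc/mounts, creating files under a system binary
directory, and the sample unlinking its own executable."""
import re
from typing import Dict, List

# Directories in which a freshly dropped sample has no business creating files.
# Assumption for the demo, chosen from the paths the sandbox report shows.
DROP_DIRS = ("/usr/bin/", "/bin/", "/sbin/", "/usr/sbin/")

# strace -f line shape: [pid 3264] openat(AT_FDCWD, "/proc/mounts", O_RDONLY) = 3
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+)'
)
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample trace (not captured from the sample); pid and path follow
# the first vendor's process tree on this page.
DEMO_TRACE = """\
[pid 3264] execve("/tmp/sample.bin", ["/tmp/sample.bin"], 0x7ffc1a2b3c40 /* 12 vars */) = 0
[pid 3264] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid 3264] openat(AT_FDCWD, "/proc/mounts", O_RDONLY) = 4
[pid 3264] read(4, "overlay / overlay rw,relatime 0 0\\n", 4096) = 34
[pid 3264] openat(AT_FDCWD, "/usr/bin/wget", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 5
[pid 3264] write(5, "#!/bin/sh\\n", 10) = 10
[pid 3264] openat(AT_FDCWD, "/usr/bin/curl", O_WRONLY|O_CREAT|O_TRUNC, 0755) = -1 EACCES (Permission denied)
[pid 3264] unlink("/tmp/sample.bin") = 0
"""


def parse_trace(text: str) -> List[Dict]:
    """Parse strace lines into events; lines that do not fit the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "pid": int(m.group("pid") or 0),
            "call": m.group("call"),
            "args": m.group("args"),
            "paths": QUOTED_RE.findall(m.group("args")),  # first quoted arg is the path
            "ret": int(m.group("ret")),
        })
    return events


def triage(events: List[Dict], self_path: str) -> List[str]:
    """Return sorted findings in the spirit of the sandbox signatures above.

    Only successful syscalls (ret >= 0) count as the behaviour; a failed
    O_CREAT open under a system directory shows intent, so it is reported
    separately rather than silently dropped.
    """
    findings = set()
    for ev in events:
        if not ev["paths"]:
            continue
        path, ok = ev["paths"][0], ev["ret"] >= 0
        if ev["call"] in ("open", "openat"):
            if path == "/proc/mounts" and ok:
                findings.add("reads /proc/mounts")
            elif path.startswith(DROP_DIRS) and "O_CREAT" in ev["args"]:
                findings.add(("writes " if ok else "attempts to write ") + path)
        elif ev["call"] in ("unlink", "unlinkat") and path == self_path and ok:
            findings.add("deletes own executable")
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(parse_trace(DEMO_TRACE), "/tmp/sample.bin"):
        print(finding)
```

Matching on the first quoted argument keeps the parser honest for openat (the dirfd comes before the path) and execve (the path is repeated in argv); checking the return value separates a dropped file from a refused attempt, which matters when the sample runs unprivileged in the sandbox but would run as root on a real device.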
Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2025-12-24 07:37:17 UTC
File type: ELF32 Big (Exe)
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Result
Score: 10/10
Tags: family:mirai botnet:mirai linux

Verdict: Malicious
Tags: botnet mirai trojan Unix.Trojan.Mirai-7100807-0
YARA: MAL_ELF_LNX_Mirai_Oct10_2 Mirai_Botnet_Malware Linux_Trojan_Mirai_0bce98a2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Linux_Mirai_Generic
Author: albertzsigovits
Description: Generic Approach to Mirai/Gafgyt samples

Rule name: Linux_Trojan_Mirai_0bce98a2
Author: Elastic Security

Rule name: MAL_ELF_LNX_Mirai_Oct10_2
Author: Florian Roth (Nextron Systems)
Description: Detects ELF malware Mirai related
Reference: Internal Research

Rule name: MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A
Author: Florian Roth
Description: Detects ELF malware Mirai related
Reference: Internal Research

Rule name: Mirai_Botnet_Malware
Author: Florian Roth (Nextron Systems)
Description: Detects Mirai Botnet Malware
Reference: Internal Research

Rule name: Mirai_Botnet_Malware_RID2EF6
Author: Florian Roth
Description: Detects Mirai Botnet Malware
Reference: Internal Research

Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags
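The SUSP_XORed_Mozilla rule description says YARA's xor modifier cannot report which key matched, and the vendor configuration entry earlier on this page reports "an XOR decryption key and at least a C2 socket address" for Mirai. The following added example does both steps by hand: it brute-forces the single-byte key from the known 'Mozilla/5.0' plaintext (what the linked CyberChef recipe does interactively), then decodes the rest of the obfuscated table with that key and picks out host:port candidates. It is not code from MalwareBazaar, from the rule authors or from any vendor; the input blob is constructed for the demo, the address in it is an RFC 5737 documentation IP, and the key 0x22 is used only because it is the effective single-byte key of the leaked Mirai source's string table (0xDEADBEEF applied one byte at a time), which says nothing about what key this sample uses.

```python
"""Added example; not code from MalwareBazaar, the YARA rule authors or any vendor.
Recover a single-byte XOR key from a known plaintext marker, then reuse it to
decode an obfuscated string table and extract C2 socket-address candidates."""
import re
from typing import List, Tuple

KNOWN_PLAINTEXT = b"Mozilla/5.0"
DEMO_KEY = 0x22  # assumption for the demo: effective key of the leaked Mirai source

# Constructed plaintext table (not from the sample); 198.51.100.0/24 is RFC 5737.
DEMO_STRINGS = [b"Mozilla/5.0 (compatible)", b"/proc/mounts", b"198.51.100.23:2323"]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_demo_blob(key: int = DEMO_KEY) -> bytes:
    """Imitate an obfuscated string table: XORed entries with 0xFF separators,
    padded with high bytes that remain non-printable after decoding."""
    filler = bytes(range(0xF0, 0x100))
    body = b"".join(xor_bytes(s, key) + b"\xff" for s in DEMO_STRINGS)
    return filler + body + filler


def brute_force_single_byte_xor(blob: bytes, known: bytes = KNOWN_PLAINTEXT) -> List[int]:
    """Every key k for which XOR(blob, k) contains `known`.

    XOR is its own inverse, so encoding the short marker 256 times and searching
    the blob is cheaper than decoding the whole blob 256 times."""
    return [k for k in range(256) if xor_bytes(known, k) in blob]


def decode_strings(blob: bytes, key: int, min_len: int = 6) -> List[str]:
    """Decode with `key` and return printable ASCII runs, as `strings` would."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, xor_bytes(blob, key))]


SOCKADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def find_socket_addresses(strings: List[str]) -> List[Tuple[str, int]]:
    """Keep host:port strings whose octets and port are in range."""
    out = []
    for s in strings:
        m = SOCKADDR_RE.match(s)
        if not m:
            continue
        host, port = m.group(1), int(m.group(2))
        if 0 < port < 65536 and all(int(o) < 256 for o in host.split(".")):
            out.append((host, port))
    return out


def extract_config(blob: bytes) -> Tuple[List[int], List[Tuple[str, int]]]:
    """Candidate keys that reveal the marker, and C2 candidates decoded with the first."""
    keys = brute_force_single_byte_xor(blob)
    if not keys:
        return [], []
    return keys, find_socket_addresses(decode_strings(blob, keys[0]))


if __name__ == "__main__":
    blob = build_demo_blob()
    keys, c2 = extract_config(blob)
    print("candidate keys:", [hex(k) for k in keys])
    print("decoded:", decode_strings(blob, keys[0]))
    print("C2 candidates:", c2)
```

On a real sample the same brute force is run over the whole file (or the table section), and any key that yields more than one candidate should be cross-checked against other expected plaintext before the decoded addresses are treated as C2 indicators.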

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Mirai, elf 995b4d57bca6d751f2ef0e865630fbc4949b990d9ed071a2a00f9e6c34d98bdc (this sample)

Delivery method: Distributed via web download