MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b8020883de80c73cdb74172e7f51d74f3dc120b8160e26d13982e6bab610d48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b8020883de80c73cdb74172e7f51d74f3dc120b8160e26d13982e6bab610d48
SHA3-384 hash: ea1278f13248af3d7f80c1bb07df2ee4615db28ede391ece12ae32c7972e3eac3fdb447de84125ca5fe8cf579a91dd1a
SHA1 hash: be5781c647699121ebcfb934c9683b1017dffe3f
MD5 hash: 32450a70bc0c080d773e6191fe3a589e
humanhash: bluebird-delta-hamper-failed
File name:ecco.i686
Download: download sample
Signature Mirai
Create hunting rule
File size:85'080 bytes
First seen:2025-12-10 11:46:03 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:Sg6mn1asDJsLG2ao8G2Vt9x5L6zKbv8QVC1elyrNaH2MzDk7Gavfnouy8GyB:36m1a3d09rx5LIqQpU2EsGMPoutl
TLSH T19E8302F60AABD695D23EE0330C3E6D871D38F1DA9AB1D522518E64075CB27A2B6174D0
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai UPX
File size (compressed) :85'080 bytes
File size (de-compressed) :240'448 bytes
Format:linux/i386
Unpacked file: ce441aad3e0f8d2af1550c75efd6c0a33fe333e383ab75c61127918195c8f693

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/1198b42f-ef8f-40dd-aa3f-aecc5624949e/
Detection(s):
Unix.Dropper.Mirai-7135858-0
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm gafgyt masquerade mirai obfuscated packed upx
Link:
https://www.filescan.io/uploads/69395d87cf690d27f3db0fa6/reports/36f08011-db06-458a-961f-36b4725c8a92/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-12-10T08:52:00Z UTC
Last seen:
2025-12-10T09:41:00Z UTC
Hits:
~10
Detections:
HEUR:Exploit.Linux.Netgear.a HEUR:Exploit.Linux.Mvpower.a HEUR:Exploit.Linux.DLink.b HEUR:Exploit.Linux.DLink.a HEUR:Exploit.Linux.CVE-2018-10561.a HEUR:Exploit.Linux.CVE-2017-17215.a HEUR:Backdoor.Linux.Mirai.r HEUR:Backdoor.Linux.Mirai.cw HEUR:Backdoor.Linux.Gafgyt.bl HEUR:Exploit.Linux.Vacron.a HEUR:Exploit.Linux.Netgear.b HEUR:Backdoor.Linux.Mirai.h HEUR:Backdoor.Linux.Mirai.b HEUR:Backdoor.Linux.Gafgyt.cn HEUR:Backdoor.Linux.Gafgyt.bj HEUR:Exploit.Linux.CVE-2014-8361.a HEUR:Backdoor.Linux.Mirai.ii
Link:
https://opentip.kaspersky.com/9b8020883de80c73cdb74172e7f51d74f3dc120b8160e26d13982e6bab610d48/results?tab=lookup
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f172d93f-df87-42fe-922b-a58c1e7df06b
Result
Threat name:
Gafgyt, Mirai
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1830179
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Yara detected Gafgyt
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/9b8020883de80c73cdb74172e7f51d74f3dc120b8160e26d13982e6bab610d48
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9b8020883de80c73cdb74172e7f51d74f3dc120b8160e26d13982e6bab610d48/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/9b8020883de80c73cdb74172e7f51d74f3dc120b8160e26d13982e6bab610d48
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-12-10 11:46:17 UTC
File Type:
ELF32 Little (Exe)
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=toacbcb55aghhtnxifzop5i5otz5yeqlqfqoe3ittaxgxk3bbvea._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:lzrd antivm botnet discovery linux upx
Link:
https://tria.ge/reports/251210-nxeeeahl3y/
Behaviour
Reads runtime system information
Checks CPU configuration
Checks SCSI settings
Checks hardware identifiers (DMI)
Mirai
Mirai family
Malware Config
C2 Extraction:
draft22.duckdns.org
Verdict:
Malicious
Tags:
Unix.Dropper.Mirai-7135858-0
YARA:
n/a
Link:
https://app.threat.zone/submission/bc475ea9-ffb7-4c50-9528-fc252ebe2a87
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9b8020883de80c73cdb74172e7f51d74f3dc120b8160e26d13982e6bab610d48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 9b8020883de80c73cdb74172e7f51d74f3dc120b8160e26d13982e6bab610d48

(this sample)

Mirai

elf ce441aad3e0f8d2af1550c75efd6c0a33fe333e383ab75c61127918195c8f693

  
URLhaus
https://urlhaus.abuse.ch/url/3725556/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 ce441aad3e0f8d2af1550c75efd6c0a33fe333e383ab75c61127918195c8f693
  
Dropping
MD5 8188130bbd0e8d153ee7b5e72d3a6d6d
  
URLhaus
https://urlhaus.abuse.ch/url/3727063/

Comments