MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f81af29c974eeb4184483efc12fa2e4adafcc35d7efd2693f9a294bdc34ac54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f81af29c974eeb4184483efc12fa2e4adafcc35d7efd2693f9a294bdc34ac54
SHA3-384 hash: ddd8364798217573a55879f3595f6bb92e4874416b292d9e4e7cc9d2874457d5c7bcec7352ebe6386faec0087e539211
SHA1 hash: 0ea8da76ca27c05442ed49811288e2e429d354d4
MD5 hash: 13bb690fc99903719a7c3cd9038dfb71
humanhash: magazine-neptune-leopard-sweet
File name:armv4l-20230706-2123
Download: download sample
Signature Mirai
Create hunting rule
File size:111'916 bytes
First seen:2023-07-06 21:23:47 UTC
Last seen:2023-07-07 11:43:02 UTC
File type: elf
MIME type:application/x-executable
ssdeep 3072:MlKxwLHbqdI7GtGnXoVO6WLL/RtIfLdHaVQ4:y7qdI7GtkoVO60/RtIfLdaVQ4
TLSH T109B3F8C2AD427E33C2C2EBB5BBEBD14837F2561497DB3301A5D97EB00A1A9CD1D1A254
telfhash t14c21218124f689195f9699389cfc56b34a41621732052fb49d3985dc583b0a1e73dc8a
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter elfdigest
Tags:gafgyt mirai

Intelligence

File Origin
# of uploads :
10
# of downloads :
91
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Mirai-69.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Mirai-78.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.29523.LC.UNOFFICIAL
Create hunting rule

Unix.Dropper.Mirai-7355719-0
Create hunting rule

Unix.Trojan.Tsunami-9396652-0
Create hunting rule

Unix.Dropper.Mirai-9977145-0
Create hunting rule

Unix.Trojan.Mirai-5607483-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin remote
Link:
https://www.filescan.io/uploads/64a730f5342796a4a9081a55/reports/0e3e4acc-1d53-4fc5-8308-86cf14f94f67/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
arm
Packer:
not packed
Botnet:
5.181.80.102
Number of open files:
141
Number of processes launched:
38
Processes remaning?
false
Remote TCP ports scanned:
37215,5555
Full report:
https://elfdigest.com/brief/9f81af29c974eeb4184483efc12fa2e4adafcc35d7efd2693f9a294bdc34ac54
Behaviour
Persistence
Firewall Changes
Information Gathering
Kernel Modules
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Verdict:
MALICIOUS
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/94fbbadf-a3d0-4168-a05a-8d62ee9c573e
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1268605
Signature
Antivirus / Scanner detection for submitted sample
Drops files in suspicious directories
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings indicative of a multi-platform dropper
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1268605 Sample: armv4l-20230706-2123.elf Startdate: 07/07/2023 Architecture: LINUX Score: 100 117 fucking.blackpeople.lol 2->117 119 13.20.51.167 XEROX-ELLUS United States 2->119 121 99 other IPs or domains 2->121 131 Snort IDS alert for network traffic 2->131 133 Antivirus / Scanner detection for submitted sample 2->133 135 Multi AV Scanner detection for submitted file 2->135 137 3 other signatures 2->137 12 systemd mandb armv4l-20230706-2123.elf 2->12         started        15 systemd logrotate 2->15         started        17 systemd install 2->17         started        19 systemd find 2->19         started        signatures3 process4 signatures5 143 Sample deletes itself 12->143 21 armv4l-20230706-2123.elf 12->21         started        23 armv4l-20230706-2123.elf 12->23         started        25 logrotate sh 15->25         started        27 logrotate sh 15->27         started        29 logrotate gzip 15->29         started        31 logrotate gzip 15->31         started        process6 process7 33 armv4l-20230706-2123.elf 21->33         started        35 armv4l-20230706-2123.elf 21->35         started        37 armv4l-20230706-2123.elf 21->37         started        43 2 other processes 21->43 39 sh invoke-rc.d 25->39         started        41 sh rsyslog-rotate 27->41         started        process8 45 armv4l-20230706-2123.elf 33->45         started        47 armv4l-20230706-2123.elf 33->47         started        49 armv4l-20230706-2123.elf 33->49         started        61 18 other processes 33->61 51 invoke-rc.d runlevel 39->51         started        53 invoke-rc.d systemctl 39->53         started        55 invoke-rc.d ls 39->55         started        57 invoke-rc.d systemctl 39->57         started        59 rsyslog-rotate systemctl 41->59         started        process9 63 armv4l-20230706-2123.elf 45->63         started        65 armv4l-20230706-2123.elf sh 47->65         started        69 armv4l-20230706-2123.elf sh 47->69         started        71 armv4l-20230706-2123.elf sh 49->71         started        73 armv4l-20230706-2123.elf sh 49->73         started        75 armv4l-20230706-2123.elf sh 61->75         started        77 armv4l-20230706-2123.elf sh 61->77         started        79 armv4l-20230706-2123.elf sh 61->79         started        81 34 other processes 61->81 file10 83 armv4l-20230706-2123.elf sh 63->83         started        87 armv4l-20230706-2123.elf sh 63->87         started        105 /etc/rc.local, ASCII 65->105 dropped 123 Sample tries to persist itself using System V runlevels 65->123 89 sh chmod 65->89         started        107 /etc/init.d/rcD, ASCII 71->107 dropped 125 Drops files in suspicious directories 71->125 91 sh chmod 71->91         started        109 /etc/profile, ASCII 75->109 dropped 127 Sample tries to persist itself using /etc/profile 75->127 111 /etc/cron.hourly/0, ASCII 77->111 dropped 129 Sample tries to persist itself using cron 77->129 93 sh iptables 79->93         started        113 /etc/passwd, ASCII 81->113 dropped 95 armv4l-20230706-2123.elf sh 81->95         started        97 armv4l-20230706-2123.elf sh 81->97         started        signatures11 process12 file13 115 /etc/init.d/multipath-tools, ASCII 83->115 dropped 139 Drops files in suspicious directories 83->139 99 sh chmod 83->99         started        141 Executes the "iptables" command to insert, remove and/or manipulate rules 93->141 101 sh su 95->101         started        103 sh 95->103         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f81af29c974eeb4184483efc12fa2e4adafcc35d7efd2693f9a294bdc34ac54/
Threat name:
Linux.Trojan.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2023-07-06 21:24:06 UTC
File Type:
ELF32 Little (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6a26kojotxligceqpx4cl5c4sw27tbv27x5e2j7tiuuxxbuvrka._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230706-z8184aed44/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9f81af29c974eeb4184483efc12fa2e4adafcc35d7efd2693f9a294bdc34ac54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:myMirai
Create hunting rule
Description:Mirai
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 9f81af29c974eeb4184483efc12fa2e4adafcc35d7efd2693f9a294bdc34ac54

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2676953/
  
Delivery method
Distributed via web download

Comments