MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a22fc801dd8403569a8fd3c0c2b4ae72464cbcc33af092afabc3ccb65c1fd3db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Mirai

Vendor detections: 10



SHA256 hash: a22fc801dd8403569a8fd3c0c2b4ae72464cbcc33af092afabc3ccb65c1fd3db
SHA3-384 hash: bf8b60c3355964a4bdad241b30856e7ee35c22223396838376e04326cd5f0e6773b814bfb1406468fe62df3e586f40e6
SHA1 hash: ac3db623bf3c8ba23b73c917b049be63bd527bea
MD5 hash: 8313d94b7045e5b3ee01812cec8c0601
humanhash: fix-paris-mango-happy
File name: mipsel
Signature: Mirai
File size: 999'824 bytes
First seen: 2025-05-20 17:32:45 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 24576:1RYObRWoisW52jYwA33aAJY6cytVxD7uaGYEoN:1KARWos2WqWYgVxD75GY
TLSH: T123254C47EF505FEBC0E98E314C6EC20702AAE5D255C793EA71BCC65C7A9967D0E83488
telfhash: t1fef0a6a04a7d40800d62ec009c5211ff5eebe6aa1e81f945fb8addc52c6e01dfb43e4b
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence

File Origin
# of uploads: 1
# of downloads: 103
Origin country: DE
Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Sets a written file as executable
Creating a file
Creates directories in a subdirectory of a temporary directory
Creates directories

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bash gcc lolbin remote

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: mips
Packer: not packed
Botnet: unknown
Number of open files: 7
Number of processes launched: 1
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour: no suspicious findings
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 68 / 100
Signature
Drops files in suspicious directories
Drops invisible ELF files
Malicious sample detected (through community Yara rule)
Sample tries to persist itself using .desktop files
Writes ELF files to hidden directories
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 1695294, Sample: mipsel.elf, Startdate: 20/05/2025, Architecture: LINUX, Score: 68. The graph nodes show mipsel.elf spawning copies of itself named lists, update, updater and servers; these drop ELF copies as hidden .update-* files under /tmp/systemd-priva… and /root/snap/.config… and into /usr/local/sbin, /usr/local/bin, /usr/sbin and /usr/bin, and write an update.desktop file for persistence. Three outbound TCP connections (ports 80 and 443) are also shown.
Threat name: Linux.Trojan.SAgnt
Status: Malicious
First seen: 2025-05-20 17:23:49 UTC
File Type: ELF32 Little (Exe)
AV detection: 14 of 38 (36.84%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery execution persistence privilege_escalation
Behaviour
System Network Configuration Discovery
Writes file to shm directory
Writes file to tmp directory
Creates .desktop file
Modifies Bash startup script
Creates/modifies environment variables
Write file to user bin folder
Writes file to system bin folder
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: F01_s1ckrule
Author: s1ckb017

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: malwareelf55503

Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
Sample: elf a22fc801dd8403569a8fd3c0c2b4ae72464cbcc33af092afabc3ccb65c1fd3db (this sample)

Delivery method
Distributed via web download
