MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a54e8cc21ed34c00daa66f29310c0e765a894fef9e8b16854abb474837ffdf5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 11

SHA256 hash: a54e8cc21ed34c00daa66f29310c0e765a894fef9e8b16854abb474837ffdf5d
SHA3-384 hash: 2428b4d2e35d9f6feea3ce80f1c2b7aefbfb2d1b59e69375780ef2326c3ba7089abed7b6613b28374237042d916ef693
SHA1 hash: 7d93cb3ed231674706ffa8e0d1e36b642c1f36cd
MD5 hash: 86997925480b2a443a204f301df766fa
humanhash: ceiling-magazine-william-purple
File name: Fantazy.i486
Signature: Mirai
File size: 74'328 bytes
First seen: 2025-12-08 21:47:10 UTC
Last seen: 2025-12-08 22:27:11 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 1536:7NKUBf1J2hoQYjSwScT82ARNpz7HrVS94Ykp8:7N11CYel2ARNpz7Hrk9sp8
TLSH: T19B735C4AE7CBF9F0CD410678306BAB35D93698323134DFF7E7D4B557AA56212A04226C
telfhash: t15c2100f60ab418e4b7d08942c10d4b706e9dab3b281076a307f3653422afe83903bc39
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence


File Origin
# of uploads: 2
# of downloads: 39
Origin country: DE

Vendor Threat Intelligence
Malware configuration found for: Mirai
Details: Mirai - an XOR decryption key and at least a c2 socket address
Result
Verdict: Malware
Maliciousness:

Behaviour
Runs as daemon
Kills processes
Opens a port
Sends data to a server
Connection attempt
Substitutes an application name
Verdict: Malicious
File Type: elf.32.le
First seen: 2025-12-08T19:32:00Z UTC
Last seen: 2025-12-08T23:42:00Z UTC
Hits: ~10
Result
Threat name: n/a
Detection: malicious
Classification: spre.troj
Score: 76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 1829180; Sample: Fantazy.i486.elf; Start date: 08/12/2025; Architecture: LINUX; Score: 76.
Signatures shown in the graph: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sample reads /proc/mounts (often used for finding a writable filesystem); Reads system files that contain records of logged in users; Sample tries to kill multiple processes (SIGKILL).
Dropped file shown in the graph: /var/log/wtmp (data).
Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2025-12-08 21:48:18 UTC
File Type: ELF32 Little (Exe)
AV detection: 24 of 38 (63.16%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: credential_access defense_evasion discovery linux
Behaviour
Reads runtime system information
Changes its process name
Reads process memory
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Contacts a large (24003) amount of remote hosts
Creates a large amount of network flows
Verdict: Malicious
Tags: trojan mirai Unix.Trojan.Mirai-7135937-0
YARA: Linux_Trojan_Mirai_aa39fb02 Linux_Trojan_Mirai_3a56423b Linux_Trojan_Mirai_575f5bc8 Linux_Trojan_Mirai_6e8e9257
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: Linux_Trojan_Mirai_3a56423b
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_575f5bc8
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_6e8e9257
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_aa39fb02
Author: Elastic Security

Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Mirai
elf a54e8cc21ed34c00daa66f29310c0e765a894fef9e8b16854abb474837ffdf5d (this sample)

Delivery method: Distributed via web download

Comments