MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7614efb29ad9b64a8970c9ea8dfadb0f79f6858a30524635c0cb084ef39e72d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 13


Intelligence 13 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7614efb29ad9b64a8970c9ea8dfadb0f79f6858a30524635c0cb084ef39e72d
SHA3-384 hash: 792a1cf07975ba2f4d9c39c025f4c397a2413f769a21d6f8057b9b08ab5d82a5880082b857ba004b094c89d9a74cadea
SHA1 hash: f11cf1fc2f0da4f874e228b7721c1e47f4306d7a
MD5 hash: 875d8b4703425700a7f16242f990caac
humanhash: arizona-sink-river-leopard
File name:Fantazy.x86
Download: download sample
Signature Mirai
Create hunting rule
File size:74'544 bytes
First seen:2026-01-04 09:48:08 UTC
Last seen:2026-01-05 21:29:47 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:hFlQjJcUuoWQKhru9fLc4VoD7yB89cLYHOYvP+Q5Z+h5bGeTiS97s/:zQJcToWnhSFA4VoD7yB89cLkOA+CIjhM
TLSH T1C8734AC8A5C3F9F5EC110979307AAB719A77F43FA179EE97D3A82533A901202E10175E
telfhash t17f110afd15394cacb7e09c42e11e4631395aa77b28103a630673653426bed4744bbd7c
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
3
# of downloads :
57
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
Mirai
Details
Mirai
an XOR decryption key and at least a c2 socket address
Link:
https://research.acce.ciphertechsolutions.com/results/43188bb4-d128-49a3-a78d-d07a5cebdc9b/
Detection(s):
Unix.Trojan.Mirai-7135937-0
Create hunting rule

Unix.Dropper.Mirai-7136014-0
Create hunting rule

Unix.Trojan.Mirai-9835278-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-01-04T07:05:00Z UTC
Last seen:
2026-01-04T21:44:00Z UTC
Hits:
~100
Detections:
HEUR:Backdoor.Linux.Mirai.dx HEUR:Backdoor.Linux.Mirai.b
Link:
https://opentip.kaspersky.com/a7614efb29ad9b64a8970c9ea8dfadb0f79f6858a30524635c0cb084ef39e72d/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/30a68982-eeb2-4e97-a2bc-d451f5276ee2
Behavior Graph:
Download SVG
%3 guuid=e1294636-1a00-0000-dda1-2450510c0000 pid=3153 /usr/bin/sudo guuid=325d8539-1a00-0000-dda1-2450520c0000 pid=3154 /tmp/sample.bin net guuid=e1294636-1a00-0000-dda1-2450510c0000 pid=3153->guuid=325d8539-1a00-0000-dda1-2450520c0000 pid=3154 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=325d8539-1a00-0000-dda1-2450520c0000 pid=3154->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=b5dbcd39-1a00-0000-dda1-2450530c0000 pid=3155 /tmp/sample.bin guuid=325d8539-1a00-0000-dda1-2450520c0000 pid=3154->guuid=b5dbcd39-1a00-0000-dda1-2450530c0000 pid=3155 clone guuid=6055d439-1a00-0000-dda1-2450540c0000 pid=3156 /tmp/sample.bin net send-data zombie guuid=325d8539-1a00-0000-dda1-2450520c0000 pid=3154->guuid=6055d439-1a00-0000-dda1-2450540c0000 pid=3156 clone guuid=6055d439-1a00-0000-dda1-2450540c0000 pid=3156->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con 9bff2e1e-4e84-5ecd-918a-a1cdd4202ef3 130.12.180.28:63645 guuid=6055d439-1a00-0000-dda1-2450540c0000 pid=3156->9bff2e1e-4e84-5ecd-918a-a1cdd4202ef3 send: 9B guuid=8e79ed39-1a00-0000-dda1-2450550c0000 pid=3157 /tmp/sample.bin guuid=6055d439-1a00-0000-dda1-2450540c0000 pid=3156->guuid=8e79ed39-1a00-0000-dda1-2450550c0000 pid=3157 clone guuid=5e51f539-1a00-0000-dda1-2450560c0000 pid=3158 /tmp/sample.bin guuid=6055d439-1a00-0000-dda1-2450540c0000 pid=3156->guuid=5e51f539-1a00-0000-dda1-2450560c0000 pid=3158 clone guuid=7588fa39-1a00-0000-dda1-2450570c0000 pid=3159 /tmp/sample.bin net net-scan send-data guuid=6055d439-1a00-0000-dda1-2450540c0000 pid=3156->guuid=7588fa39-1a00-0000-dda1-2450570c0000 pid=3159 clone guuid=7588fa39-1a00-0000-dda1-2450570c0000 pid=3159->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con 43f10b5b-1ef8-552e-bf13-48ed4fd6a7e4 89.230.6.224:23 guuid=7588fa39-1a00-0000-dda1-2450570c0000 pid=3159->43f10b5b-1ef8-552e-bf13-48ed4fd6a7e4 send: 40B guuid=7588fa39-1a00-0000-dda1-2450570c0000 pid=3159|send-data send-data to 4097 IP addresses review logs to see them all guuid=7588fa39-1a00-0000-dda1-2450570c0000 pid=3159->guuid=7588fa39-1a00-0000-dda1-2450570c0000 pid=3159|send-data send
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0fb05c9b-fab1-4b0a-b140-e8dfe66bcd45
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1844409
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1844409 Sample: Fantazy.x86.elf Startdate: 04/01/2026 Architecture: LINUX Score: 76 154 Malicious sample detected (through community Yara rule) 2->154 156 Antivirus / Scanner detection for submitted sample 2->156 158 Multi AV Scanner detection for submitted file 2->158 14 systemd gdm3 2->14         started        16 systemd gpu-manager 2->16         started        18 Fantazy.x86.elf 2->18         started        20 33 other processes 2->20 process3 file4 24 gdm3 gdm-session-worker 14->24         started        26 gdm3 gdm-session-worker 14->26         started        36 3 other processes 14->36 28 gpu-manager sh 16->28         started        38 7 other processes 16->38 30 Fantazy.x86.elf 18->30         started        32 Fantazy.x86.elf 18->32         started        146 /var/log/wtmp, data 20->146 dropped 162 Sample reads /proc/mounts (often used for finding a writable filesystem) 20->162 164 Reads system files that contain records of logged in users 20->164 34 accounts-daemon language-validate 20->34         started        40 4 other processes 20->40 signatures5 process6 process7 42 gdm-session-worker gdm-x-session 24->42         started        44 gdm-session-worker gdm-wayland-session 26->44         started        46 sh grep 28->46         started        48 Fantazy.x86.elf 30->48         started        50 Fantazy.x86.elf 30->50         started        57 2 other processes 30->57 53 language-validate language-options 34->53         started        55 sh grep 38->55         started        59 6 other processes 38->59 signatures8 61 gdm-x-session dbus-run-session 42->61         started        63 gdm-x-session Xorg Xorg.wrap Xorg 42->63         started        65 gdm-x-session Default 42->65         started        67 gdm-wayland-session dbus-run-session 44->67         started        69 Fantazy.x86.elf 48->69         started        160 Sample tries to kill multiple processes (SIGKILL) 50->160 72 language-options sh 53->72         started        process9 signatures10 74 dbus-run-session dbus-daemon 61->74         started        77 dbus-run-session gnome-session gnome-session-binary 1 61->77         started        79 Xorg sh 63->79         started        81 Xorg sh 63->81         started        83 dbus-run-session dbus-daemon 67->83         started        85 dbus-run-session gnome-session gnome-session-binary 1 67->85         started        166 Sample tries to kill multiple processes (SIGKILL) 69->166 87 sh locale 72->87         started        89 sh grep 72->89         started        process11 signatures12 168 Sample tries to kill multiple processes (SIGKILL) 74->168 170 Sample reads /proc/mounts (often used for finding a writable filesystem) 74->170 91 dbus-daemon 74->91         started        93 dbus-daemon 74->93         started        102 9 other processes 74->102 95 gnome-session-binary sh gnome-shell 77->95         started        104 18 other processes 77->104 98 sh xkbcomp 79->98         started        100 sh xkbcomp 81->100         started        106 7 other processes 83->106 108 2 other processes 85->108 process13 signatures14 110 dbus-daemon at-spi-bus-launcher 91->110         started        112 dbus-daemon gjs 93->112         started        172 Sample reads /proc/mounts (often used for finding a writable filesystem) 95->172 115 gnome-shell ibus-daemon 95->115         started        125 9 other processes 102->125 117 gsd-print-notifications 104->117         started        119 gnome-session-check-accelerated gnome-session-check-accelerated-gl-helper 104->119         started        121 gnome-session-check-accelerated gnome-session-check-accelerated-gles-helper 104->121         started        123 dbus-daemon false 106->123         started        127 6 other processes 106->127 process15 signatures16 129 at-spi-bus-launcher dbus-daemon 110->129         started        148 Sample reads /proc/mounts (often used for finding a writable filesystem) 112->148 132 ibus-daemon 115->132         started        134 ibus-daemon ibus-memconf 115->134         started        136 ibus-daemon ibus-engine-simple 115->136         started        138 gsd-print-notifications gsd-printer 117->138         started        process17 signatures18 150 Sample tries to kill multiple processes (SIGKILL) 129->150 152 Sample reads /proc/mounts (often used for finding a writable filesystem) 129->152 140 dbus-daemon 129->140         started        142 ibus-daemon ibus-x11 132->142         started        process19 process20 144 dbus-daemon at-spi2-registryd 140->144         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/a7614efb29ad9b64a8970c9ea8dfadb0f79f6858a30524635c0cb084ef39e72d
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a7614efb29ad9b64a8970c9ea8dfadb0f79f6858a30524635c0cb084ef39e72d/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/a7614efb29ad9b64a8970c9ea8dfadb0f79f6858a30524635c0cb084ef39e72d
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-04 09:49:14 UTC
File Type:
ELF32 Little (Exe)
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u5qu56zjvwnwjkexbspkrx5nwd3z62cyumcsiy24bsyij3zz44wq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai credential_access defense_evasion discovery linux
Link:
https://tria.ge/reports/260104-ls3v4aymar/
Behaviour
Reads runtime system information
Changes its process name
Reads process memory
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Contacts a large (23848) amount of remote hosts
Creates a large amount of network flows
Verdict:
Malicious
Tags:
trojan mirai Unix.Trojan.Mirai-7135937-0
YARA:
Linux_Trojan_Mirai_fa3ad9d0 Linux_Trojan_Mirai_b14f4c5d Linux_Trojan_Mirai_93fc3657 Linux_Trojan_Mirai_804f8e7c Linux_Trojan_Mirai_99d78950 Linux_Trojan_Mirai_575f5bc8 Linux_Trojan_Mirai_a68e498c Linux_Trojan_Mirai_88de437f Linux_Trojan_Mirai_ae9d0fa6 Linux_Trojan_Mirai_389ee3e9 Linux_Trojan_Mirai_cc93863b Linux_Trojan_Mirai_8aa7b5d3
Link:
https://app.threat.zone/submission/aa31dc81-5ddd-46ed-ade9-410fe863a09d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:elf_mirai_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects elf.mirai.
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Mirai_389ee3e9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_575f5bc8
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_804f8e7c
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_88de437f
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_8aa7b5d3
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_93fc3657
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_99d78950
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_a68e498c
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_ae9d0fa6
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_b14f4c5d
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_cc93863b
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_fa3ad9d0
Create hunting rule
Author:Elastic Security
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 6a3c45d3c6166d64090163f506abf7efbbf637e76b5809c1a0fff61f41a20a21

Mirai

elf a7614efb29ad9b64a8970c9ea8dfadb0f79f6858a30524635c0cb084ef39e72d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3750061/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3750124/
  
Dropped by
SHA256 6a3c45d3c6166d64090163f506abf7efbbf637e76b5809c1a0fff61f41a20a21
  
Dropped by
MD5 d8144c08a0c970777b708252317a992d
  
URLhaus
https://urlhaus.abuse.ch/url/3750699/

Comments