MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a861f22316198a3d223c9a612b510d5eb2177a6c11d2f081d4e7c8499b0edf26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 11 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a861f22316198a3d223c9a612b510d5eb2177a6c11d2f081d4e7c8499b0edf26
SHA3-384 hash: 31d097ee2b2a36f3ddb3615f1316cc0a92410469da85e729bbd39a18d58155babb3d96688e5f594da9a3914959cb7bf9
SHA1 hash: 9af7348ce37b96cb262e4fc90920778d4af77d68
MD5 hash: 6ce18ef97dc28ad721bcb26d84178aca
humanhash: nuts-social-alabama-thirteen
File name:6ce18ef97dc28ad721bcb26d84178aca
Download: download sample
Signature Mirai
Create hunting rule
File size:114'412 bytes
First seen:2024-04-08 00:08:39 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:5tyBeAZDJCRBMjvG4FGV94lXkGLy+GB2NccmAx9HSUt2Q7xW3N:nPWDJaKpoQKGNGcNcayuI3N
TLSH T170B36DC4F747C0F6FD5291B51067A7368773E439503AEA97C3A9E932EC122519A2B32C
telfhash t11c512df61e7a0ce4b7c4a902931f7b119d2ed77b146037a34573992436aad8282b6c38
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter zbetcheckin
Tags:32 elf intel mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
FR FR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Receives data from a server
Runs as daemon
Kills processes
DNS request
Opens a port
Sends data to a server
Connection attempt
Traces processes
Substitutes an application name
Kills critical processes
Deleting of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug php
Link:
https://www.filescan.io/uploads/661335a6bda3c35a0b03f72b/reports/307914d8-7a92-45e3-aa7a-d0c3e792ba41/overview
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bdb7b138-ff82-4c67-a37a-3a941f5988e9
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1421876
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1421876 Sample: USE5KJLGvF.elf Startdate: 08/04/2024 Architecture: LINUX Score: 100 78 secure-core-rebirthltd.su 2->78 80 41.204.199.8, 37215 xneeloZA South Africa 2->80 82 100 other IPs or domains 2->82 92 Snort IDS alert for network traffic 2->92 94 Malicious sample detected (through community Yara rule) 2->94 96 Antivirus / Scanner detection for submitted sample 2->96 98 4 other signatures 2->98 11 systemd gdm3 2->11         started        13 systemd gpu-manager 2->13         started        15 systemd gpu-manager 2->15         started        17 51 other processes 2->17 signatures3 process4 file5 21 gdm3 gdm-session-worker 11->21         started        31 3 other processes 11->31 23 gpu-manager sh 13->23         started        25 gpu-manager sh 13->25         started        33 6 other processes 13->33 35 8 other processes 15->35 76 /var/log/wtmp, data 17->76 dropped 84 Sample deletes itself 17->84 86 Sample reads /proc/mounts (often used for finding a writable filesystem) 17->86 88 Reads system files that contain records of logged in users 17->88 27 USE5KJLGvF.elf 17->27         started        29 accounts-daemon language-validate 17->29         started        37 2 other processes 17->37 signatures6 process7 process8 39 gdm-session-worker gdm-wayland-session 21->39         started        41 sh grep 23->41         started        43 sh grep 25->43         started        45 USE5KJLGvF.elf 27->45         started        52 2 other processes 27->52 48 language-validate language-options 29->48         started        50 sh grep 33->50         started        54 5 other processes 33->54 56 8 other processes 35->56 signatures9 58 gdm-wayland-session dbus-run-session 39->58         started        60 gdm-wayland-session dbus-daemon 39->60         started        102 Sample tries to kill multiple processes (SIGKILL) 45->102 63 language-options sh 48->63         started        process10 signatures11 65 dbus-run-session dbus-daemon 58->65         started        100 Sample reads /proc/mounts (often used for finding a writable filesystem) 60->100 68 dbus-daemon 60->68         started        70 sh locale 63->70         started        72 sh grep 63->72         started        process12 signatures13 90 Sample reads /proc/mounts (often used for finding a writable filesystem) 65->90 74 dbus-daemon false 68->74         started        process14
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/a861f22316198a3d223c9a612b510d5eb2177a6c11d2f081d4e7c8499b0edf26
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a861f22316198a3d223c9a612b510d5eb2177a6c11d2f081d4e7c8499b0edf26/
Threat name:
Linux.Trojan.Mirai
Create hunting rule
Status:
Malicious
First seen:
2024-04-08 00:09:08 UTC
File Type:
ELF32 Little (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vbq7eiywdgfd2ir4tjqswuinl2zbo6tmchjpbaou47eetgyo34ta._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery linux
Link:
https://tria.ge/reports/240408-afgasaaf81/
Behaviour
Reads runtime system information
Enumerates running processes
Changes its process name
Deletes itself
Traces itself
Unexpected DNS network traffic destination
Contacts a large (38396) amount of remote hosts
Creates a large amount of network flows
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a861f22316198a3d223c9a612b510d5eb2177a6c11d2f081d4e7c8499b0edf26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Linux_Trojan_Mirai_389ee3e9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_5f7b67b8
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_88de437f
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_8aa7b5d3
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_ae9d0fa6
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_b14f4c5d
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_cc93863b
Create hunting rule
Author:Elastic Security
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf a861f22316198a3d223c9a612b510d5eb2177a6c11d2f081d4e7c8499b0edf26

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2803843/
  
URLhaus
https://urlhaus.abuse.ch/url/2804355/
  
URLhaus
https://urlhaus.abuse.ch/url/2801855/
  
URLhaus
https://urlhaus.abuse.ch/url/2803851/

Comments


Avatar
zbet commented on 2024-04-08 00:08:40 UTC

url : hxxp://79.110.62.86/x86_32