MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9a3b28baf736dcf0555d9e7363b13a06b6bdc4f9a01fc1e93db78240dec0c85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9a3b28baf736dcf0555d9e7363b13a06b6bdc4f9a01fc1e93db78240dec0c85
SHA3-384 hash: c4488bae04c36e38630e5fa26041ebcbde22e185bf0a1583e83064a91cc053f81b703283964af1751c4b27879e9c3996
SHA1 hash: efd3e7ea84347a48beeef7eea4332e2753fac7a7
MD5 hash: 953d3f7feecd487b6b8d810d3ad02397
humanhash: fourteen-spaghetti-vegan-london
File name:xnxnxnxnxnxnxnxni386xnxn
Download: download sample
Signature Mirai
Create hunting rule
File size:123'472 bytes
First seen:2025-12-21 19:31:20 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:36tJsoRNjmj1VGCLUZMIV9Sr+QVrxZNio8w:VoRNjmj1VGc3rRio7
TLSH T109C35B82E6A2D0F0E68701B00557F3E68935EA305416CEC6EFA93D71EC717829D9BB1C
telfhash t1dd4107fa5ea60ce873d49c05d35e1730b909da3b687036aa40f31e7536fad9212b5c35
Magika elf
Reporter abuse_ch
Tags:elf gafgyt mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 cc08d1e6c384658eeac77c0284e59b30ad9cec728eedddd559a747f76b09dc6f
File size (compressed) :60'788 bytes
File size (de-compressed) :123'472 bytes
Format:linux/i386
Packed file: cc08d1e6c384658eeac77c0284e59b30ad9cec728eedddd559a747f76b09dc6f

Intelligence

File Origin
# of uploads :
1
# of downloads :
41
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Detection(s):
Unix.Trojan.Mirai-10056451-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
DNS request
Runs as daemon
Creating a file in the %temp% directory
Receives data from a server
Kills processes
Locks files
Sends data to a server
Substitutes an application name
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
rust
Link:
https://www.filescan.io/uploads/69484b133f8fdbf8e94dbea3/reports/3fd8e853-26f8-416a-89f4-8ff81b1b8ed6/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-12-21T16:51:00Z UTC
Last seen:
2025-12-21T17:10:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/a9a3b28baf736dcf0555d9e7363b13a06b6bdc4f9a01fc1e93db78240dec0c85/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/d990a9d6-0a3b-4ec0-9024-587d02f6967b
Behavior Graph:
Download SVG
%3 guuid=afb19271-1b00-0000-fe20-98bfe00b0000 pid=3040 /usr/bin/sudo guuid=63b65674-1b00-0000-fe20-98bfe80b0000 pid=3048 /tmp/sample.bin guuid=afb19271-1b00-0000-fe20-98bfe00b0000 pid=3040->guuid=63b65674-1b00-0000-fe20-98bfe80b0000 pid=3048 execve guuid=8a9c7374-1b00-0000-fe20-98bfe90b0000 pid=3049 /tmp/sample.bin guuid=63b65674-1b00-0000-fe20-98bfe80b0000 pid=3048->guuid=8a9c7374-1b00-0000-fe20-98bfe90b0000 pid=3049 clone guuid=86f27974-1b00-0000-fe20-98bfea0b0000 pid=3050 /tmp/sample.bin net send-data zombie guuid=8a9c7374-1b00-0000-fe20-98bfe90b0000 pid=3049->guuid=86f27974-1b00-0000-fe20-98bfea0b0000 pid=3050 clone 9a6302f7-7a83-5384-a427-43347f281767 41.216.189.149:54128 guuid=86f27974-1b00-0000-fe20-98bfea0b0000 pid=3050->9a6302f7-7a83-5384-a427-43347f281767 send: 134B 4f6baed0-9587-596c-82b3-fd721afe4cc1 10.0.2.3:53 guuid=86f27974-1b00-0000-fe20-98bfea0b0000 pid=3050->4f6baed0-9587-596c-82b3-fd721afe4cc1 send: 33B guuid=86f27974-1b00-0000-fe20-98bfea0b0000 pid=3052 /tmp/sample.bin guuid=86f27974-1b00-0000-fe20-98bfea0b0000 pid=3050->guuid=86f27974-1b00-0000-fe20-98bfea0b0000 pid=3052 clone guuid=86f27974-1b00-0000-fe20-98bfea0b0000 pid=3053 /tmp/sample.bin zombie guuid=86f27974-1b00-0000-fe20-98bfea0b0000 pid=3050->guuid=86f27974-1b00-0000-fe20-98bfea0b0000 pid=3053 clone
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3b4fa2b8-cd43-4d11-b989-5a0ad62e029b
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1837203
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/a9a3b28baf736dcf0555d9e7363b13a06b6bdc4f9a01fc1e93db78240dec0c85
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a9a3b28baf736dcf0555d9e7363b13a06b6bdc4f9a01fc1e93db78240dec0c85/
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-12-21 19:32:19 UTC
File Type:
ELF32 Little (Exe)
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgr3fc5ponw46bkv3httmoytubvwxxcptia7yhut3n4cidpmbscq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
antivm discovery linux
Link:
https://tria.ge/reports/251221-x8rzbabm7t/
Behaviour
Reads runtime system information
Writes file to tmp directory
Changes its process name
Reads system network configuration
Checks hardware identifiers (DMI)
Enumerates active TCP sockets
Enumerates running processes
Verdict:
Malicious
Tags:
Unix.Trojan.Mirai-10056451-0
YARA:
n/a
Link:
https://app.threat.zone/submission/4abb1584-79d8-46ea-b288-a9e4098cae0b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf cc08d1e6c384658eeac77c0284e59b30ad9cec728eedddd559a747f76b09dc6f

Mirai

elf a9a3b28baf736dcf0555d9e7363b13a06b6bdc4f9a01fc1e93db78240dec0c85

(this sample)

  
Dropped by
SHA256 cc08d1e6c384658eeac77c0284e59b30ad9cec728eedddd559a747f76b09dc6f
  
URLhaus
https://urlhaus.abuse.ch/url/3739616/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 8e6a9a6fcb1c9458787908622839bd3f
  
URLhaus
https://urlhaus.abuse.ch/url/3739654/

Comments