MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac4cfd34e2876ab19b329c93ec3f1e0601bc5e4c2c8ee03528c42ba46782fa2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 7


Intelligence 7 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac4cfd34e2876ab19b329c93ec3f1e0601bc5e4c2c8ee03528c42ba46782fa2e
SHA3-384 hash: beb4ec0427672b46db4e14c183225107a73a0bb693a8c3c8f14050a75351366a5b5558a62ec044ca881f4d7da89dd0c9
SHA1 hash: 7dfcdf02347505d048c99b3bdc1369a6cc47cdbb
MD5 hash: 1ea5aa3e955f7252842d4ce765784ab2
humanhash: nebraska-july-table-gee
File name:data.x86
Download: download sample
Signature Mirai
Create hunting rule
File size:865'880 bytes
First seen:2026-01-12 21:01:48 UTC
Last seen:2026-01-13 10:38:29 UTC
File type: elf
MIME type:application/x-executable
ssdeep 12288:+5JOpr9gh6Yh+Lp8kgxWOcmiSBAJ044w13L6SBN8V93yPyMDisdrH6jLu:+ipWh6YhVkAgmrMr4w13lKV9iisdr
TLSH T131057C9DE786E0E1F62300F1025FDBF64634A12A5023F6F6EF55266374327616F1A22E
telfhash t171d117732da598d873f0440583a7b121ce36e4172af0297219f36491b7b6f836b36db9
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
2
# of downloads :
65
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
gcc masquerade mirai rust
Link:
https://www.filescan.io/uploads/69656161c82deb762e7a7728/reports/088021b9-c2b1-4b51-8b36-ea084de926bd/overview
Result
Gathering data
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/d727358b-e054-48fd-a4ab-38be456f4481
Behavior Graph:
Download SVG
%3 guuid=8876a106-1900-0000-70b1-e0c9f0120000 pid=4848 /usr/bin/sudo guuid=d1874908-1900-0000-70b1-e0c9f8120000 pid=4856 /tmp/sample.bin net guuid=8876a106-1900-0000-70b1-e0c9f0120000 pid=4848->guuid=d1874908-1900-0000-70b1-e0c9f8120000 pid=4856 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=d1874908-1900-0000-70b1-e0c9f8120000 pid=4856->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=88ee8208-1900-0000-70b1-e0c9fa120000 pid=4858 /tmp/sample.bin guuid=d1874908-1900-0000-70b1-e0c9f8120000 pid=4856->guuid=88ee8208-1900-0000-70b1-e0c9fa120000 pid=4858 clone guuid=34238b08-1900-0000-70b1-e0c9fb120000 pid=4859 /tmp/sample.bin write-config zombie guuid=88ee8208-1900-0000-70b1-e0c9fa120000 pid=4858->guuid=34238b08-1900-0000-70b1-e0c9fb120000 pid=4859 clone guuid=c5b8e108-1900-0000-70b1-e0c9fe120000 pid=4862 /usr/bin/dash guuid=34238b08-1900-0000-70b1-e0c9fb120000 pid=4859->guuid=c5b8e108-1900-0000-70b1-e0c9fe120000 pid=4862 execve guuid=762d6b09-1900-0000-70b1-e0c902130000 pid=4866 /tmp/sample.bin dns net send-data write-file zombie guuid=34238b08-1900-0000-70b1-e0c9fb120000 pid=4859->guuid=762d6b09-1900-0000-70b1-e0c902130000 pid=4866 clone guuid=62530509-1900-0000-70b1-e0c9ff120000 pid=4863 /usr/bin/cp guuid=c5b8e108-1900-0000-70b1-e0c9fe120000 pid=4862->guuid=62530509-1900-0000-70b1-e0c9ff120000 pid=4863 execve guuid=762d6b09-1900-0000-70b1-e0c902130000 pid=4866->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 send: 34B c7f3fd6c-df8f-501c-b378-7ce65631888c cyber-reborn.com:25565 guuid=762d6b09-1900-0000-70b1-e0c902130000 pid=4866->c7f3fd6c-df8f-501c-b378-7ce65631888c send: 11B guuid=7b666e09-1900-0000-70b1-e0c904130000 pid=4868 /tmp/sample.bin guuid=762d6b09-1900-0000-70b1-e0c902130000 pid=4866->guuid=7b666e09-1900-0000-70b1-e0c904130000 pid=4868 clone guuid=18653d0a-1900-0000-70b1-e0c907130000 pid=4871 /usr/bin/dash guuid=762d6b09-1900-0000-70b1-e0c902130000 pid=4866->guuid=18653d0a-1900-0000-70b1-e0c907130000 pid=4871 execve guuid=89e1c313-1900-0000-70b1-e0c92b130000 pid=4907 /usr/bin/dash guuid=762d6b09-1900-0000-70b1-e0c902130000 pid=4866->guuid=89e1c313-1900-0000-70b1-e0c92b130000 pid=4907 execve guuid=54f3970a-1900-0000-70b1-e0c90a130000 pid=4874 /usr/sbin/xtables-nft-multi guuid=18653d0a-1900-0000-70b1-e0c907130000 pid=4871->guuid=54f3970a-1900-0000-70b1-e0c90a130000 pid=4874 execve guuid=063ded13-1900-0000-70b1-e0c92d130000 pid=4909 /usr/sbin/xtables-nft-multi guuid=89e1c313-1900-0000-70b1-e0c92b130000 pid=4907->guuid=063ded13-1900-0000-70b1-e0c92d130000 pid=4909 execve
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/350e645e-6335-4073-98dd-e5a9e9f1d27e
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1849529
Signature
Drops files in suspicious directories
Executes the "iptables" command to insert, remove and/or manipulate rules
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1849529 Sample: data.x86.elf Startdate: 12/01/2026 Architecture: LINUX Score: 56 41 109.202.202.202, 80 INIT7CH Switzerland 2->41 43 cyber-reborn.com 130.12.180.108, 25565, 37724 DATAHOPDatahop-SixDegreesGB Canada 2->43 45 3 other IPs or domains 2->45 10 data.x86.elf 2->10         started        12 dash rm 2->12         started        14 dash rm 2->14         started        process3 process4 16 data.x86.elf 10->16         started        process5 18 data.x86.elf 16->18         started        file6 39 /etc/init.d/system_service, POSIX 18->39 dropped 49 Sample tries to set files in /etc globally writable 18->49 51 Drops files in suspicious directories 18->51 53 Sample tries to persist itself using System V runlevels 18->53 22 data.x86.elf 18->22         started        24 data.x86.elf sh 18->24         started        signatures7 process8 process9 26 data.x86.elf sh 22->26         started        28 data.x86.elf sh 22->28         started        30 data.x86.elf 22->30         started        32 sh cp 24->32         started        process10 34 sh iptables 26->34         started        37 sh iptables 28->37         started        signatures11 47 Executes the "iptables" command to insert, remove and/or manipulate rules 34->47
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/ac4cfd34e2876ab19b329c93ec3f1e0601bc5e4c2c8ee03528c42ba46782fa2e
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ac4cfd34e2876ab19b329c93ec3f1e0601bc5e4c2c8ee03528c42ba46782fa2e/
Threat name:
Linux.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-01-12 21:02:30 UTC
File Type:
ELF32 Little (Exe)
AV detection:
4 of 36 (11.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vrgp2nhcq5vldgzstsj6ypy6aya3yxsmfshoanjiyqv2iz4c7ixa._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
credential_access discovery linux persistence
Link:
https://tria.ge/reports/260112-zvm5baev6a/
Behaviour
Reads runtime system information
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Enumerates active TCP sockets
Enumerates running processes
Modifies init.d
Modifies rc script
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/edefde6b-86e7-4c09-b867-f8149172e22b
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac4cfd34e2876ab19b329c93ec3f1e0601bc5e4c2c8ee03528c42ba46782fa2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:malwareelf55503
Create hunting rule
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf ac4cfd34e2876ab19b329c93ec3f1e0601bc5e4c2c8ee03528c42ba46782fa2e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3746581/
  
Delivery method
Distributed via web download

Comments