MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad23d3c3a70c722f36f005a0660fe2dbf6385fc6da6c799d0feb81599dd7e341. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad23d3c3a70c722f36f005a0660fe2dbf6385fc6da6c799d0feb81599dd7e341
SHA3-384 hash: 79d047b06dde47df742439bf35b2e17051c311d63145d46a24dea7690de8d2b31e1da0e194baff7f6d5024ad31e1e7f4
SHA1 hash: c7329de7741529b10c49a0aae595fdbf6ed59374
MD5 hash: 1af4de72c3ecf9b8b42f585232da79ff
humanhash: item-diet-angel-steak
File name:Mozi.m
Download: download sample
Signature Mirai
Create hunting rule
File size:307'960 bytes
First seen:2021-07-20 08:03:09 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xioH3Q:p3lOYoaja8xzx/0wsxzSiL
TLSH T1FF640287EB22BC1FCE010FB121DB0B9E66BC965B83C79091B2D4C95F35B6185B7A11C9
Reporter tolisec
Tags:mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Mirai-63.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL
Create hunting rule

Unix.Dropper.Botnet-6566040-0
Create hunting rule

Unix.Packed.Botnet-6566031-0
Create hunting rule

Unix.Trojan.Gafgyt-6748839-0
Create hunting rule

Unix.Trojan.Mozi-9840825-0
Create hunting rule

Unix.Trojan.Mirai-9843255-0
Create hunting rule

Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
false
Architecture:
mips
Packer:
UPX
Botnet:
59.99.141.70:50782
Number of open files:
430
Number of processes launched:
38
Processes remaning?
true
Remote TCP ports scanned:
8080,7574,80,60001,52869,8443,49152,37215,8081,81,5555,8181,2323,23
Full report:
https://elfdigest.com/brief/ad23d3c3a70c722f36f005a0660fe2dbf6385fc6da6c799d0feb81599dd7e341
Behaviour
Process Renaming
Firewall Changes
Information Gathering
Botnet C2s
TCP botnet C2(s):
212.129.33.59:6881
87.98.162.88:6881
67.215.246.10:6881
82.221.103.244:6881
130.239.18.159:6881
103.134.205.204:6881
178.184.206.142:6881
46.233.220.192:6881
5.165.2.8:6881
59.97.174.187:6881
91.206.15.133:6881
2.108.162.130:6881
176.215.59.131:6881
83.143.32.73:21228
77.43.132.243:5008
180.218.243.59:7256
108.29.172.31:50321
82.10.73.236:50321
31.54.32.211:50321
1.64.181.201:51417
157.32.83.237:60680
27.5.19.157:46603
117.194.162.72:26667
46.172.127.231:12352
118.44.8.11:41237
46.181.86.21:17791
91.105.176.207:26694
89.109.49.59:8249
178.252.101.244:40105
188.230.63.235:35766
117.222.166.11:31874
188.32.233.33:34886
88.147.136.215:40783
118.158.198.135:9371
49.89.231.214:8080
59.94.193.66:8080
125.51.147.17:18395
95.46.140.137:18510
95.211.213.220:54871
2.95.204.120:10426
83.97.109.93:1547
176.114.65.123:51413
37.57.18.3:51413
27.83.27.149:51413
128.68.115.236:36727
126.237.189.35:23575
202.164.139.55:30544
117.196.23.141:56295
108.249.194.121:30301
59.94.200.108:30301
59.93.19.164:56796
116.74.23.141:58045
202.170.126.200:23790
202.164.130.86:51041
117.213.43.37:20555
103.217.117.24:35433
178.187.128.31:15854
217.199.227.144:20983
178.72.77.117:2152
92.126.212.111:41137
117.251.55.113:62678
195.94.250.178:21755
117.251.56.178:53498
180.188.250.16:5870
123.192.101.163:30539
37.46.62.203:19883
178.72.71.118:11514
94.179.235.179:23671
54.77.218.23:6992
54.209.131.199:6892
84.52.94.75:23175
128.74.191.186:61299
185.165.160.102:56842
203.115.91.82:4393
27.6.204.204:41405
178.72.70.179:20656
81.30.176.208:55641
188.187.12.76:8689
46.182.109.230:15259
91.121.83.60:26516
37.79.156.88:37986
77.40.13.148:16092
111.92.116.245:20715
178.49.117.66:10360
59.99.40.79:1027
180.188.224.99:37298
188.163.50.38:40402
95.76.18.58:33245
37.21.56.105:26452
5.39.226.220:55754
95.71.18.59:39574
87.225.15.108:6882
94.154.214.117:32950
130.239.18.159:8896
178.72.68.159:10466
61.3.158.212:19364
59.93.31.102:6667
185.34.240.227:47545
188.233.212.62:56242
117.196.51.116:22987
178.72.77.64:8387
82.215.105.207:17463
95.28.153.187:14744
112.168.0.76:30329
103.41.25.13:13914
220.218.229.178:22200
116.66.218.82:22644
188.143.142.31:33333
171.33.246.220:3713
41.207.248.243:15703
95.32.18.81:26033
109.106.143.206:28437
213.108.36.115:49160
180.131.238.158:16286
185.107.71.129:28118
84.108.70.97:13792
51.158.148.27:10082
98.159.35.5:60935
79.69.130.43:21469
UDP botnet C2(s):
not identified
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/212e83a0-3cbf-4f22-9fc6-9ce680fab994
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/818729
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451140 Sample: Mozi.m Startdate: 20/07/2021 Architecture: LINUX Score: 84 26 Antivirus / Scanner detection for submitted sample 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected Mirai 2->30 32 3 other signatures 2->32 6 upstart sh 2->6         started        8 upstart sh 2->8         started        10 upstart sh 2->10         started        12 Mozi.m 2->12         started        process3 process4 14 sh date 6->14         started        16 sh apport-checkreports 6->16         started        18 sh date 8->18         started        20 sh apport-gtk 8->20         started        22 sh date 10->22         started        24 sh apport-gtk 10->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad23d3c3a70c722f36f005a0660fe2dbf6385fc6da6c799d0feb81599dd7e341/
Threat name:
Linux.Trojan.Mirai
Create hunting rule
Status:
Malicious
First seen:
2021-01-23 02:17:11 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  9/10
Tags:
linux
Link:
https://tria.ge/reports/210720-35xjb6yz96/
Behaviour
Reads runtime system information
Writes file to tmp directory
Reads system network configuration
Enumerates active TCP sockets
Reads system routing table
Modifies hosts file
Modifies the Watchdog daemon
Writes file to system bin folder
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/ad23d3c3a70c722f36f005a0660fe2dbf6385fc6da6c799d0feb81599dd7e341

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf ad23d3c3a70c722f36f005a0660fe2dbf6385fc6da6c799d0feb81599dd7e341

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/983449/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/983466/
  
URLhaus
https://urlhaus.abuse.ch/url/1144051/
  
URLhaus
https://urlhaus.abuse.ch/url/1144216/
  
URLhaus
https://urlhaus.abuse.ch/url/1144869/
  
URLhaus
https://urlhaus.abuse.ch/url/1467813/
  
URLhaus
https://urlhaus.abuse.ch/url/1470292/

Comments