MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0026a72a4e34f6ff5a2b0ac1e5f202b39412dbe9ef629119e4ea659e5323abc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9



SHA256 hash: b0026a72a4e34f6ff5a2b0ac1e5f202b39412dbe9ef629119e4ea659e5323abc
SHA3-384 hash: 64631b53573cc22e0bf92b2ce7be16f69332ef1a5eb9138c5ddaaa8012b4ba7feb2ddc490daf4afbbe6be6ad6a68f483
SHA1 hash: 5f9dc66130d2679e6f4325480ccb2c597805e7bd
MD5 hash: 1e10bb271c300ae58ae76010fba47845
humanhash: sodium-alabama-robin-low
File name: clientamd64
Signature: Mirai
File size: 961'136 bytes
First seen: 2026-04-05 01:55:40 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep 12288:sRstFBnNgAJJ2ro319IndWHI2XPpDTSaavC5RRd+FcVglW21FqYEayd+SMgI0zHX:sROrnNgxMF9lUaYYglWmqYIMg
TLSH T1E6157D2EB2B3B5BCD007C03447DBCAA29535B47522322DBB27C4DA353D66DE51369B22
telfhash t148b13d700af935f0b29fc911b352f4b96a7228f661e936a01b376d94dfd4f810ca6427
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags: elf mirai

Intelligence


File Origin
# of uploads :
1
# of downloads :
19
Origin country :
DE
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Connection attempt
Collects information on the RAM
Deleting a recently created file
Sends data to a server
Launching a process
Creating a file in the %temp% directory
Collects information on the CPU
Receives data from a server
Creating a file
Locks files
DNS request
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
8
Number of processes launched:
84
Processes remaining?
true
Remote TCP ports scanned:
not identified
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Status:
terminated
Behavior Graph: [process and network graph not reproduced]
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj
Score:
48 / 100
Signature
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Behaviour
Behavior Graph: ID 1893684, Sample: clientamd64.elf, Startdate: 05/04/2026, Architecture: LINUX, Score: 48 [graph not reproduced]
Threat name:
Linux.Trojan.Generic
Status:
Suspicious
First seen:
2026-04-05 01:57:36 UTC
File Type:
ELF64 Little (Exe)
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm credential_access defense_evasion discovery execution linux persistence
Behaviour
Software Deployment Tools
Command and Scripting Interpreter: Unix Shell
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads CPU attributes
Contacts third-party web service commonly abused for C2
Deletes log files
Looks up external IP address via web service
Write file to user bin folder
Executes dropped EXE
OS Credential Dumping
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: F01_s1ckrule
Author: s1ckb017

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: malwareelf55503

Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team
Description: Detects the reference of suspicious sites that might be used to download further malware

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf b0026a72a4e34f6ff5a2b0ac1e5f202b39412dbe9ef629119e4ea659e5323abc

(this sample)

Comments