MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b230fffe398fd040331e643de50e2b4f2ff214331f80b7aa2d94ce856066ba55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7



SHA256 hash: b230fffe398fd040331e643de50e2b4f2ff214331f80b7aa2d94ce856066ba55
SHA3-384 hash: b874d864edcc2cee9d3cc37f71444ad5f8aeb05d0629ea9b87ee62c2401965d2d512df2597aae595b4a072b5ed3c85bc
SHA1 hash: 6454d90c61284f9cc0d9dd246657eb6b5c25fad3
MD5 hash: 11258985cc5d6b6c47afd55c4a5caf84
humanhash: orange-xray-leopard-bulldog
File name: Mozi.m
Signature: Mirai
File size: 307'960 bytes
First seen: 2021-07-30 02:02:14 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 3072:2glZ3FtCKXhkmHtZ9TEKzjfj/WMngyIfsJ0F7xPtowoG2sKqqwPa5POdOQ33Q:2IIKXhZtL7jOTyIG87XToNsKqqfPqOJ
TLSH: T15464E1D7EA01BE75F4D151B5FA2F034873728BA8D3C7B211F214CA29399E24A4B7A1C5
Reporter: tolisec
Tags: mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 555
Origin country: n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Mirai-63.UNOFFICIAL
SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL
Unix.Dropper.Botnet-6566040-0
Unix.Packed.Botnet-6566031-0
Unix.Trojan.Gafgyt-6748839-0
Unix.Trojan.Mirai-7100807-0
Unix.Dropper.Mirai-7135934-0
Unix.Dropper.Mirai-7136013-0
Unix.Dropper.Mirai-7136057-0
Unix.Dropper.Mirai-7136070-0
Unix.Trojan.Mirai-8025795-0
Unix.Trojan.Mirai-9762350-0
Unix.Trojan.Mirai-9763616-0
Unix.Trojan.Mirai-9769616-0
Unix.Trojan.Mirai-9774339-0
Unix.Trojan.Mirai-9774712-0
Unix.Trojan.Mirai-9774958-0
Unix.Trojan.Mirai-9778190-0
Unix.Trojan.Mirai-9778279-0
Unix.Trojan.Mirai-9778883-0
Unix.Trojan.Mirai-9786053-0
Unix.Trojan.Mirai-9786115-0
Unix.Trojan.Mirai-9786166-0
Unix.Exploit.Mirai-9795501-0
Unix.Trojan.Mirai-9819430-0
Unix.Trojan.Mirai-9819450-0
Unix.Trojan.Mirai-9821543-0
Unix.Trojan.Mirai-9822019-0
Unix.Trojan.Mirai-9822570-0
Unix.Trojan.Mirai-9823425-0
Unix.Trojan.Mirai-9823624-0
Unix.Trojan.Mirai-9823625-0
Unix.Dropper.Mirai-9825964-0
Unix.Trojan.Mirai-9826420-0
Unix.Trojan.Mirai-9826840-0
Unix.Trojan.Mirai-9827594-0
Unix.Trojan.Mirai-9828330-0
Unix.Trojan.Mirai-9828606-0
Unix.Trojan.Mirai-9829012-0
Unix.Trojan.Mirai-9858729-0
Unix.Trojan.Gafgyt-6735924-0
Verdict: Malicious
Uses P2P?: true
Uses anti-vm?: false
Architecture: mips
Packer: UPX
Botnet: 61.3.150.182:39664
Number of open files: 430
Number of processes launched: 38
Processes remaining?: true
Remote TCP ports scanned: 80,7574,49152,60001,8080,8081,81,52869,8181,5555,8443,37215,1023,23
Behaviour
Process Renaming
Firewall Changes
Information Gathering
Botnet C2s
TCP botnet C2(s):
87.98.162.88:6881
212.129.33.59:6881
67.215.246.10:6881
82.221.103.244:6881
130.239.18.159:6881
181.210.53.214:6881
37.187.113.145:6881
31.17.111.95:6881
60.125.58.120:6881
69.248.39.54:6881
89.12.148.30:6881
85.224.49.140:6881
163.172.85.156:6881
31.184.254.119:6881
81.243.165.202:6881
147.192.156.171:23442
91.140.90.215:21521
206.189.96.59:8081
59.93.25.177:8081
167.99.249.26:8081
198.16.58.241:8081
112.27.80.120:8081
130.239.18.159:8723
72.187.147.100:49001
180.150.12.78:49001
70.19.69.249:49001
5.137.46.74:49001
130.239.18.159:8547
178.141.40.58:8080
90.159.233.113:8080
96.49.232.42:8080
178.72.70.72:42293
111.92.79.72:6755
185.136.149.101:33556
173.237.254.168:34006
158.69.53.10:25530
68.161.185.65:49201
203.106.81.159:27604
5.150.202.162:61696
219.95.27.180:54670
15.207.153.94:4000
117.223.82.13:4000
117.217.69.57:4000
59.99.136.17:4000
114.236.135.56:4000
85.17.172.81:8999
47.150.244.17:8999
93.51.19.130:8999
130.239.18.159:9031
130.239.18.159:8700
130.239.18.159:8792
173.212.202.22:51505
217.20.138.171:51413
31.44.225.133:51413
37.187.19.46:51413
94.19.90.132:51413
81.171.22.94:51413
50.93.55.136:51413
185.245.2.85:51413
176.31.253.61:51413
81.33.243.252:51413
27.83.27.149:51413
130.239.18.159:8896
180.76.235.126:10510
95.158.19.130:4872
178.141.75.194:32321
117.194.171.114:48370
46.237.50.234:5353
220.135.136.93:5353
189.1.135.236:5353
112.27.124.124:35848
171.44.224.159:14493
59.99.43.205:24861
178.141.140.148:36136
73.238.60.85:50321
174.93.206.84:50321
172.222.176.186:50321
212.109.192.97:8621
62.205.207.253:59914
114.157.48.34:7404
37.146.100.42:55579
94.23.7.201:50085
188.209.56.12:28045
94.215.180.29:51417
124.218.69.121:51417
219.74.247.136:51417
119.246.97.70:7769
91.121.164.220:64093
62.210.74.244:63557
89.115.117.96:53288
218.19.222.24:21509
174.94.12.15:13601
98.117.39.160:59712
71.225.107.12:56264
89.11.132.24:64356
198.245.49.28:50002
143.198.224.72:6889
68.231.109.16:56127
143.244.41.205:57108
195.139.149.46:55424
37.105.169.239:19230
50.72.18.34:8267
174.1.32.13:38855
185.200.116.131:22384
184.160.68.158:48079
87.114.32.15:37828
94.36.106.223:57834
95.169.232.44:55980
46.147.173.213:20863
112.27.124.145:39679
59.98.101.56:38159
113.110.149.217:45127
106.209.147.252:1105
62.210.73.100:55051
45.86.190.173:11165
174.110.12.75:19877
121.185.245.168:40761
198.73.50.72:59621
178.167.57.109:62942
89.132.232.185:43957
130.239.18.159:8973
213.136.79.205:6919
178.141.168.174:9977
128.69.179.116:39999
81.229.230.103:33561
130.239.18.159:8744
37.48.93.129:64992
188.209.56.26:28052
111.92.72.211:5459
180.188.232.211:20685
77.94.25.27:64714
45.87.251.11:28091
89.242.157.25:32630
37.133.162.152:29546
90.252.218.102:57448
178.72.71.69:16673
191.136.108.137:16921
189.34.122.243:16324
185.126.33.59:54403
178.72.77.3:25825
115.96.83.182:23764
223.130.31.24:26574
117.221.184.161:28861
91.109.200.254:35972
128.74.100.37:63103
156.146.62.209:35113
46.146.248.61:44067
82.23.141.14:32797
92.100.93.84:42913
59.93.21.63:46758
180.188.248.31:7668
116.68.97.119:11186
202.164.138.142:41170
137.186.10.2:7751
86.26.41.183:36954
UDP botnet C2(s):
not identified
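Added example, not part of the MalwareBazaar report or of any vendor's tooling: a detection pass that turns the "Remote TCP ports scanned" list and the TCP C2 list above into two checks over Zeek-style conn.log rows, an exact (destination IP, port) match against the listed C2 endpoints, and an outbound-scanning heuristic that flags a source touching many distinct hosts on one of the probed ports. Only a subset of the report's C2 endpoints is embedded (add the rest in the same shape); the log rows are constructed for the example, not captured traffic; and the five-target scanning threshold is an arbitrary choice. The C2 match is protocol-aware: the report identifies TCP C2s only and lists no UDP C2, so a UDP flow to a listed IP on 6881 is deliberately not reported as a C2 hit.

```python
"""Match Zeek-style conn.log rows against the report's TCP C2 list and
flag outbound scanning on the ports the sample probed."""
from collections import defaultdict

# (ip, port) pairs copied from the report's "TCP botnet C2(s)" list (subset).
TCP_C2 = {
    ("87.98.162.88", 6881),
    ("212.129.33.59", 6881),
    ("130.239.18.159", 8723),
    ("206.189.96.59", 8081),
    ("15.207.153.94", 4000),
    ("217.20.138.171", 51413),
}

# Ports the sample probed outbound, per the report's "Remote TCP ports scanned".
SCANNED_PORTS = {80, 7574, 49152, 60001, 8080, 8081, 81, 52869,
                 8181, 5555, 8443, 37215, 1023, 23}

# Constructed conn.log-style rows (ts, id.orig_h, id.orig_p, id.resp_h,
# id.resp_p, proto). Not real traffic; made up for this example.
SAMPLE_LOG = """\
1627610000.101\t192.168.1.20\t40001\t87.98.162.88\t6881\ttcp
1627610000.205\t192.168.1.20\t40002\t10.0.0.5\t37215\ttcp
1627610000.310\t192.168.1.20\t40003\t10.0.0.6\t37215\ttcp
1627610000.411\t192.168.1.20\t40004\t10.0.0.7\t37215\ttcp
1627610000.512\t192.168.1.20\t40005\t10.0.0.8\t37215\ttcp
1627610000.613\t192.168.1.20\t40006\t10.0.0.9\t37215\ttcp
1627610001.010\t192.168.1.20\t40007\t206.189.96.59\t8081\ttcp
1627610001.110\t192.168.1.21\t50000\t8.8.8.8\t53\tudp
1627610001.210\t192.168.1.21\t50001\t87.98.162.88\t6881\tudp
1627610001.310\t192.168.1.20\t40008\t10.0.0.6\t80\ttcp
"""


def parse_conn(text):
    """Yield one dict per well-formed row; comment rows and malformed rows are skipped."""
    for raw in text.splitlines():
        parts = raw.split("\t")
        if raw.startswith("#") or len(parts) < 6:
            continue
        try:
            yield {"ts": float(parts[0]), "src": parts[1], "sport": int(parts[2]),
                   "dst": parts[3], "dport": int(parts[4]), "proto": parts[5].lower()}
        except ValueError:
            continue


def match_c2(records, c2=TCP_C2):
    """Return (src, dst, dport) for TCP flows whose destination is a listed C2 endpoint.
    UDP flows are ignored on purpose: the report identifies TCP C2s only."""
    return [(r["src"], r["dst"], r["dport"]) for r in records
            if r["proto"] == "tcp" and (r["dst"], r["dport"]) in c2]


def detect_scanning(records, ports=SCANNED_PORTS, min_targets=5):
    """Return {src: {dport: distinct_destination_count}} for sources that reached
    at least min_targets distinct hosts on one of the probed ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["proto"] == "tcp" and r["dport"] in ports:
            seen[r["src"]][r["dport"]].add(r["dst"])
    return {src: {p: len(d) for p, d in by_port.items() if len(d) >= min_targets}
            for src, by_port in seen.items()
            if any(len(d) >= min_targets for d in by_port.values())}


if __name__ == "__main__":
    recs = list(parse_conn(SAMPLE_LOG))
    print("C2 hits:", match_c2(recs))
    print("Scanning:", detect_scanning(recs))
```

On the constructed rows the C2 check returns the two TCP flows to 87.98.162.88:6881 and 206.189.96.59:8081 and the scanning check flags 192.168.1.20 for five distinct hosts on 37215; the single hit on port 80 stays below the threshold. For real conn.log files, feed `parse_conn` the file contents and load the full C2 list from the report.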
Result
Verdict: MALICIOUS
Result
Threat name:
Detection: malicious
Classification: spre.troj.evad
Score: 88 / 100
Signature
Found strings indicative of a multi-platform dropper
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Yara detected Mirai
Behaviour
Behavior Graph (ID 456633; sample Mozi.m; start date 30/07/2021; architecture LINUX; score 88):
Signatures on the root node: Multi AV Scanner detection for submitted file; Yara detected Mirai (listed twice); 4 other signatures.
Processes started: upstart sh (three instances), Mozi.m.
Children of the upstart sh instances: sh date, sh apport-checkreports, sh date, sh apport-gtk, sh date, sh apport-gtk. The Mozi.m node has no child processes in the graph; the date/apport children hang off the sandbox's upstart shells.
Threat name: Linux.Trojan.Mirai
Status: Malicious
First seen: 2021-07-30 01:37:28 UTC
AV detection: 18 of 46 (39.13%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: linux
Behaviour
Reads runtime system information
Writes file to tmp directory
Reads system network configuration
Enumerates active TCP sockets
Reads system routing table
Modifies hosts file
Modifies the Watchdog daemon
Writes file to system bin folder
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: linux_generic_p2p_catcher
Author: @_lubiedo
Description: Generic catcher for P2P capable linux ELFs
Rule name: SUSP_ELF_LNX_UPX_Compressed_File
Author: Florian Roth
Description: Detects a suspicious ELF binary with UPX compression
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
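Added example, not MalwareBazaar's code and not the text of the YARA rules above: a static triage pass over the two properties the report states for this file, Architecture: mips and Packer: UPX, which are also what a rule such as SUSP_ELF_LNX_UPX_Compressed_File is aimed at. It parses the ELF e_ident and e_machine fields for class, byte order and machine, scans for the two common UPX markers, and returns the SHA256 so the result can be compared against the hash listed at the top of the page before any deeper work. The input is a constructed 52-byte big-endian MIPS ELF32 header with UPX strings appended, not the Mozi.m sample; the EM_NAMES table and the marker strings are this example's own choices, not the rule's contents.

```python
"""Static ELF triage: class, byte order, machine, UPX markers, SHA256."""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values worth naming for IoT bot triage (ELF spec constants).
EM_NAMES = {3: "x86", 8: "mips", 20: "ppc", 40: "arm", 62: "x86-64", 183: "aarch64"}
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
# Strings a stock UPX build leaves in the file: the l_info/trailer magic and the info banner.
UPX_MAGIC = b"UPX!"
UPX_INFO = b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $"


def elf_header(data):
    """Parse e_ident plus e_type/e_machine. Returns None for non-ELF input."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    order = {1: "<", 2: ">"}.get(ei_data)      # ELFDATA2LSB / ELFDATA2MSB
    if order is None:
        return None
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return {
        "bits": {1: 32, 2: 64}.get(ei_class, 0),
        "endian": "little" if ei_data == 1 else "big",
        "type": ET_NAMES.get(e_type, f"unknown({e_type})"),
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
    }


def upx_markers(data):
    """Return the UPX indicators found. An empty list does not clear the file:
    Mirai-family builds commonly overwrite the UPX! magic to break `upx -d`."""
    found = []
    if UPX_MAGIC in data:
        found.append("UPX! magic")
    if UPX_INFO in data:
        found.append("UPX info string")
    return found


def triage(data):
    """One record per sample: hash to compare against the MalwareBazaar entry,
    header facts, and packer markers."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "elf": elf_header(data),
        "upx": upx_markers(data),
    }


def build_sample(machine=8, big_endian=True):
    """Constructed test input: a minimal ELF32 header (e_machine 8 == EM_MIPS by
    default) followed by UPX marker strings. Not real malware."""
    order = ">" if big_endian else "<"
    e_ident = ELF_MAGIC + bytes([1, 2 if big_endian else 1, 1]) + b"\x00" * 9
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack(order + "HHIIIIIHHHHHH",
                       2, machine, 1, 0x400000, 52, 0, 0x1007, 52, 32, 2, 40, 0, 0)
    return e_ident + rest + UPX_MAGIC + b"\x00" * 20 + UPX_INFO


if __name__ == "__main__":
    print(triage(build_sample()))
```

Usage on a real download: `triage(open(path, "rb").read())` and check that `sha256` equals the value in the entry above before treating any other field as belonging to this sample. The header parse stops at e_machine on purpose; reading program headers of a packed file says little until it is unpacked.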

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File type / SHA256: elf b230fffe398fd040331e643de50e2b4f2ff214331f80b7aa2d94ce856066ba55 (this sample)

Delivery method: Distributed via web download
