MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b31cdd55ef65c423a3268078aae28911506bee278f3cf4e5c7397daba2247727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b31cdd55ef65c423a3268078aae28911506bee278f3cf4e5c7397daba2247727
SHA3-384 hash: 66cf1ac5985a0e6035c8f8c098a80a9d34bc0b85767a5eb60b311077a88cf6d4a7742e715ca99fcb2f94d29b81fd1ca1
SHA1 hash: c487c5a3c128186e19a9d85c99e7f16c41d96ef2
MD5 hash: 46e59f8351b52d2a1bf4717e348ff329
humanhash: florida-pasta-friend-zebra
File name:arm7
Download: download sample
Signature Mirai
Create hunting rule
File size:80'572 bytes
First seen:2025-10-16 11:25:38 UTC
Last seen:2025-10-17 04:43:48 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:1NnKTRnw5gKn2YciTeX9V91mtKb1P6qp+VrW8QGdleWisCo8e:ARw5SYciTeNPMtcB6qp+VrWdkCo3
TLSH T17273E649BC819B11D5D822BAFE2E118D33275BB8E3EEB212DD105B1567CA91F0F77902
telfhash t1bee0eb34881c88ccfbf2f3c0e2ec001a9cbc333113022049c682931b84138e7f01984a
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
2
# of downloads :
51
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Opens a port
Sends data to a server
Creating a file
Receives data from a server
Connection attempt
Runs as daemon
Substitutes an application name
Performs a bruteforce attack in the network
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
android mirai rust
Link:
https://www.filescan.io/uploads/68f0d64e64833d0cfabe5c5b/reports/049f3c8c-cae6-4fde-8018-1b43025f8b04/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-10-16T06:09:00Z UTC
Last seen:
2025-10-16T17:58:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/b31cdd55ef65c423a3268078aae28911506bee278f3cf4e5c7397daba2247727/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/1fc01e10-ee33-429f-8ff2-07299d5c8baf
Behavior Graph:
Download SVG
%3 guuid=70c6bcf4-1800-0000-f620-f80606140000 pid=5126 /usr/bin/sudo guuid=cf1788f6-1800-0000-f620-f8060c140000 pid=5132 /tmp/sample.bin guuid=70c6bcf4-1800-0000-f620-f80606140000 pid=5126->guuid=cf1788f6-1800-0000-f620-f8060c140000 pid=5132 execve
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b97b826-9cb8-484c-85d0-191d8372cd33
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1796458
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1796458 Sample: arm7.elf Startdate: 16/10/2025 Architecture: LINUX Score: 48 18 136.31.17.213 WEBPASSUS United States 2->18 20 2.205.85.117, 23 VODANETInternationalIP-BackboneofVodafoneDE Germany 2->20 22 98 other IPs or domains 2->22 24 Multi AV Scanner detection for submitted file 2->24 8 arm7.elf 2->8         started        signatures3 process4 process5 10 arm7.elf 8->10         started        process6 12 arm7.elf 10->12         started        14 arm7.elf 10->14         started        16 arm7.elf 10->16         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/b31cdd55ef65c423a3268078aae28911506bee278f3cf4e5c7397daba2247727
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b31cdd55ef65c423a3268078aae28911506bee278f3cf4e5c7397daba2247727/
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-10-16 12:16:16 UTC
AV detection:
17 of 38 (44.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wmon2vppmxcchizgqb4kvyujcfigx3rhr46pjzohhf62xireo4tq._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
credential_access defense_evasion discovery
Link:
https://tria.ge/reports/251016-njq62shp5s/
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
Reads process memory
Enumerates active TCP sockets
Enumerates running processes
Modifies Watchdog functionality
Renames itself
Unexpected DNS network traffic destination
Contacts a large (181262) amount of remote hosts
Creates a large amount of network flows
Verdict:
Malicious
Tags:
Unix.Trojan.Mirai-1
YARA:
n/a
Link:
https://app.threat.zone/submission/1b7f41a4-6e34-4c35-8705-650ff2ffc3b0
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b31cdd55ef65c423a3268078aae28911506bee278f3cf4e5c7397daba2247727

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Generic_Threat_8299c877
Create hunting rule
Author:Elastic Security
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf b31cdd55ef65c423a3268078aae28911506bee278f3cf4e5c7397daba2247727

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3657686/
  
Delivery method
Distributed via web download

Comments