MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b37a16cc0e2bf402c45390f890f9c97dda1825b19b419af1dd56171ebc8ea8ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 13


Intelligence 13 IOCs YARA 16 File information Comments

SHA256 hash: b37a16cc0e2bf402c45390f890f9c97dda1825b19b419af1dd56171ebc8ea8ed
SHA3-384 hash: 8840f00bbbe4da6b01a15b28b6a634e7a5b783b53fbaf75b7c3c918adea979a09d91b04e906e8f6b101123b5fb2290cc
SHA1 hash: 079932786f2f4302b84522b533d970b227671ccf
MD5 hash: e7d5eaf89643b37b34d64afb69cc5fb8
humanhash: saturn-carpet-uniform-william
File name:micro.x86_64
Download: download sample
Signature Mirai
File size:160'728 bytes
First seen:2026-05-31 17:25:48 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:xWPA5oc+Gm1usV/tVgs5QT8c0FxPjsK9Mkgk7sQA:xWPA5ocByVdjsKCpQ
TLSH T184F34A17B9D184FDC9DAC1744BBFB13AE931B05D0238B26B27C4AE222E4DE301E6D655
telfhash t1e951e9743d82394c62db9a6bb24fe9eaf97308140ad270e56e337de5ce5a7840d62413
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 d0667cc345a45dbcffd133dbcee3b2b41548df5850239284e71f4bddccf86be4
File size (compressed) :61'056 bytes
File size (de-compressed) :160'728 bytes
Format:linux/amd64
Packed file: d0667cc345a45dbcffd133dbcee3b2b41548df5850239284e71f4bddccf86be4

Intelligence


File Origin
# of uploads :
1
# of downloads :
70
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Mirai
Details
Mirai
an XOR decryption key and at least a c2 socket address
Result
Verdict:
Malware
Maliciousness:

Behaviour
Runs as daemon
Sends data to a server
Receives data from a server
Connection attempt
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2026-05-31T16:27:00Z UTC
Last seen:
2026-05-31T16:55:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
%3 guuid=c4e51cea-1600-0000-4f32-58210a0e0000 pid=3594 /usr/bin/sudo guuid=b4f8f8eb-1600-0000-4f32-58210e0e0000 pid=3598 /tmp/sample.bin net send-data guuid=c4e51cea-1600-0000-4f32-58210a0e0000 pid=3594->guuid=b4f8f8eb-1600-0000-4f32-58210e0e0000 pid=3598 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=b4f8f8eb-1600-0000-4f32-58210e0e0000 pid=3598->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con 1e4b2d99-3f5d-5293-8aa0-cb5d2b3168e1 176.65.139.46:80 guuid=b4f8f8eb-1600-0000-4f32-58210e0e0000 pid=3598->1e4b2d99-3f5d-5293-8aa0-cb5d2b3168e1 send: 94B guuid=b7870eec-1600-0000-4f32-58210f0e0000 pid=3599 /tmp/sample.bin guuid=b4f8f8eb-1600-0000-4f32-58210e0e0000 pid=3598->guuid=b7870eec-1600-0000-4f32-58210f0e0000 pid=3599 clone guuid=4827e4ed-1600-0000-4f32-5821130e0000 pid=3603 /tmp/sample.bin net send-data zombie guuid=b4f8f8eb-1600-0000-4f32-58210e0e0000 pid=3598->guuid=4827e4ed-1600-0000-4f32-5821130e0000 pid=3603 clone guuid=4827e4ed-1600-0000-4f32-5821130e0000 pid=3603->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con a472ec19-88fb-5c11-903c-cb07abb25bcf 176.65.139.46:1337 guuid=4827e4ed-1600-0000-4f32-5821130e0000 pid=3603->a472ec19-88fb-5c11-903c-cb07abb25bcf send: 7B guuid=b705ebed-1600-0000-4f32-5821140e0000 pid=3604 /tmp/sample.bin guuid=4827e4ed-1600-0000-4f32-5821130e0000 pid=3603->guuid=b705ebed-1600-0000-4f32-5821140e0000 pid=3604 clone
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1920774 Sample: micro.x86_64.elf Startdate: 31/05/2026 Architecture: LINUX Score: 64 22 176.65.139.46, 1337, 38588, 42632 STORMINDUSTRIESHostingServicesUS Netherlands 2->22 24 109.202.202.202, 80 INIT7CH Switzerland 2->24 26 3 other IPs or domains 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 Antivirus / Scanner detection for submitted sample 2->30 32 Multi AV Scanner detection for submitted file 2->32 8 micro.x86_64.elf 2->8         started        10 dash rm 2->10         started        12 dash rm 2->12         started        14 python3.8 dpkg 2->14         started        signatures3 process4 process5 16 micro.x86_64.elf 8->16         started        18 micro.x86_64.elf 8->18         started        process6 20 micro.x86_64.elf 16->20         started       
Threat name:
Linux.Backdoor.Mirai
Status:
Malicious
First seen:
2026-05-31 17:26:44 UTC
File Type:
ELF64 Little (Exe)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:mirai botnet:lzrd botnet defense_evasion linux
Behaviour
Writes file to system bin folder
Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Toriilike_persist
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:Linux_Trojan_Gafgyt_0cd591cd
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_33b4111a
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_620087b9
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_807911a2
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_9e9530a7
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_a33a8363
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d0c57a2e
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d4227dbf
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d996d335
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_01e4a728
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_1e0c5ce0
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_520deeb8
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_6a77af0f
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_e0cf29e2
Author:Elastic Security
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf b37a16cc0e2bf402c45390f890f9c97dda1825b19b419af1dd56171ebc8ea8ed

(this sample)

  
Delivery method
Distributed via web download

Comments