MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8a196da57dbd7e5310c4e6206438207c2011559456da3624d1f8bbec839f3c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 14


Intelligence 14 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8a196da57dbd7e5310c4e6206438207c2011559456da3624d1f8bbec839f3c0
SHA3-384 hash: dba36f2f5b2fecdfd2587a7afee1ccda3dafc70094f96e82e3b3f16ab54fb900384da34df3cc88b435067ce7967090e5
SHA1 hash: 21837e6cbff43c25c4059c4da8fc54ad6d0591ed
MD5 hash: 8137158ec8bb92b832ea03a94ac463b4
humanhash: venus-speaker-iowa-orange
File name:x86
Download: download sample
Signature Mirai
Create hunting rule
File size:150'152 bytes
First seen:2026-01-03 12:51:25 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:Zii3IxIjqHMBZLo97k/xpGGtSMrODCNVjzbt3/VxZn6NfxY7BwbZnuv:Yi3IxIjqHYu97+jt1rOs3dP69wBwRu
TLSH T1CFE37EC5F743E4F5E91601712177AB36AB72E03E203ADA83C7B96E33EC52941C54A26C
telfhash t10251cdf9627b0eed9bd49803e78d6b31ec0e66bb786436f106a715d0322614142b9c79
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 1c3e6df9446b59c6d4c02bee2ed00714897de782ce06818ce7f9d7f41b296055
File size (compressed) :61'508 bytes
File size (de-compressed) :150'152 bytes
Format:linux/i386
Packed file: 1c3e6df9446b59c6d4c02bee2ed00714897de782ce06818ce7f9d7f41b296055

Intelligence

File Origin
# of uploads :
1
# of downloads :
42
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Mirai
Details
Mirai
an XOR decryption key and at least a c2 socket address
Link:
https://research.acce.ciphertechsolutions.com/results/094e2698-c19c-452b-9481-c14007f6c731/
Detection(s):
SecuriteInfo.com.Linux.Mirai-63.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30435.LC.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Siggen.9999-14.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-7100807-0
Create hunting rule

Unix.Trojan.Mirai-7135916-0
Create hunting rule

Unix.Dropper.Mirai-7136016-0
Create hunting rule

Unix.Trojan.Mirai-8025795-0
Create hunting rule

Unix.Trojan.Mirai-9441505-0
Create hunting rule

Unix.Trojan.Mirai-10028515-0
Create hunting rule

Unix.Trojan.Mirai-10056463-0
Create hunting rule

Unix.Trojan.Mirai-10059006-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Kills processes
Sends data to a server
Launching a process
Manages services
Creating a file
Runs as daemon
Sets a written file as executable
Opens a port
Substitutes an application name
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
botnet gafgyt mirai obfuscated
Link:
https://www.filescan.io/uploads/695910fd2fb7bb52ca85e567/reports/f3d9894c-460a-4695-bc7a-dcac0bd8387e/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-01-03T09:57:00Z UTC
Last seen:
2026-01-04T01:46:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Linux.Gafgyt.bj HEUR:Backdoor.Linux.Mirai.r HEUR:Backdoor.Linux.Mirai.cw HEUR:Backdoor.Linux.Mirai.b HEUR:Backdoor.Linux.Gafgyt.bl
Link:
https://opentip.kaspersky.com/b8a196da57dbd7e5310c4e6206438207c2011559456da3624d1f8bbec839f3c0/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/c7c5eb54-a282-4849-9d90-3aa686733be2
Behavior Graph:
Download SVG
%3 guuid=cc193128-1c00-0000-fd50-ac4c960e0000 pid=3734 /usr/bin/sudo guuid=cdf5fd29-1c00-0000-fd50-ac4c9e0e0000 pid=3742 /tmp/sample.bin net write-config write-file guuid=cc193128-1c00-0000-fd50-ac4c960e0000 pid=3734->guuid=cdf5fd29-1c00-0000-fd50-ac4c9e0e0000 pid=3742 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=cdf5fd29-1c00-0000-fd50-ac4c9e0e0000 pid=3742->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=4729b72a-1c00-0000-fd50-ac4ca40e0000 pid=3748 /usr/bin/dash guuid=cdf5fd29-1c00-0000-fd50-ac4c9e0e0000 pid=3742->guuid=4729b72a-1c00-0000-fd50-ac4ca40e0000 pid=3748 execve guuid=28d5532c-1c00-0000-fd50-ac4cab0e0000 pid=3755 /usr/bin/dash guuid=cdf5fd29-1c00-0000-fd50-ac4c9e0e0000 pid=3742->guuid=28d5532c-1c00-0000-fd50-ac4cab0e0000 pid=3755 execve guuid=d12a302e-1c00-0000-fd50-ac4cb40e0000 pid=3764 /tmp/sample.bin guuid=cdf5fd29-1c00-0000-fd50-ac4c9e0e0000 pid=3742->guuid=d12a302e-1c00-0000-fd50-ac4cb40e0000 pid=3764 clone guuid=cddc332e-1c00-0000-fd50-ac4cb50e0000 pid=3765 /tmp/sample.bin guuid=cdf5fd29-1c00-0000-fd50-ac4c9e0e0000 pid=3742->guuid=cddc332e-1c00-0000-fd50-ac4cb50e0000 pid=3765 clone guuid=d2da372e-1c00-0000-fd50-ac4cb70e0000 pid=3767 /tmp/sample.bin net send-data zombie guuid=cdf5fd29-1c00-0000-fd50-ac4c9e0e0000 pid=3742->guuid=d2da372e-1c00-0000-fd50-ac4cb70e0000 pid=3767 clone guuid=3217e92a-1c00-0000-fd50-ac4ca50e0000 pid=3749 /usr/bin/systemctl guuid=4729b72a-1c00-0000-fd50-ac4ca40e0000 pid=3748->guuid=3217e92a-1c00-0000-fd50-ac4ca50e0000 pid=3749 execve guuid=ae038b2c-1c00-0000-fd50-ac4cad0e0000 pid=3757 /usr/bin/systemctl guuid=28d5532c-1c00-0000-fd50-ac4cab0e0000 pid=3755->guuid=ae038b2c-1c00-0000-fd50-ac4cad0e0000 pid=3757 execve guuid=0f61372e-1c00-0000-fd50-ac4cb60e0000 pid=3766 /tmp/sample.bin guuid=d12a302e-1c00-0000-fd50-ac4cb40e0000 pid=3764->guuid=0f61372e-1c00-0000-fd50-ac4cb60e0000 pid=3766 clone guuid=28463b2e-1c00-0000-fd50-ac4cb80e0000 pid=3768 /tmp/sample.bin guuid=d12a302e-1c00-0000-fd50-ac4cb40e0000 pid=3764->guuid=28463b2e-1c00-0000-fd50-ac4cb80e0000 pid=3768 clone guuid=d2da372e-1c00-0000-fd50-ac4cb70e0000 pid=3767->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con 54d92a3b-1447-55af-b534-047898c60c8d 1.1.1.1:53 guuid=d2da372e-1c00-0000-fd50-ac4cb70e0000 pid=3767->54d92a3b-1447-55af-b534-047898c60c8d send: 185B 51a553e2-ae0e-5eda-9e98-aa9e45810237 151.242.30.13:12121 guuid=d2da372e-1c00-0000-fd50-ac4cb70e0000 pid=3767->51a553e2-ae0e-5eda-9e98-aa9e45810237 send: 4B
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/667f97b5-2f55-4682-a77a-2f5e17c6176f
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1844126
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1844126 Sample: x86.elf Startdate: 03/01/2026 Architecture: LINUX Score: 80 40 169.254.169.254 USDOSUS Reserved 2->40 42 151.242.30.13, 12121, 56268 RASANAIR Iran (ISLAMIC Republic Of) 2->42 44 5 other IPs or domains 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for dropped file 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 2 other signatures 2->52 9 x86.elf 2->9         started        12 dash rm 2->12         started        14 dash rm 2->14         started        16 python3.8 dpkg 2->16         started        signatures3 process4 file5 38 /usr/local/bin/infinitd, ELF 9->38 dropped 18 x86.elf sh 9->18         started        20 x86.elf sh 9->20         started        22 x86.elf 9->22         started        24 2 other processes 9->24 process6 process7 26 sh systemctl 18->26         started        28 sh systemctl 20->28         started        30 x86.elf 22->30         started        32 x86.elf 22->32         started        34 x86.elf 24->34         started        process8 36 x86.elf 34->36         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/b8a196da57dbd7e5310c4e6206438207c2011559456da3624d1f8bbec839f3c0
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b8a196da57dbd7e5310c4e6206438207c2011559456da3624d1f8bbec839f3c0/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/b8a196da57dbd7e5310c4e6206438207c2011559456da3624d1f8bbec839f3c0
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-03 12:52:14 UTC
File Type:
ELF32 Little (Exe)
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcqznwsx3pl6kmimjzramq4ca7bacfkzivw2gysnd6f35sbz6paa._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet defense_evasion discovery linux persistence privilege_escalation
Link:
https://tria.ge/reports/260103-p3zszaxmbq/
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
Enumerates active TCP sockets
Modifies systemd
Write file to user bin folder
Writes file to system bin folder
Modifies Watchdog functionality
Mirai
Mirai family
Malware Config
C2 Extraction:
teamc2.duckdns.org
Verdict:
Malicious
Tags:
botnet mirai trojan gafgyt Unix.Trojan.Mirai-7100807-0
YARA:
Mirai_Botnet_Malware Linux_Trojan_Gafgyt_5bf62ce4 Linux_Trojan_Mirai_fa3ad9d0 Linux_Trojan_Mirai_b14f4c5d Linux_Trojan_Mirai_93fc3657 Linux_Trojan_Mirai_804f8e7c Linux_Trojan_Mirai_99d78950 Linux_Trojan_Mirai_a68e498c Linux_Trojan_Mirai_88de437f Linux_Trojan_Mirai_ae9d0fa6 Linux_Trojan_Mirai_389ee3e9 Linux_Trojan_Mirai_cc93863b Linux_Trojan_Mirai_8aa7b5d3
Link:
https://app.threat.zone/submission/da50bd29-ccf0-4e28-bd1a-1d9e2b6e8086
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b8a196da57dbd7e5310c4e6206438207c2011559456da3624d1f8bbec839f3c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Mirai
Create hunting rule
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Mirai_Generic
Create hunting rule
Author:albertzsigovits
Description:Generic Approach to Mirai/Gafgyt samples
Rule name:Linux_Trojan_Gafgyt_5bf62ce4
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_389ee3e9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_804f8e7c
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_88de437f
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_8aa7b5d3
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_93fc3657
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_99d78950
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_a68e498c
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_ae9d0fa6
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_b14f4c5d
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_cc93863b
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_fa3ad9d0
Create hunting rule
Author:Elastic Security
Rule name:Mirai_Botnet_Malware
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Mirai Botnet Malware
Reference:Internal Research
Rule name:Mirai_Botnet_Malware_RID2EF6
Create hunting rule
Author:Florian Roth
Description:Detects Mirai Botnet Malware
Reference:Internal Research
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 1c3e6df9446b59c6d4c02bee2ed00714897de782ce06818ce7f9d7f41b296055

Mirai

elf b8a196da57dbd7e5310c4e6206438207c2011559456da3624d1f8bbec839f3c0

(this sample)

  
Dropped by
SHA256 1c3e6df9446b59c6d4c02bee2ed00714897de782ce06818ce7f9d7f41b296055
  
URLhaus
https://urlhaus.abuse.ch/url/3722799/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 a79ba1c18a63265dd90c57b786b0a51e
  
URLhaus
https://urlhaus.abuse.ch/url/3719326/
  
URLhaus
https://urlhaus.abuse.ch/url/3722813/

Comments