MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9e7d4f2be1e68f3c47dac1d59edef69ce21ac3af8a27c0b8d3b3310a0024727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b9e7d4f2be1e68f3c47dac1d59edef69ce21ac3af8a27c0b8d3b3310a0024727
SHA3-384 hash: a0f7b2d78ce22b0b7f9060f961d09237c7906e4aaf82e2cdc6be7d1582550f9443aeb8d73c302c8da906c30fe75f0222
SHA1 hash: ca98d7f0b9e2a1b4d208b2d9a297ebf7e67ea76d
MD5 hash: 397fc15607929046974259b784326677
humanhash: fifteen-edward-glucose-grey
File name:ecco.mips
Download: download sample
Signature Mirai
Create hunting rule
File size:88'968 bytes
First seen:2025-12-05 17:12:10 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:JrIyS3LrnhTmuNEclnmJIFRqNGFY9ANX2kGVIC7ySEE/C7j9ztVgaVETVJuV:JMyGLrnhTmuqc9mJAEN+7ETEE/ClwaVZ
TLSH T16D9302480B92143AED02D1B21BB78E717AE00F7CA743E806397A5E956E5C0DB7C42777
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai UPX
File size (compressed) :88'968 bytes
File size (de-compressed) :327'936 bytes
Format:linux/mips
Unpacked file: 186c3eb179dda9525852c81b591d4259ccfc5c0d36eaa234af6eb4e4cbcf5b96

Intelligence

File Origin
# of uploads :
1
# of downloads :
54
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/6e2123f8-a14f-4167-8707-5a97a47fef72/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade mirai packed upx
Link:
https://www.filescan.io/uploads/693312726019bc7a8f8188e9/reports/8db8728d-a078-4fc2-bd7f-16fbe88cba1c/overview
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2025-12-05T11:43:00Z UTC
Last seen:
2025-12-05T14:24:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Linux.Mirai.b HEUR:Backdoor.Linux.Gafgyt.cn HEUR:Exploit.Linux.Netgear.a HEUR:Exploit.Linux.DLink.b HEUR:Backdoor.Linux.Mirai.r HEUR:Exploit.Linux.Netgear.b HEUR:Exploit.Linux.Mvpower.a HEUR:Backdoor.Linux.Mirai.h HEUR:Backdoor.Linux.Mirai.cw HEUR:Exploit.Linux.Vacron.a HEUR:Exploit.Linux.DLink.a HEUR:Exploit.Linux.CVE-2018-10561.a HEUR:Exploit.Linux.CVE-2017-17215.a HEUR:Backdoor.Linux.Gafgyt.bj HEUR:Exploit.Linux.CVE-2014-8361.a
Link:
https://opentip.kaspersky.com/b9e7d4f2be1e68f3c47dac1d59edef69ce21ac3af8a27c0b8d3b3310a0024727/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6b46c61b-2192-47e8-909c-0cfcd88d3d66
Result
Threat name:
Mirai, Gafgyt
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1827439
Signature
Deletes system log files
Detected Mirai
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Malicious sample detected (through community Yara rule)
Manipulation of devices in /dev
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Suricata IDS alerts for network traffic
Yara detected Gafgyt
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1827439 Sample: ecco.mips.elf Startdate: 05/12/2025 Architecture: LINUX Score: 100 79 90.254.90.182 VodafoneGB United Kingdom 2->79 81 152.91.209.7 VZB-AU-ASVerizonAustraliaPTYLimitedAU Australia 2->81 83 98 other IPs or domains 2->83 91 Suricata IDS alerts for network traffic 2->91 93 Malicious sample detected (through community Yara rule) 2->93 95 Detected Mirai 2->95 97 4 other signatures 2->97 12 ecco.mips.elf 2->12         started        signatures3 process4 process5 14 ecco.mips.elf 12->14         started        process6 16 ecco.mips.elf 14->16         started        file7 69 /etc/init.d/sysd, POSIX 16->69 dropped 85 Sample tries to set files in /etc globally writable 16->85 87 Drops files in suspicious directories 16->87 89 Sample tries to persist itself using System V runlevels 16->89 20 ecco.mips.elf 16->20         started        22 ecco.mips.elf 16->22         started        25 ecco.mips.elf sh 16->25         started        signatures8 process9 file10 27 ecco.mips.elf 20->27         started        29 ecco.mips.elf sh 20->29         started        31 ecco.mips.elf 20->31         started        40 4 other processes 20->40 71 /usr/Bin), ELF 22->71 dropped 34 ecco.mips.elf sh 22->34         started        36 ecco.mips.elf 22->36         started        38 sh cp 25->38         started        process11 signatures12 56 920 other processes 27->56 42 sh crontab 29->42         started        46 sh 29->46         started        107 Manipulation of devices in /dev 31->107 109 Deletes system log files 31->109 48 sh crontab 34->48         started        50 sh 34->50         started        58 68 other processes 36->58 52 ecco.mips.elf 40->52         started        54 ecco.mips.elf 40->54         started        60 3 other processes 40->60 process13 file14 73 /var/spool/cron/crontabs/tmp.fzbA4U, ASCII 42->73 dropped 62 sh crontab 46->62         started        75 /var/spool/cron/cr...mp.jG2UCU (deleted), ASCII 48->75 dropped 77 /dev/null (deleted), ASCII 48->77 dropped 99 Manipulation of devices in /dev 48->99 101 Sample tries to persist itself using cron 48->101 103 Executes the "crontab" command typically for achieving persistence 48->103 65 sh crontab 50->65         started        67 ecco.mips.elf 54->67         started        signatures15 process16 signatures17 105 Executes the "crontab" command typically for achieving persistence 62->105
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/b9e7d4f2be1e68f3c47dac1d59edef69ce21ac3af8a27c0b8d3b3310a0024727
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b9e7d4f2be1e68f3c47dac1d59edef69ce21ac3af8a27c0b8d3b3310a0024727/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/b9e7d4f2be1e68f3c47dac1d59edef69ce21ac3af8a27c0b8d3b3310a0024727
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-12-05 17:12:21 UTC
File Type:
ELF32 Big (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xht5j4v6dzuphrd5vqovt3ppnhhcdlb27crhyc4nhmzrbiaci4tq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet defense_evasion discovery execution persistence privilege_escalation upx
Link:
https://tria.ge/reports/251205-vqzv4adp2y/
Behaviour
Reads runtime system information
System Network Configuration Discovery
Changes its process name
UPX packed file
Creates/modifies Cron job
Deletes log files
Enumerates running processes
Modifies init.d
Modifies rc script
Writes file to system bin folder
Deletes Audit logs
Deletes system logs
Modifies Watchdog functionality
Contacts a large (105842) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7c0be1fa-4caf-4014-97f5-2e3be97959e3
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b9e7d4f2be1e68f3c47dac1d59edef69ce21ac3af8a27c0b8d3b3310a0024727

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf b9e7d4f2be1e68f3c47dac1d59edef69ce21ac3af8a27c0b8d3b3310a0024727

(this sample)

Mirai

elf 186c3eb179dda9525852c81b591d4259ccfc5c0d36eaa234af6eb4e4cbcf5b96

  
URLhaus
https://urlhaus.abuse.ch/url/3725560/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 186c3eb179dda9525852c81b591d4259ccfc5c0d36eaa234af6eb4e4cbcf5b96
  
Dropping
MD5 4eb4aa13aa6b2f9e4253cde6d0207abc
  
URLhaus
https://urlhaus.abuse.ch/url/3727061/

Comments