MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baf5208fddbb85feddf5c52684671059656d59b7e72243840d90fe47831c1237. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: baf5208fddbb85feddf5c52684671059656d59b7e72243840d90fe47831c1237
SHA3-384 hash: 628239d09f88d1addb5a35d27d1d517bac28f5413ba4c049ed49f0eb7c3ef2501f6af678b53adce0d938ef89f5b782e7
SHA1 hash: 1711046c86001ac0d5ccd671d85b80d135a6b670
MD5 hash: f5f81e9c07f7b5a72e80a3f93973847f
humanhash: yellow-idaho-two-north
File name:0.ppc
Download: download sample
Signature Mirai
Create hunting rule
File size:21'312 bytes
First seen:2025-12-25 01:27:52 UTC
Last seen:2025-12-26 00:17:49 UTC
File type: elf
MIME type:application/x-executable
ssdeep 384:4UL7JIgYJcmNjagkKSwqbdA50kvZff8Cgua6MIv9GTRiSrkV64DFM4uVcqgw05Vz:vylvLSwqbdCVf8rua6MS9KiSh4Dq4uVW
TLSH T1B8A2D0B0CAE57E92D6EBEC315CD4D9D417E81DD52E2A0AF934C56341A20A636FB04CD4
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai UPX
File size (compressed) :21'312 bytes
File size (de-compressed) :51'636 bytes
Format:linux/ppc32
Unpacked file: 09cf198529a81088ec17999541b24a634b784da7f97e4e8bc285c9597d0f4fec

Intelligence

File Origin
# of uploads :
3
# of downloads :
102
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/5f929d05-17a3-447a-b3c6-1c8220367671/
Detection(s):
Unix.Trojan.Mirai-9936831-0
Create hunting rule

Verdict:
Malicious
File Type:
elf.32.be
First seen:
2025-12-24T22:46:00Z UTC
Last seen:
2025-12-25T12:48:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/baf5208fddbb85feddf5c52684671059656d59b7e72243840d90fe47831c1237/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/ba2fee7d-2456-4e8f-96d5-0c48150ae408
Behavior Graph:
Download SVG
%3 guuid=e656daf6-1a00-0000-92f9-ccdd920c0000 pid=3218 /usr/bin/sudo guuid=839663fa-1a00-0000-92f9-ccdd930c0000 pid=3219 /tmp/sample.bin guuid=e656daf6-1a00-0000-92f9-ccdd920c0000 pid=3218->guuid=839663fa-1a00-0000-92f9-ccdd930c0000 pid=3219 execve guuid=06e6ddfb-1a00-0000-92f9-ccdd950c0000 pid=3221 /usr/bin/dash guuid=839663fa-1a00-0000-92f9-ccdd930c0000 pid=3219->guuid=06e6ddfb-1a00-0000-92f9-ccdd950c0000 pid=3221 clone guuid=f226ebfb-1a00-0000-92f9-ccdd960c0000 pid=3222 /usr/bin/dash guuid=839663fa-1a00-0000-92f9-ccdd930c0000 pid=3219->guuid=f226ebfb-1a00-0000-92f9-ccdd960c0000 pid=3222 clone guuid=aae3fcfb-1a00-0000-92f9-ccdd970c0000 pid=3223 /usr/bin/dash guuid=839663fa-1a00-0000-92f9-ccdd930c0000 pid=3219->guuid=aae3fcfb-1a00-0000-92f9-ccdd970c0000 pid=3223 clone guuid=c91f63fc-1a00-0000-92f9-ccdd990c0000 pid=3225 /usr/bin/dash guuid=839663fa-1a00-0000-92f9-ccdd930c0000 pid=3219->guuid=c91f63fc-1a00-0000-92f9-ccdd990c0000 pid=3225 clone guuid=1fc370fc-1a00-0000-92f9-ccdd9a0c0000 pid=3226 /usr/bin/dash zombie guuid=839663fa-1a00-0000-92f9-ccdd930c0000 pid=3219->guuid=1fc370fc-1a00-0000-92f9-ccdd9a0c0000 pid=3226 clone guuid=a10e85fc-1a00-0000-92f9-ccdd9b0c0000 pid=3227 /usr/bin/dash guuid=839663fa-1a00-0000-92f9-ccdd930c0000 pid=3219->guuid=a10e85fc-1a00-0000-92f9-ccdd9b0c0000 pid=3227 clone guuid=4a8cc2fc-1a00-0000-92f9-ccdd9c0c0000 pid=3228 /usr/bin/dash guuid=839663fa-1a00-0000-92f9-ccdd930c0000 pid=3219->guuid=4a8cc2fc-1a00-0000-92f9-ccdd9c0c0000 pid=3228 clone guuid=0f7408fc-1a00-0000-92f9-ccdd980c0000 pid=3224 /usr/bin/dash guuid=06e6ddfb-1a00-0000-92f9-ccdd950c0000 pid=3221->guuid=0f7408fc-1a00-0000-92f9-ccdd980c0000 pid=3224 clone
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/29fcf58f-efb9-4a40-9140-77b57741e23f
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1839158
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample tries to kill multiple processes (SIGKILL)
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1839158 Sample: 0.ppc.elf Startdate: 25/12/2025 Architecture: LINUX Score: 80 24 169.254.169.254, 80 USDOSUS Reserved 2->24 26 176.97.210.242, 3778, 51322 ASOSKNETCZ Russian Federation 2->26 28 daisy.ubuntu.com 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 2 other signatures 2->36 7 0.ppc.elf 2->7         started        9 xfce4-panel wrapper-2.0 2->9         started        11 xfce4-panel wrapper-2.0 2->11         started        13 7 other processes 2->13 signatures3 process4 process5 15 0.ppc.elf 7->15         started        18 0.ppc.elf 7->18         started        20 0.ppc.elf 7->20         started        22 wrapper-2.0 xfpm-power-backlight-helper 9->22         started        signatures6 38 Sample tries to kill multiple processes (SIGKILL) 15->38
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/baf5208fddbb85feddf5c52684671059656d59b7e72243840d90fe47831c1237
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/baf5208fddbb85feddf5c52684671059656d59b7e72243840d90fe47831c1237/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-12-25 01:29:19 UTC
File Type:
ELF32 Big (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xl2sbd65xoc75xpvyutiizyqlfsw2wnx44rehbansd7epay4ci3q._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
linux upx
Link:
https://tria.ge/reports/251225-bv6pnabs4b/
Verdict:
Malicious
Tags:
Unix.Trojan.Mirai-9936831-0
YARA:
n/a
Link:
https://app.threat.zone/submission/b172e5f5-1620-4e16-8f15-0d19eaf75b1f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/baf5208fddbb85feddf5c52684671059656d59b7e72243840d90fe47831c1237

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf baf5208fddbb85feddf5c52684671059656d59b7e72243840d90fe47831c1237

(this sample)

Mirai

elf 09cf198529a81088ec17999541b24a634b784da7f97e4e8bc285c9597d0f4fec

  
URLhaus
https://urlhaus.abuse.ch/url/3742927/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 09cf198529a81088ec17999541b24a634b784da7f97e4e8bc285c9597d0f4fec
  
Dropping
MD5 445399044b61e715ccc618bae803c27c

Comments