MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb61ff20bf46854ba1a14f5840d623bd22a09df7316f6c4bd86a55dd04f85f58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb61ff20bf46854ba1a14f5840d623bd22a09df7316f6c4bd86a55dd04f85f58
SHA3-384 hash: 852a7eb350c80a2f8e6a94842dab0bd8bc8772229f951e329198ad9a5ead4a4e50268d3a93734f1c2c04db303a13304a
SHA1 hash: a88e51d6dae88e76a601e0bc67a6da9a11a76c5e
MD5 hash: 01f16797629288066ac530c8cbe02568
humanhash: delta-carbon-monkey-september
File name:x86_64
Download: download sample
Signature Mirai
Create hunting rule
File size:2'437'728 bytes
First seen:2026-04-01 22:56:28 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 49152:Z4dsfmbwyjoNYOhqdMaDQREx9XItpw1nvoZIt4z2jdDRFx6h8:A2dh2MQyC94tgnAe40dFMh8
TLSH T1BCB533F648A8036F69845BDC5BCA77D0867F8000AA5CF1C19C5978C75C34BEB6E0B72A
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai UPX
File size (compressed) :2'437'728 bytes
File size (de-compressed) :5'669'928 bytes
Format:linux/amd64
Unpacked file: af5195e882ab3ab966730dd022119a4c5d996245f6fef56ee4ba458dd73da8ea

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
DE DE
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Collects information on the CPU
Sets a written file as executable
Changes the time when the file was created, accessed, or modified
Opens a port
Creating a file
Locks files
Runs as daemon
Changes access rights for a written file
Manages services
Creating a process from a recently created file
Kills processes
Creating a file in the %temp% directory
Writes files to system directory
Substitutes an application name
Creates or modifies files in /cron to set up autorun
Creates or modifies files in /init.d to set up autorun
Creates or modifies files to set up autorun
Creates or modifies symbolic links in /init.d to set up autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
hajime packed upx
Link:
https://www.filescan.io/uploads/69cda2c92346b9da57b7fc94/reports/5b3142fe-6aba-44ad-a033-471097328e1a/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
UPX
Botnet:
unknown
Number of open files:
8
Number of processes launched:
3
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/bb61ff20bf46854ba1a14f5840d623bd22a09df7316f6c4bd86a55dd04f85f58
Behaviour
Persistence
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Gathering data
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/9c9552c7-44ed-4493-9d39-c39ba210993a
Behavior Graph:
Download SVG
%3 guuid=4c8442fc-1600-0000-22b2-aa777a0d0000 pid=3450 /usr/bin/sudo guuid=97eeabfe-1600-0000-22b2-aa77810d0000 pid=3457 /tmp/sample.bin mprotect-exec write-config write-file guuid=4c8442fc-1600-0000-22b2-aa777a0d0000 pid=3450->guuid=97eeabfe-1600-0000-22b2-aa77810d0000 pid=3457 execve guuid=895feb07-1700-0000-22b2-aa779c0d0000 pid=3484 /tmp/sample.bin guuid=97eeabfe-1600-0000-22b2-aa77810d0000 pid=3457->guuid=895feb07-1700-0000-22b2-aa779c0d0000 pid=3484 clone guuid=7a6edc14-1700-0000-22b2-aa77ad0d0000 pid=3501 /usr/bin/dash guuid=97eeabfe-1600-0000-22b2-aa77810d0000 pid=3457->guuid=7a6edc14-1700-0000-22b2-aa77ad0d0000 pid=3501 execve guuid=da97e748-1700-0000-22b2-aa77350e0000 pid=3637 /usr/bin/dash guuid=97eeabfe-1600-0000-22b2-aa77810d0000 pid=3457->guuid=da97e748-1700-0000-22b2-aa77350e0000 pid=3637 execve guuid=f582cc6c-1700-0000-22b2-aa779d0e0000 pid=3741 /usr/bin/dash guuid=97eeabfe-1600-0000-22b2-aa77810d0000 pid=3457->guuid=f582cc6c-1700-0000-22b2-aa779d0e0000 pid=3741 execve guuid=49db207b-1700-0000-22b2-aa77db0e0000 pid=3803 /usr/bin/dash guuid=97eeabfe-1600-0000-22b2-aa77810d0000 pid=3457->guuid=49db207b-1700-0000-22b2-aa77db0e0000 pid=3803 execve guuid=0e1c27ae-1700-0000-22b2-aa779c0f0000 pid=3996 /usr/bin/dash guuid=97eeabfe-1600-0000-22b2-aa77810d0000 pid=3457->guuid=0e1c27ae-1700-0000-22b2-aa779c0f0000 pid=3996 execve guuid=7519cbb6-1700-0000-22b2-aa77c70f0000 pid=4039 /tmp/sample.bin zombie guuid=97eeabfe-1600-0000-22b2-aa77810d0000 pid=3457->guuid=7519cbb6-1700-0000-22b2-aa77c70f0000 pid=4039 clone guuid=66231708-1700-0000-22b2-aa77a00d0000 pid=3488 /tmp/sample.bin guuid=895feb07-1700-0000-22b2-aa779c0d0000 pid=3484->guuid=66231708-1700-0000-22b2-aa77a00d0000 pid=3488 clone guuid=1393aaf6-1700-0000-22b2-aa7779100000 pid=4217 /tmp/sample.bin mprotect-exec guuid=895feb07-1700-0000-22b2-aa779c0d0000 pid=3484->guuid=1393aaf6-1700-0000-22b2-aa7779100000 pid=4217 execve guuid=a2232115-1700-0000-22b2-aa77af0d0000 pid=3503 /usr/bin/systemctl guuid=7a6edc14-1700-0000-22b2-aa77ad0d0000 pid=3501->guuid=a2232115-1700-0000-22b2-aa77af0d0000 pid=3503 execve guuid=7d630e49-1700-0000-22b2-aa77360e0000 pid=3638 /usr/bin/systemctl guuid=da97e748-1700-0000-22b2-aa77350e0000 pid=3637->guuid=7d630e49-1700-0000-22b2-aa77360e0000 pid=3638 execve guuid=9bfcfb6c-1700-0000-22b2-aa779f0e0000 pid=3743 /usr/bin/systemctl guuid=f582cc6c-1700-0000-22b2-aa779d0e0000 pid=3741->guuid=9bfcfb6c-1700-0000-22b2-aa779f0e0000 pid=3743 execve guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1 /usr/lib/systemd/systemd guuid=fb30386e-1700-0000-22b2-aa77a50e0000 pid=3749 /usr/lib/.libsystemd.so mprotect-exec guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1->guuid=fb30386e-1700-0000-22b2-aa77a50e0000 pid=3749 execve guuid=5e3978a7-1800-0000-22b2-aa772f120000 pid=4655 /usr/lib/.libsystemd.so mprotect-exec guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1->guuid=5e3978a7-1800-0000-22b2-aa772f120000 pid=4655 execve guuid=e10df3ed-1900-0000-22b2-aa77b9140000 pid=5305 /usr/lib/.libsystemd.so mprotect-exec guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1->guuid=e10df3ed-1900-0000-22b2-aa77b9140000 pid=5305 execve guuid=6e7fa735-1b00-0000-22b2-aa77c1140000 pid=5313 /usr/lib/.libsystemd.so mprotect-exec guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1->guuid=6e7fa735-1b00-0000-22b2-aa77c1140000 pid=5313 execve guuid=a735937d-1c00-0000-22b2-aa77e2140000 pid=5346 /usr/lib/.libsystemd.so mprotect-exec guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1->guuid=a735937d-1c00-0000-22b2-aa77e2140000 pid=5346 execve guuid=76d389b6-1d00-0000-22b2-aa77e3140000 pid=5347 /usr/lib/.libsystemd.so mprotect-exec guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1->guuid=76d389b6-1d00-0000-22b2-aa77e3140000 pid=5347 execve guuid=ac8471ef-1e00-0000-22b2-aa77e4140000 pid=5348 /usr/lib/.libsystemd.so mprotect-exec guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1->guuid=ac8471ef-1e00-0000-22b2-aa77e4140000 pid=5348 execve guuid=0c338a28-2000-0000-22b2-aa77e5140000 pid=5349 /usr/lib/.libsystemd.so mprotect-exec guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1->guuid=0c338a28-2000-0000-22b2-aa77e5140000 pid=5349 execve guuid=e9e64e61-2100-0000-22b2-aa77e6140000 pid=5350 /usr/lib/.libsystemd.so mprotect-exec guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1->guuid=e9e64e61-2100-0000-22b2-aa77e6140000 pid=5350 execve guuid=1132d499-2200-0000-22b2-aa77e7140000 pid=5351 /usr/lib/.libsystemd.so mprotect-exec guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1->guuid=1132d499-2200-0000-22b2-aa77e7140000 pid=5351 execve guuid=ba621fd3-2300-0000-22b2-aa77e8140000 pid=5352 /usr/lib/.libsystemd.so mprotect-exec guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1->guuid=ba621fd3-2300-0000-22b2-aa77e8140000 pid=5352 execve guuid=de33c70b-2500-0000-22b2-aa77f3140000 pid=5363 /usr/lib/.libsystemd.so mprotect-exec guuid=2fdaba13-0000-0000-22b2-aa7701000000 pid=1->guuid=de33c70b-2500-0000-22b2-aa77f3140000 pid=5363 execve guuid=a1c2507b-1700-0000-22b2-aa77dc0e0000 pid=3804 /usr/sbin/update-rc.d guuid=49db207b-1700-0000-22b2-aa77db0e0000 pid=3803->guuid=a1c2507b-1700-0000-22b2-aa77dc0e0000 pid=3804 execve guuid=4e54cc7c-1700-0000-22b2-aa77e20e0000 pid=3810 /usr/bin/systemctl guuid=a1c2507b-1700-0000-22b2-aa77dc0e0000 pid=3804->guuid=4e54cc7c-1700-0000-22b2-aa77e20e0000 pid=3810 execve guuid=218f5cae-1700-0000-22b2-aa779e0f0000 pid=3998 /usr/bin/dash guuid=0e1c27ae-1700-0000-22b2-aa779c0f0000 pid=3996->guuid=218f5cae-1700-0000-22b2-aa779e0f0000 pid=3998 clone guuid=0b1363ae-1700-0000-22b2-aa779f0f0000 pid=3999 /usr/bin/dash guuid=0e1c27ae-1700-0000-22b2-aa779c0f0000 pid=3996->guuid=0b1363ae-1700-0000-22b2-aa779f0f0000 pid=3999 clone guuid=7bd971ae-1700-0000-22b2-aa77a00f0000 pid=4000 /usr/bin/dash guuid=218f5cae-1700-0000-22b2-aa779e0f0000 pid=3998->guuid=7bd971ae-1700-0000-22b2-aa77a00f0000 pid=4000 clone guuid=91e876ae-1700-0000-22b2-aa77a10f0000 pid=4001 /usr/bin/grep guuid=218f5cae-1700-0000-22b2-aa779e0f0000 pid=3998->guuid=91e876ae-1700-0000-22b2-aa77a10f0000 pid=4001 execve guuid=7519cbb6-1700-0000-22b2-aa77c70f0000 pid=4040 /tmp/sample.bin guuid=7519cbb6-1700-0000-22b2-aa77c70f0000 pid=4039->guuid=7519cbb6-1700-0000-22b2-aa77c70f0000 pid=4040 clone
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/755712ef-cd76-46cc-9e2a-512ddc93e954
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/bb61ff20bf46854ba1a14f5840d623bd22a09df7316f6c4bd86a55dd04f85f58
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bb61ff20bf46854ba1a14f5840d623bd22a09df7316f6c4bd86a55dd04f85f58/
Threat name:
Linux.Exploit.CVE-2021-36260
Create hunting rule
Status:
Malicious
First seen:
2026-04-01 22:57:22 UTC
File Type:
ELF64 Little (Exe)
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xnq76if7i2cuxinbj5mebvrdxurkbhpxgfxwys6ynjk52bhyl5ma._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
defense_evasion discovery execution linux persistence privilege_escalation upx
Link:
https://tria.ge/reports/260401-2xb6yacv6w/
Behaviour
Reads runtime system information
Writes file to shm directory
Writes file to tmp directory
Changes its process name
Reads CPU attributes
Modifies Bash startup script
UPX packed file
Creates/modifies Cron job
Creates/modifies environment variables
Modifies init.d
Modifies rc script
Modifies systemd
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb61ff20bf46854ba1a14f5840d623bd22a09df7316f6c4bd86a55dd04f85f58

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf bb61ff20bf46854ba1a14f5840d623bd22a09df7316f6c4bd86a55dd04f85f58

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3808217/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3795971/

Comments