MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be29498560c7df27cc643e4c5eca3098afa2e3c7ceee0a34e00e130ebbcda824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

Intelligence 8 IOCs YARA 14 File information Comments

SHA256 hash:	be29498560c7df27cc643e4c5eca3098afa2e3c7ceee0a34e00e130ebbcda824
SHA3-384 hash:	b0b25e89ff3aa467769ed0d95a0e508a9c8786df5b859119f1a252b2d90d523db6dc251303c905f36cf9eb2d8903d0b3
SHA1 hash:	6d148783678292c98dbb70b68f0aa0a0b56c9129
MD5 hash:	0024b10c17ee655d4a3bff52a35d8be8
humanhash:	alpha-undress-earth-arkansas
File name:	manji.dbg
Download:	download sample
Signature	Mirai Create hunting rule
File size:	65'296 bytes
First seen:	2026-04-28 20:28:01 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	1536:Jovs7uPHD1KdSIYTeOrBq8aUEwN1a6z5xFR:+vs7uL1KlYTZBbMwNFz5DR
TLSH	T1B5535C1BA58180FCC19DC2B80B66763FE97372FD0239F2BA97D4EA365D45D204E6E508
telfhash	t1af210ea139a91e60e1e7f076b31af52058641f6008f279f2c07669efd711bc30a7e827
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf gafgyt mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.Siggen.9999-9.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Receives data from a server

Opens a port

Sends data to a server

Creating a file

Collects information on the CPU

Connection attempt

Substitutes an application name

Gathering data

Verdict:

Malicious

Uses P2P?:

false

Uses anti-vm?:

true

Architecture:

x86

Packer:

not packed

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

true

Remote TCP ports scanned:

not identified

Full report:

https://elfdigest.com/brief/be29498560c7df27cc643e4c5eca3098afa2e3c7ceee0a34e00e130ebbcda824

Behaviour

Anti-VM

Process Renaming

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

not identified

Result

Gathering data

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/7841f537-6a59-4d83-81b9-0a2753057c7a

Behavior Graph:

Download SVG

Malware family:

Mirai

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1157da39-b2f7-4a42-8b87-a17af56d24cc

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/be29498560c7df27cc643e4c5eca3098afa2e3c7ceee0a34e00e130ebbcda824

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/be29498560c7df27cc643e4c5eca3098afa2e3c7ceee0a34e00e130ebbcda824/

Threat name:

Linux.Backdoor.Gafgyt

Status:

Malicious

First seen:

2026-04-28 20:29:41 UTC

File Type:

ELF64 Little (Exe)

AV detection:

10 of 36 (27.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xyuutblay7psptdehzgf5srqtcx2fy6hz3xaunhabyjq5o6nvasa._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai antivm botnet linux

Link:

https://tria.ge/reports/260428-y9al4aev3y/

Behaviour

Changes its process name

Checks CPU configuration

Malware Config

C2 Extraction:

boats.dogmuncher.xyz

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	ELF_Toriilike_persist Create hunting rule
Author:	4r4
Description:	Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:	Identified via researched data

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	Linux_Trojan_Gafgyt_33b4111a Create hunting rule
Author:	Elastic Security

Rule name:	Linux_Trojan_Gafgyt_620087b9 Create hunting rule
Author:	Elastic Security

Rule name:	Linux_Trojan_Gafgyt_807911a2 Create hunting rule
Author:	Elastic Security

Rule name:	Linux_Trojan_Gafgyt_9e9530a7 Create hunting rule
Author:	Elastic Security

Rule name:	Linux_Trojan_Gafgyt_d4227dbf Create hunting rule
Author:	Elastic Security

Rule name:	Linux_Trojan_Gafgyt_d996d335 Create hunting rule
Author:	Elastic Security

Rule name:	Linux_Trojan_Mirai_1e0c5ce0 Create hunting rule
Author:	Elastic Security

Rule name:	Linux_Trojan_Mirai_e0cf29e2 Create hunting rule
Author:	Elastic Security

Rule name:	MatchByteSequence Create hunting rule
Author:	Generated by ChatGPT
Description:	Rule to match specific byte sequence: 89 C8 C1 E8 08 31 D1 31 C8

Rule name:	TH_Generic_MassHunt_Linux_Malware_2026_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Linux malware mass-hunt rule - 2026
Reference:	https://cyfare.net/

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf be29498560c7df27cc643e4c5eca3098afa2e3c7ceee0a34e00e130ebbcda824

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3834065/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample