MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c15f19e255d49e9ff8d7e253eec6c1e9ed0c51a37c0c829d04c602241935c225. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 13


Intelligence 13 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c15f19e255d49e9ff8d7e253eec6c1e9ed0c51a37c0c829d04c602241935c225
SHA3-384 hash: 01ea6de94389787d184a231bbd73d70c7c939b8a932bf7bb865cdbeaebfc391da4c3cdee62589541de3c5d529a354048
SHA1 hash: 7854a5bd0c46cb2052f655b1e7ed16027dccfcef
MD5 hash: 19614b4e24e130a767e543993b6404e8
humanhash: uncle-north-london-dakota
File name:dwhdbg
Download: download sample
Signature Mirai
Create hunting rule
File size:172'264 bytes
First seen:2024-11-21 21:56:09 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:aDA3eZQ664Vk76FLH2V4xKvx+czc/HC++FtMMFUKUYaoH5ZzEpTY8Y:aDA3eZQ66+k76F72V4TVi/v9aFY8
TLSH T15FF35B17B5D0D4FDC0CAC1745BAEA537ED71F0AD1238B21B1BD0AE222E4EE715A2DA44
telfhash t1bc51ec703c863d9861ebdb2a735fe5eaf87109414ae171e58d3799d5ce027c40d720a2
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28880.LC.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.29325.LC.Pl.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Mirai-81.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28886.LC.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30423.LX.BOT.UNOFFICIAL
Create hunting rule

Unix.Dropper.Mirai-7540662-0
Create hunting rule

Unix.Trojan.Mirai-9441505-0
Create hunting rule

Unix.Trojan.Mirai-9970440-0
Create hunting rule

Unix.Trojan.Mirai-10011027-0
Create hunting rule

Unix.Trojan.Mirai-10011918-0
Create hunting rule

Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673fad50b31374f098334004linux22vpnfull_triage
Tags:
phishing
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sends data to a server
Connection attempt
Creating a file
DNS request
Opens a port
Kills processes
Substitutes an application name
Deleting of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug bash lolbin remote
Link:
https://www.filescan.io/uploads/673facb4a5bb1773f641740e/reports/5ea4f04c-8199-48a8-a476-cecdef672993/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
44
Number of processes launched:
2
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/c15f19e255d49e9ff8d7e253eec6c1e9ed0c51a37c0c829d04c602241935c225
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0bde95c8-a53b-4c99-ad81-2299a1db8804
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1560552
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill a massive number of system processes
Sample tries to kill multiple processes (SIGKILL)
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1560552 Sample: dwhdbg.elf Startdate: 21/11/2024 Architecture: LINUX Score: 100 138 ksdjwi.eye-network.ru 154.216.16.109, 33966, 48286, 48626 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 2->138 140 89.190.156.145, 37432, 37436, 37438 HOSTUS-GLOBAL-ASHostUSHK United Kingdom 2->140 142 Malicious sample detected (through community Yara rule) 2->142 144 Antivirus / Scanner detection for submitted sample 2->144 146 Multi AV Scanner detection for submitted file 2->146 148 2 other signatures 2->148 13 systemd gdm3 2->13         started        15 systemd gdm3 2->15         started        17 systemd systemd 2->17         started        19 59 other processes 2->19 signatures3 process4 file5 23 gdm3 gdm-session-worker 13->23         started        25 gdm3 gdm-session-worker 13->25         started        34 3 other processes 13->34 27 gdm3 gdm-session-worker 15->27         started        29 gdm3 gdm-session-worker 15->29         started        36 4 other processes 15->36 38 5 other processes 17->38 136 /var/log/wtmp, data 19->136 dropped 150 Sample deletes itself 19->150 152 Sample reads /proc/mounts (often used for finding a writable filesystem) 19->152 154 Reads system files that contain records of logged in users 19->154 31 dwhdbg.elf 19->31         started        40 43 other processes 19->40 signatures6 process7 signatures8 42 gdm-session-worker gdm-x-session 23->42         started        44 gdm-session-worker gdm-wayland-session 25->44         started        46 gdm-session-worker gdm-wayland-session 27->46         started        48 gdm-session-worker gdm-x-session 29->48         started        162 Sample tries to kill a massive number of system processes 31->162 164 Sample tries to kill multiple processes (SIGKILL) 31->164 56 2 other processes 31->56 166 Sample reads /proc/mounts (often used for finding a writable filesystem) 38->166 50 systemd 30-systemd-environment-d-generator 38->50         started        52 language-validate language-options 40->52         started        54 language-validate language-options 40->54         started        58 33 other processes 40->58 process9 process10 60 gdm-x-session dbus-run-session 42->60         started        72 2 other processes 42->72 62 gdm-wayland-session dbus-run-session 44->62         started        64 gdm-wayland-session dbus-run-session 46->64         started        74 3 other processes 48->74 66 language-options sh 52->66         started        68 language-options sh 54->68         started        76 2 other processes 56->76 70 language-options sh 58->70         started        process11 78 dbus-run-session dbus-daemon 60->78         started        81 dbus-run-session gnome-session gnome-session-binary 60->81         started        85 2 other processes 62->85 87 2 other processes 64->87 89 2 other processes 66->89 91 2 other processes 68->91 93 2 other processes 70->93 83 Xorg sh 72->83         started        95 3 other processes 74->95 signatures12 158 Sample tries to kill multiple processes (SIGKILL) 78->158 160 Sample reads /proc/mounts (often used for finding a writable filesystem) 78->160 97 dbus-daemon 78->97         started        105 7 other processes 78->105 99 gnome-session-binary gnome-session-check-accelerated 81->99         started        107 2 other processes 81->107 101 sh xkbcomp 83->101         started        109 9 other processes 85->109 103 dbus-daemon 87->103         started        111 8 other processes 87->111 113 2 other processes 95->113 process13 process14 115 dbus-daemon at-spi-bus-launcher 97->115         started        125 2 other processes 99->125 117 dbus-daemon false 103->117         started        127 7 other processes 105->127 129 7 other processes 109->129 119 dbus-daemon false 111->119         started        121 dbus-daemon false 111->121         started        123 dbus-daemon false 111->123         started        131 3 other processes 111->131 process15 133 at-spi-bus-launcher dbus-daemon 115->133         started        signatures16 156 Sample reads /proc/mounts (often used for finding a writable filesystem) 133->156
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/c15f19e255d49e9ff8d7e253eec6c1e9ed0c51a37c0c829d04c602241935c225
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c15f19e255d49e9ff8d7e253eec6c1e9ed0c51a37c0c829d04c602241935c225/
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2024-11-21 21:57:19 UTC
File Type:
ELF64 Little (Exe)
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yfprtysv2spj76gx4jj65rwb5hwqyundpqgifhieyybcigjvyisq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:botnet discovery linux
Link:
https://tria.ge/reports/241121-2fbtvaylft/
Behaviour
Reads runtime system information
Changes its process name
Enumerates running processes
Deletes itself
Malware Config
C2 Extraction:
boats.dogmuncher.xyz
Verdict:
Malicious
Tags:
trojan mirai gafgyt Unix.Dropper.Mirai-7540662-0
YARA:
Linux_Trojan_Gafgyt_28a2fe0c Linux_Trojan_Gafgyt_9e9530a7 Linux_Trojan_Gafgyt_807911a2 Linux_Trojan_Gafgyt_d4227dbf Linux_Trojan_Gafgyt_d996d335 Linux_Trojan_Gafgyt_d0c57a2e Linux_Trojan_Gafgyt_620087b9 Linux_Trojan_Gafgyt_0cd591cd Linux_Trojan_Gafgyt_33b4111a Linux_Trojan_Gafgyt_a33a8363 Linux_Trojan_Mirai_520deeb8 Linux_Trojan_Mirai_449937aa Linux_Trojan_Mirai_01e4a728 Linux_Trojan_Mirai_e0cf29e2 Linux_Gafgyt_May_2024
Link:
https://app.threat.zone/submission/49b913ff-e71a-4108-bc15-fe9e3bb152fb
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mirai
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c15f19e255d49e9ff8d7e253eec6c1e9ed0c51a37c0c829d04c602241935c225

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_0cd591cd
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_28a2fe0c
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_33b4111a
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_620087b9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_807911a2
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_9e9530a7
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_a33a8363
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d0c57a2e
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d4227dbf
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d996d335
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_01e4a728
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_449937aa
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_520deeb8
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_e0cf29e2
Create hunting rule
Author:Elastic Security
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf c15f19e255d49e9ff8d7e253eec6c1e9ed0c51a37c0c829d04c602241935c225

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3298717/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments