MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cabe8af779b093fbb99bc9e07c5fcd2a8453b238a42a23ff8618e9e33e7e030b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cabe8af779b093fbb99bc9e07c5fcd2a8453b238a42a23ff8618e9e33e7e030b
SHA3-384 hash: 62942e8dfd9363d2277bcc912269975892b833c0acede4db85287820a47ed310acb2bf205dc7e5f36acbeebf30b44256
SHA1 hash: 4be4cc231794975518f81843eed59fdaf65f1fc9
MD5 hash: 7e3caa46b92e59b8e627e1ce9309b65d
humanhash: oscar-south-avocado-tennis
File name:xova.ppc
Download: download sample
Signature Mirai
Create hunting rule
File size:28'776 bytes
First seen:2026-01-11 05:52:55 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 768:e/NtpY94h3wrvtnb6X6Atwogdrh+fdAO8l+j4uVcqgw09p:e/N/6g3gN6ZOoglh+fdsl+4u+qgw09p
TLSH T158D2E268F2889ED3CFDFACE10B85D6D023F21E8D33FE84A0D6D6C29255129222D41BD4
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai UPX
File size (compressed) :28'776 bytes
File size (de-compressed) :66'468 bytes
Format:linux/ppc32
Unpacked file: 698dcc70e226f16530947e626139a4617eec2b4a5301f1877b1247dc2f3e1ae0

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
DE DE
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/5b9c8407-0c8e-47b3-aee7-fc9903babfac/
Detection(s):
Unix.Trojan.Mirai-9936831-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Runs as daemon
Receives data from a server
Kills processes
Opens a port
Sends data to a server
Kills critical processes
Performs a bruteforce attack in the network
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
masquerade mirai packed upx
Link:
https://www.filescan.io/uploads/69633ae407ef5fa68e84195e/reports/68baf84e-1353-48f6-85d8-7605ec7dff95/overview
Result
Gathering data
Verdict:
Malicious
File Type:
elf.32.be
Link:
https://opentip.kaspersky.com/cabe8af779b093fbb99bc9e07c5fcd2a8453b238a42a23ff8618e9e33e7e030b/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/cd882039-0253-4f5c-8d7d-886d84727515
Behavior Graph:
Download SVG
%3 guuid=c61ccebe-1900-0000-a4d6-5312d0090000 pid=2512 /usr/bin/sudo guuid=589ad6c1-1900-0000-a4d6-5312d3090000 pid=2515 /tmp/sample.bin guuid=c61ccebe-1900-0000-a4d6-5312d0090000 pid=2512->guuid=589ad6c1-1900-0000-a4d6-5312d3090000 pid=2515 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/6489bfa1-c58e-4a96-a35c-ac32ebea27ab
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1848262
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample is packed with UPX
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1848262 Sample: xova.ppc.elf Startdate: 11/01/2026 Architecture: LINUX Score: 80 93 84.63.9.102, 23 VODANETInternationalIP-BackboneofVodafoneDE Germany 2->93 95 93.66.141.128, 23 VODAFONE-IT-ASNIT Italy 2->95 97 99 other IPs or domains 2->97 103 Antivirus / Scanner detection for submitted sample 2->103 105 Multi AV Scanner detection for submitted file 2->105 107 Yara detected Mirai 2->107 109 Sample is packed with UPX 2->109 11 systemd gdm3 2->11         started        13 systemd gpu-manager 2->13         started        15 systemd gpu-manager 2->15         started        17 68 other processes 2->17 signatures3 process4 file5 21 gdm3 gdm-session-worker 11->21         started        32 3 other processes 11->32 23 gpu-manager sh 13->23         started        34 7 other processes 13->34 36 8 other processes 15->36 91 /var/log/wtmp, data 17->91 dropped 99 Sample reads /proc/mounts (often used for finding a writable filesystem) 17->99 101 Reads system files that contain records of logged in users 17->101 25 xova.ppc.elf 17->25         started        27 xova.ppc.elf 17->27         started        30 accounts-daemon language-validate 17->30         started        38 29 other processes 17->38 signatures6 process7 signatures8 40 gdm-session-worker gdm-wayland-session 21->40         started        42 sh grep 23->42         started        44 xova.ppc.elf 25->44         started        51 2 other processes 25->51 113 Sample tries to kill multiple processes (SIGKILL) 27->113 47 language-validate language-options 30->47         started        53 7 other processes 34->53 55 8 other processes 36->55 49 language-validate language-options 38->49         started        57 19 other processes 38->57 process9 signatures10 59 gdm-wayland-session dbus-run-session 40->59         started        61 gdm-wayland-session dbus-daemon 40->61         started        115 Sample tries to kill multiple processes (SIGKILL) 44->115 64 language-options sh 47->64         started        66 language-options sh 49->66         started        68 language-options sh 57->68         started        70 gdm-wayland-session dbus-daemon 57->70         started        process11 signatures12 72 dbus-run-session dbus-daemon 59->72         started        117 Sample reads /proc/mounts (often used for finding a writable filesystem) 61->117 75 dbus-daemon 61->75         started        77 sh locale 64->77         started        79 sh grep 64->79         started        81 sh locale 66->81         started        83 sh grep 66->83         started        85 sh locale 68->85         started        87 sh grep 68->87         started        process13 signatures14 111 Sample reads /proc/mounts (often used for finding a writable filesystem) 72->111 89 dbus-daemon false 75->89         started        process15
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/cabe8af779b093fbb99bc9e07c5fcd2a8453b238a42a23ff8618e9e33e7e030b
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cabe8af779b093fbb99bc9e07c5fcd2a8453b238a42a23ff8618e9e33e7e030b/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-11 05:45:46 UTC
File Type:
ELF32 Big (Exe)
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zk7iv53zwcj7xom3zhqhyx6nfkcfhmryuqvch74gddu6gpt6amfq._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
linux upx
Link:
https://tria.ge/reports/260111-glg8laa19e/
Verdict:
Malicious
Tags:
Unix.Trojan.Mirai-9936831-0
YARA:
n/a
Link:
https://app.threat.zone/submission/e5384753-5ec0-4a8b-b3c0-55fb1dc27589
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/cabe8af779b093fbb99bc9e07c5fcd2a8453b238a42a23ff8618e9e33e7e030b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf cabe8af779b093fbb99bc9e07c5fcd2a8453b238a42a23ff8618e9e33e7e030b

(this sample)

Mirai

elf 698dcc70e226f16530947e626139a4617eec2b4a5301f1877b1247dc2f3e1ae0

  
URLhaus
https://urlhaus.abuse.ch/url/3755744/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3755793/
  
Dropping
SHA256 698dcc70e226f16530947e626139a4617eec2b4a5301f1877b1247dc2f3e1ae0
  
Dropping
MD5 a6bd2bec7111483102e9f35c3e58e905

Comments