MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdef5e824be6188d738deab6ad3c1a29956aa9ac0f9eec14c19208216bd04a61. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdef5e824be6188d738deab6ad3c1a29956aa9ac0f9eec14c19208216bd04a61
SHA3-384 hash: d112e757cc881c7767c4f1af9c9a185cfb752230085b46eab8c859c06dabc2d465f91e848846c4ee6f4dd0a613fd489b
SHA1 hash: 718810ce910857a7f493e80f3eade44bb652eb05
MD5 hash: 7ba34f612bc1dd7b5d02a96c23d34c9b
humanhash: single-ack-moon-vegan
File name:db0fa4b8db0333367e9bda3ab68b8042.x86
Download: download sample
Signature Mirai
Create hunting rule
File size:33'272 bytes
First seen:2025-08-07 07:34:49 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 768:E17nMr7XxGP2RxuZLa6rft7vapt7qMWKnbcuyD7Uiyqr:k7ng7XxGP2GdpftIt7qMWKnouy8Zqr
TLSH T144E2F103B488DB96EE990871166F374D5C74713E74904CF67B8021A7F922FDA9B187D2
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai UPX
File size (compressed) :33'272 bytes
File size (de-compressed) :74'608 bytes
Format:linux/i386
Unpacked file: 58b3082e784465a55ebf753c7eee852bc73f92e07da18867577843a659fbbc3d

Intelligence

File Origin
# of uploads :
1
# of downloads :
25
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Unix.Trojan.Mirai-7669677-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Opens a port
Sends data to a server
Receives data from a server
Connection attempt
DNS request
Runs as daemon
Substitutes an application name
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
UPX
Botnet:
unknown
Number of open files:
0
Number of processes launched:
8
Processes remaning?
true
Remote TCP ports scanned:
80,23,37215,443
Full report:
https://elfdigest.com/brief/cdef5e824be6188d738deab6ad3c1a29956aa9ac0f9eec14c19208216bd04a61
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ea7096a3-8b4f-448d-b2e9-db0d8185b834
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1752084
Signature
Detected Mirai
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample tries to kill multiple processes (SIGKILL)
Suricata IDS alerts for network traffic
Uses known network protocols on non-standard ports
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1752084 Sample: db0fa4b8db0333367e9bda3ab68... Startdate: 07/08/2025 Architecture: LINUX Score: 100 29 210.247.141.246 WEBCENTRAL-ASWebCentralAU Australia 2->29 31 109.112.176.252, 443 VODAFONE-IT-ASNIT Italy 2->31 33 99 other IPs or domains 2->33 35 Suricata IDS alerts for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Detected Mirai 2->39 41 4 other signatures 2->41 8 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 2->8         started        10 xfce4-panel wrapper-2.0 2->10         started        12 xfce4-panel wrapper-2.0 2->12         started        14 6 other processes 2->14 signatures3 process4 process5 16 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 8->16         started        18 wrapper-2.0 xfpm-power-backlight-helper 10->18         started        process6 20 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 16->20         started        23 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 16->23         started        25 db0fa4b8db0333367e9bda3ab68b8042.x86.elf 16->25         started        27 3 other processes 16->27 signatures7 43 Sample tries to kill multiple processes (SIGKILL) 20->43
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/cdef5e824be6188d738deab6ad3c1a29956aa9ac0f9eec14c19208216bd04a61
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cdef5e824be6188d738deab6ad3c1a29956aa9ac0f9eec14c19208216bd04a61/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/cdef5e824be6188d738deab6ad3c1a29956aa9ac0f9eec14c19208216bd04a61
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-08-06 02:30:26 UTC
File Type:
ELF32 Little (Exe)
AV detection:
22 of 36 (61.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxxv5asl4ymi244n5k3k2pa2fgkwvknmb6poyfgbsiecc26qjjqq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:unstable botnet defense_evasion discovery linux upx
Link:
https://tria.ge/reports/250807-jfgqzsdq4v/
Behaviour
Reads runtime system information
Changes its process name
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Contacts a large (201793) amount of remote hosts
Creates a large amount of network flows
Mirai
Mirai family
Verdict:
Malicious
Tags:
Unix.Trojan.Mirai-7669677-0
YARA:
n/a
Link:
https://app.threat.zone/submission/aa60634f-6ed8-435e-a933-2bc717d4a6af
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mirai
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/cdef5e824be6188d738deab6ad3c1a29956aa9ac0f9eec14c19208216bd04a61

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh b068a1df0639980bf1ee189ab71838a9d78911b2517b3f5aa09ce426339ca521

Mirai

elf cdef5e824be6188d738deab6ad3c1a29956aa9ac0f9eec14c19208216bd04a61

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3598079/
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 b068a1df0639980bf1ee189ab71838a9d78911b2517b3f5aa09ce426339ca521
  
Dropped by
MD5 b5504783f3af7a4d17782e346db47990
  
URLhaus
https://urlhaus.abuse.ch/url/3598078/
  
URLhaus
https://urlhaus.abuse.ch/url/3598521/
  
URLhaus
https://urlhaus.abuse.ch/url/3598540/
  
URLhaus
https://urlhaus.abuse.ch/url/3598544/
  
URLhaus
https://urlhaus.abuse.ch/url/3598545/
  
URLhaus
https://urlhaus.abuse.ch/url/3598565/
  
URLhaus
https://urlhaus.abuse.ch/url/3598569/
  
URLhaus
https://urlhaus.abuse.ch/url/3598589/
  
URLhaus
https://urlhaus.abuse.ch/url/3598597/
  
Dropped by
SHA256 d31727dc523ec3271858980a56e84271885961d7d6d990f789200d779f62fd1c
  
Dropped by
MD5 be95c6144d78857aa0c2430b9943e78d
  
Dropped by
SHA256 f4ec9449fbbbb3e40916fe13c42fe45db171cbea253ee43dfe64e5994abdb89f
  
Dropped by
MD5 7f8052bb67c14782f1ec296953770323
  
Dropped by
SHA256 0ddd54d79bf29b096c5ae6f3ddc4de078d9777638c2086d9c7bf4cfd2454cf14
  
Dropped by
MD5 8e610cb2e9d3854735e3525565a1ac5c
  
Dropped by
SHA256 b79997c8b30ad6b00e3e2afae0895f391b2756beb0ca8b966fa0f29acd6d1e82
  
Dropped by
MD5 0ac24c40afc4ac70b3126cdfc65c6da0
  
Dropped by
SHA256 e9d23766f0d1736195850a320ae7751e85d2be0865ae832fcfb54ce328799592
  
Dropped by
MD5 2edbf3e5a36ce818bb3f06751dbcc728
  
Dropped by
SHA256 d32ab9e6756ee5eb17accd106ccc544280784d1b4e0da4a6ae32889c478d3da2
  
Dropped by
MD5 31b2f89f95157b0e4f3eaf2ce1ee9b5a
  
Dropped by
SHA256 5514183fd45975a42e65a424d54769cc76146314ead8a3fba99bd03e592473f2
  
Dropped by
MD5 a98fd861d233a728a4848e56f55991be
  
Dropped by
SHA256 43f4ca887f2ef1ae6c9a37e37ae93c0411d9748d90614d50cbee6f97e37c1647
  
Dropped by
MD5 5e037a8c4340d2699a4cf3fc42b3b0ef
  
Dropped by
SHA256 bcf486650257346530bca8f5ca65600f655c458517422fc7c70ccac0d4b78384
  
Dropped by
MD5 2441c1c7c935e9452fbc432369bd1ce5
  
Dropped by
SHA256 cacc4898b1ecabb49f519262fccdccf4aea367207cf8480602e50d6124a00488
  
Dropped by
MD5 e62420328adf7f701256b472ae3aa2f8
  
Dropped by
SHA256 0e99ae419742ddcef9864982c71aef58ce6afee04272b89692f83fb72d16f421
  
Dropped by
MD5 97d3a740f13ed10ccff0fd3328de67fc
  
Dropped by
SHA256 e9c8915333b6730c5715919f9029d6242c8cd218f51ca6f72110446b6b6d9fc0
  
Dropped by
MD5 64fc987394c96ebec0c1ff1270e70f35
  
Dropped by
SHA256 a9a38ff89db972acd2dc74d81174bed482da90f00a8fdecce23f198b4289d8cc
  
Dropped by
MD5 c57648881833d6f106b5fcc115a095eb
  
URLhaus
https://urlhaus.abuse.ch/url/3598489/
  
URLhaus
https://urlhaus.abuse.ch/url/3598564/
  
URLhaus
https://urlhaus.abuse.ch/url/3598584/
  
URLhaus
https://urlhaus.abuse.ch/url/3598595/
  
URLhaus
https://urlhaus.abuse.ch/url/3598490/
  
URLhaus
https://urlhaus.abuse.ch/url/3598561/
  
URLhaus
https://urlhaus.abuse.ch/url/3598577/
  
URLhaus
https://urlhaus.abuse.ch/url/3598602/
  
URLhaus
https://urlhaus.abuse.ch/url/3598491/
  
URLhaus
https://urlhaus.abuse.ch/url/3598590/
  
URLhaus
https://urlhaus.abuse.ch/url/3598591/
  
URLhaus
https://urlhaus.abuse.ch/url/3598492/
  
URLhaus
https://urlhaus.abuse.ch/url/3598573/
  
URLhaus
https://urlhaus.abuse.ch/url/3598599/
  
URLhaus
https://urlhaus.abuse.ch/url/3598609/
  
URLhaus
https://urlhaus.abuse.ch/url/3598611/
  
URLhaus
https://urlhaus.abuse.ch/url/3598493/
  
URLhaus
https://urlhaus.abuse.ch/url/3598576/
  
URLhaus
https://urlhaus.abuse.ch/url/3598592/
  
URLhaus
https://urlhaus.abuse.ch/url/3598601/
  
URLhaus
https://urlhaus.abuse.ch/url/3598606/
  
URLhaus
https://urlhaus.abuse.ch/url/3598494/
  
URLhaus
https://urlhaus.abuse.ch/url/3598570/
  
URLhaus
https://urlhaus.abuse.ch/url/3598586/
  
URLhaus
https://urlhaus.abuse.ch/url/3598588/
  
URLhaus
https://urlhaus.abuse.ch/url/3598495/
  
URLhaus
https://urlhaus.abuse.ch/url/3598574/
  
URLhaus
https://urlhaus.abuse.ch/url/3598575/
  
URLhaus
https://urlhaus.abuse.ch/url/3598582/
  
URLhaus
https://urlhaus.abuse.ch/url/3598496/
  
URLhaus
https://urlhaus.abuse.ch/url/3598585/
  
URLhaus
https://urlhaus.abuse.ch/url/3598587/
  
URLhaus
https://urlhaus.abuse.ch/url/3598605/
  
URLhaus
https://urlhaus.abuse.ch/url/3598497/
  
URLhaus
https://urlhaus.abuse.ch/url/3598568/
  
URLhaus
https://urlhaus.abuse.ch/url/3598579/
  
URLhaus
https://urlhaus.abuse.ch/url/3598600/
  
URLhaus
https://urlhaus.abuse.ch/url/3598604/
  
URLhaus
https://urlhaus.abuse.ch/url/3598498/
  
URLhaus
https://urlhaus.abuse.ch/url/3598581/
  
URLhaus
https://urlhaus.abuse.ch/url/3598598/
  
URLhaus
https://urlhaus.abuse.ch/url/3598613/
  
URLhaus
https://urlhaus.abuse.ch/url/3598499/
  
URLhaus
https://urlhaus.abuse.ch/url/3598560/
  
URLhaus
https://urlhaus.abuse.ch/url/3598566/
  
URLhaus
https://urlhaus.abuse.ch/url/3598567/
  
URLhaus
https://urlhaus.abuse.ch/url/3598500/
  
URLhaus
https://urlhaus.abuse.ch/url/3598559/
  
URLhaus
https://urlhaus.abuse.ch/url/3598578/
  
URLhaus
https://urlhaus.abuse.ch/url/3598594/
  
URLhaus
https://urlhaus.abuse.ch/url/3598610/
  
URLhaus
https://urlhaus.abuse.ch/url/3598563/
  
URLhaus
https://urlhaus.abuse.ch/url/3598580/
  
URLhaus
https://urlhaus.abuse.ch/url/3598607/
  
URLhaus
https://urlhaus.abuse.ch/url/3598608/
  
URLhaus
https://urlhaus.abuse.ch/url/3598612/
  
URLhaus
https://urlhaus.abuse.ch/url/3598583/
  
URLhaus
https://urlhaus.abuse.ch/url/3598556/
  
URLhaus
https://urlhaus.abuse.ch/url/3598593/
  
URLhaus
https://urlhaus.abuse.ch/url/3598572/
  
URLhaus
https://urlhaus.abuse.ch/url/3598557/
  
URLhaus
https://urlhaus.abuse.ch/url/3598614/
  
URLhaus
https://urlhaus.abuse.ch/url/3598571/
  
URLhaus
https://urlhaus.abuse.ch/url/3575091/
  
URLhaus
https://urlhaus.abuse.ch/url/3598488/
  
URLhaus
https://urlhaus.abuse.ch/url/3598562/
  
Dropped by
SHA256 54de431d841f759305b668ec7ad323a2dc1fe50df9c8a3d91fe5ad45b2509507
  
Dropped by
MD5 285f03e0e57de0a307ea6064719648eb

Comments