MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf32a3e93123f3050c364325f0e06a279c6de2cc80e61b56c6cb916e23cbcf03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 8


Intelligence 8 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf32a3e93123f3050c364325f0e06a279c6de2cc80e61b56c6cb916e23cbcf03
SHA3-384 hash: 4567a5a89e58ddd0218d128ac52a985e2eac6d416e9bdd09a71871f01879e91db81970cdaa4ab22b5b3c5453b0643af3
SHA1 hash: 18ddaa583f1c5d6b230819e51a1d0038238af498
MD5 hash: a74f95ad4d8fbf43cf10f44fec6284e2
humanhash: georgia-alabama-white-summer
File name:furry.mpslxc
Download: download sample
Signature Mirai
Create hunting rule
File size:259'014 bytes
First seen:2026-02-12 06:30:06 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 6144:pOnmhA01LUTxiKRqM1SM8loXNzSiV3bQ8P2vJ0:kTcKKlwzSiV3bQ8P2vJ0
TLSH T1EE44E909AF210FFBE8AFDE3706EA0B55148CA90722A53B357574ED58B60B18F09D3974
telfhash t1e45178369d3e842637f1d4185c9c9bf1154a43336b519d32ef19c9ac641e04eb04bc4f
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf gafgyt mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Linux.Siggen.9999-11.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30423.LX.BOT.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-10017641-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Runs as daemon
Kills processes
Receives data from a server
Collects information on the RAM
Manages services
Launching a process
Opens a port
Sends data to a server
DNS request
Sets a written file as executable
Creating a file
Collects information on the CPU
Connection attempt
Collects information on the OS
Kills critical processes
Substitutes an application name
Deleting of the original file
Creates or modifies files in /init.d to set up autorun
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
bash gcc lolbin
Link:
https://www.filescan.io/uploads/698d73a82ffccda0976de4c1/reports/2b559ec0-0d59-4578-9462-46f16daf2660/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
mips
Packer:
not packed
Botnet:
unknown
Number of open files:
7
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/cf32a3e93123f3050c364325f0e06a279c6de2cc80e61b56c6cb916e23cbcf03
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Gathering data
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/769f3920-df14-4d28-80ae-43f92d0ccbd4
Behavior Graph:
Download SVG
%3 guuid=0344a21e-1a00-0000-4080-81b7be090000 pid=2494 /usr/bin/sudo guuid=7c41b220-1a00-0000-4080-81b7c3090000 pid=2499 /tmp/sample.bin guuid=0344a21e-1a00-0000-4080-81b7be090000 pid=2494->guuid=7c41b220-1a00-0000-4080-81b7c3090000 pid=2499 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8dd59cae-a5fd-44c9-9426-ac40864c6f33
Result
Threat name:
Aquabot, Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1868118
Signature
Contains symbols with names commonly found in malware
Found malware configuration
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using System V runlevels
Yara detected Aquabot
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1868118 Sample: furry.mpslxc.elf Startdate: 12/02/2026 Architecture: LINUX Score: 96 63 femboyvault.xyz 2->63 65 femboyvault.xyz 23.172.217.88, 34824, 4568 WILDWISP-01US Reserved 2->65 67 5 other IPs or domains 2->67 73 Found malware configuration 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 Yara detected Aquabot 2->77 81 2 other signatures 2->81 8 furry.mpslxc.elf 2->8         started        12 systemd gpu-manager 2->12         started        14 systemd dbus-daemon 2->14         started        16 94 other processes 2->16 signatures3 79 Performs DNS queries to domains with low reputation 63->79 process4 file5 55 /usr/local/bin/MBRK92Sjs1tb9N1, ELF 8->55 dropped 57 /etc/rc.local, ASCII 8->57 dropped 59 /etc/issue.net, ASCII 8->59 dropped 61 /etc/issue, ASCII 8->61 dropped 83 Sample deletes itself 8->83 85 Sample tries to persist itself using System V runlevels 8->85 18 furry.mpslxc.elf 8->18         started        21 furry.mpslxc.elf 8->21         started        23 furry.mpslxc.elf 8->23         started        31 11 other processes 8->31 25 gpu-manager sh 12->25         started        27 gpu-manager sh 12->27         started        29 gpu-manager sh 12->29         started        33 5 other processes 12->33 87 Sample reads /proc/mounts (often used for finding a writable filesystem) 14->87 35 23 other processes 16->35 signatures6 process7 signatures8 69 Sample reads /proc/mounts (often used for finding a writable filesystem) 18->69 71 Sample tries to kill multiple processes (SIGKILL) 21->71 37 sh grep 25->37         started        39 sh grep 27->39         started        41 sh grep 29->41         started        43 sh systemctl 31->43         started        45 sh systemctl 31->45         started        47 sh systemctl 31->47         started        49 3 other processes 31->49 51 5 other processes 33->51 53 7 other processes 35->53 process9
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/cf32a3e93123f3050c364325f0e06a279c6de2cc80e61b56c6cb916e23cbcf03
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cf32a3e93123f3050c364325f0e06a279c6de2cc80e61b56c6cb916e23cbcf03/
Threat name:
Linux.Backdoor.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2026-02-12 06:17:13 UTC
File Type:
ELF32 Little (Exe)
AV detection:
9 of 36 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4zkh2jrepzqkdbwims7bydke6og3ywmqdtbwvwgzoiw4i6lz4bq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm credential_access discovery persistence privilege_escalation
Link:
https://tria.ge/reports/260212-g9xcesbw7d/
Behaviour
Reads runtime system information
Changes its process name
Checks CPU configuration
Reads system network configuration
Reads process memory
Enumerates active TCP sockets
Enumerates running processes
Modifies rc script
Modifies systemd
Write file to user bin folder
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202503_elf_Mirai
Create hunting rule
Author:abuse.ch
Description:Detects Mirai 'TSource' ELF files
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:ELF_Mirai
Create hunting rule
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf cf32a3e93123f3050c364325f0e06a279c6de2cc80e61b56c6cb916e23cbcf03

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3776310/
  
Delivery method
Distributed via web download

Comments