MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d25f9b94462c327c549ad5cc2b481958cbf3faea066e8d84b35f26b4be3f7d43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 7


Intelligence 7 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d25f9b94462c327c549ad5cc2b481958cbf3faea066e8d84b35f26b4be3f7d43
SHA3-384 hash: 287c0c6c400e0beee6d610e050d67d1cf113be29eff3bcd376d3a6c5fe5768f2b1b195cd51d8dbfc77776d00efc27cb3
SHA1 hash: a59c17cee32bee561ebe5ec4b43d2fde8ee70b6a
MD5 hash: e69dc91ec3f01c98afa557e2c131cec5
humanhash: oranges-william-floor-september
File name:arm.go
Download: download sample
Signature Mirai
Create hunting rule
File size:132'308 bytes
First seen:2026-02-09 21:08:45 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:T8V9zwzGMeyyx5PUH0RVLY1jAsJhNpxJo1HPY41RlppGDjwg9Rl7Do59gOXkPjZR:T8V9zdc0o1phPxEY41lpw3JDus0I
TLSH T1C9D33B92FC82D612C6C76177FB1E428D772713B8D3EA32039E256F61368A56A0F7B141
telfhash t1fa513626df540edce7ca86d091cf701557ed31ad27185466966c77874d43dc2b03d41b
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
35
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.30455.LC.BadVar.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-10001386-0
Create hunting rule

Unix.Trojan.Mirai-10010127-0
Create hunting rule

Unix.Trojan.Mirai-10017351-0
Create hunting rule

Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
masquerade rust
Link:
https://www.filescan.io/uploads/698a4cfc2ffccda0976ba907/reports/8ae907e0-504d-4cb6-9365-d4a44857d215/overview
Result
Gathering data
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aeda053b-558f-406b-83d4-7678f113a84b
Result
Threat name:
Gafgyt
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1866361
Signature
Drops files in suspicious directories
Drops invisible ELF files
Executes the "crontab" command typically for achieving persistence
Found malware configuration
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Terminates several processes with shell command 'killall'
Writes identical ELF files to multiple locations
Yara detected Gafgyt
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1866361 Sample: arm.go.elf Startdate: 09/02/2026 Architecture: LINUX Score: 100 97 54.171.230.55, 443, 58866 AMAZON-02US United States 2->97 115 Found malware configuration 2->115 117 Multi AV Scanner detection for submitted file 2->117 119 Yara detected Gafgyt 2->119 11 dash rm arm.go.elf 2->11         started        14 udisksd dumpe2fs 2->14         started        16 udisksd dumpe2fs 2->16         started        18 168 other processes 2->18 signatures3 process4 signatures5 129 Sample reads /proc/mounts (often used for finding a writable filesystem) 11->129 20 arm.go.elf 11->20         started        process6 file7 89 /var/spool/cron/root, ASCII 20->89 dropped 91 /var/spool/cron/crontabs/root, ASCII 20->91 dropped 93 /tmp/.taunt, POSIX 20->93 dropped 95 13 other files (12 malicious) 20->95 dropped 121 Sample tries to set files in /etc globally writable 20->121 123 Sample tries to persist itself using /etc/profile 20->123 125 Drops files in suspicious directories 20->125 127 4 other signatures 20->127 24 arm.go.elf sh 20->24         started        26 arm.go.elf sh 20->26         started        28 arm.go.elf sh 20->28         started        30 21 other processes 20->30 signatures8 process9 process10 32 sh cp 24->32         started        36 sh crontab 26->36         started        38 sh 26->38         started        40 sh cp 28->40         started        42 sh cp 30->42         started        44 sh cp 30->44         started        46 sh rm 30->46         started        48 20 other processes 30->48 file11 79 /usr/bin/.update, ELF 32->79 dropped 99 Writes identical ELF files to multiple locations 32->99 101 Drops invisible ELF files 32->101 103 Drops files in suspicious directories 32->103 81 /var/spool/cron/crontabs/tmp.osrrPM, ASCII 36->81 dropped 105 Sample tries to persist itself using cron 36->105 107 Executes the "crontab" command typically for achieving persistence 36->107 50 sh crontab 38->50         started        83 /boot/.update, ELF 40->83 dropped 85 /var/jbx/shared/.update, ELF 42->85 dropped 87 /var/log/.update, ELF 44->87 dropped 109 Sample deletes itself 46->109 111 Terminates several processes with shell command 'killall' 48->111 53 S99backup0 48->53         started        55 S99backup1 48->55         started        57 S99backup2 48->57         started        59 2 other processes 48->59 signatures12 process13 signatures14 113 Executes the "crontab" command typically for achieving persistence 50->113 61 S99backup0 .update 53->61         started        71 5 other processes 53->71 63 S99backup1 .update 55->63         started        73 5 other processes 55->73 65 S99backup2 .update 57->65         started        75 5 other processes 57->75 67 S99network .update 59->67         started        69 .monitor .update 59->69         started        77 10 other processes 59->77 process15
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/d25f9b94462c327c549ad5cc2b481958cbf3faea066e8d84b35f26b4be3f7d43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d25f9b94462c327c549ad5cc2b481958cbf3faea066e8d84b35f26b4be3f7d43/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/d25f9b94462c327c549ad5cc2b481958cbf3faea066e8d84b35f26b4be3f7d43
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-02-09 21:09:19 UTC
File Type:
ELF32 Little (Exe)
AV detection:
13 of 36 (36.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2jpzxfcgfqzhyve22xgcwsazldf7h6xkazxi3bftl4tljpr7pvbq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai
Link:
https://tria.ge/reports/260209-zzj88acx3d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202503_elf_Mirai
Create hunting rule
Author:abuse.ch
Description:Detects Mirai 'TSource' ELF files
Rule name:ELF_IoT_Persistence_Hunt
Create hunting rule
Author:4r4
Description:Hunts for ELF files with persistence and download capabilities
Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_irc_catcher
Create hunting rule
Author:@_lubiedo
Description:Find new ELF IRC samples
Rule name:Linux_Generic_Threat_d94e1020
Create hunting rule
Author:Elastic Security
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf d25f9b94462c327c549ad5cc2b481958cbf3faea066e8d84b35f26b4be3f7d43

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3775214/
  
Delivery method
Distributed via web download

Comments