MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2a25e97ae1dc76898019d7a71d29aad5328cc5793986e6763f44c3fbbe7ad91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 10



SHA256 hash: d2a25e97ae1dc76898019d7a71d29aad5328cc5793986e6763f44c3fbbe7ad91
SHA3-384 hash: 3285a4e367f6621539a604b903dba7e183f72ba4f6e9d78073a0753a8805b801f7a2f5e5fecd14dd123f6b5b9c0946ba
SHA1 hash: 2bddf2d219c2b0f3f3746c8e0a480fa95a43a9fc
MD5 hash: 12bdef284d4e3fd911429fe69dac3e4e
humanhash: orange-vegan-twelve-mars
File name: mips
Signature: Mirai
File size: 236'732 bytes
First seen: 2025-10-24 04:12:51 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 3072:IsHxJiHpuaDT91qKtDNgrw47jg/JAp/tc+sl6R+WBZ8:IsuJuS91qKbCOJCtCl6kWBZ8
TLSH: T10934431E2E22DF7EF66C873447B7C964979832D626E1D645E26CC31C1E2024E641FBE8
telfhash: t15b519e18097813f0a3655c5d49edff37d6a320da7e162c378e50e86ba769b834d10c1c
Magika: elf
Reporter: abuse_ch
Tags: elf gafgyt mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 63
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour:
Connection attempt
Deleting a recently created file
Sends data to a server
Mounts file systems
Kills processes
Removes directories
Receives data from a server
Runs as daemon
Opens a port
Substitutes an application name

Verdict: Unknown
Threat level: 0/10
Confidence: 100%
Tags: lolbin remote threat
Verdict: Malicious
File Type: elf.32.be
First seen: 2025-10-24T01:20:00Z UTC
Last seen: 2025-10-24T03:28:00Z UTC
Hits: ~10
Detections: HEUR:Exploit.Linux.CVE-2017-17215.a, HEUR:Backdoor.Linux.Mirai.hj, HEUR:Backdoor.Linux.Mirai.gen
Status: terminated
Behavior Graph: [process graph image not reproduced; recoverable content: /usr/bin/sudo (pid 4068) --execve--> /tmp/sample.bin (pid 4074)]
Result
Threat name: Gafgyt, Mirai
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100

Signature:
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Suricata IDS alerts for network traffic
Uses known network protocols on non-standard ports
Yara detected Gafgyt
Yara detected Mirai

Behaviour
Behavior Graph: [process graph image not reproduced; recoverable content: Behavior Graph ID 1801038; Sample: mips.elf; Startdate: 24/10/2025; Architecture: LINUX; Score: 100. Network nodes: 157.182.44.137 (WVUUS, United States), 159.41.100.238 (WHIRLPOOL-ASNUS, United States) and 98 other IPs or domains. Process nodes: mips.elf and its child mips.elf processes, /var/log/wtmp read as dropped data, and the sandbox desktop session tree (systemd, gdm3, gdm-session-worker, dbus-run-session, dbus-daemon, Xorg, gnome-session, ibus-daemon, at-spi-bus-launcher). Signature nodes attached to the sample's processes: "Sample deletes itself", "Sample reads /proc/mounts (often used for finding a writable filesystem)", "Sample tries to kill multiple processes (SIGKILL)", "Reads system files that contain records of logged in users".]
Threat name: Linux.Backdoor.Gafgyt
Status: Malicious
First seen: 2025-10-24 04:13:36 UTC
File Type: ELF32 Big (Exe)
AV detection: 14 of 24 (58.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: credential_access discovery

Behaviour:
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Reads process memory
Enumerates running processes
Deletes itself
Contacts a large (37619) amount of remote hosts
Creates a large amount of network flows

Verdict: Malicious
Tags: Unix.Trojan.Mirai-8041698-0
YARA: n/a

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: CVE_2017_17215
Author: NDA0E
Description: Detects exploitation attempt of CVE-2017-17215

Rule name: ELF_Mirai
Author: NDA0E
Description: Detects multiple Mirai variants

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Malware family | File type | SHA256 hash
Web download    | Mirai          | elf       | d2a25e97ae1dc76898019d7a71d29aad5328cc5793986e6763f44c3fbbe7ad91 (this sample)

Delivery method: Distributed via web download

Comments