MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3047ff521542e77f8206ddde6af450fe760bb782646dbc4ee22ace6f0c72d37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 14

SHA256 hash: d3047ff521542e77f8206ddde6af450fe760bb782646dbc4ee22ace6f0c72d37
SHA3-384 hash: 8b61065ca5bb75d282d7f151bdb34555b5003f28e2f6ca940b202c37b5ced1dc739a50ebd6340b2a459c968651a574f6
SHA1 hash: 8ab31feb1c959acba6c8c7a091a6f152349724d5
MD5 hash: 5d41eb82780153e89836819d280714c8
humanhash: kilo-johnny-eight-papa
File name: mao.x86_64
Signature: Mirai
File size: 76'016 bytes
First seen: 2026-04-06 11:03:22 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 1536:7YSDIfasSohWyrHsxz0Wjv7U1maJYf4pdcmmDQzHvYaXua84+:NGBSoEssxAcUgaJq4pdODQzHvYaO
TLSH: T109734C0BBD4880FDC159D53C83BEB53AC56770BD1139B2EB2BD8BE271D46E612A1C858
telfhash: t1362121b678ad08a471d7b136e716f1e58c38196405f636e2ad3304f2eb223884db3436
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 54
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Connection attempt
DNS request
Sets a written file as executable
Runs as daemon
Creating a file in the %temp% directory
Manages services
Creating a file
Kills processes
Opens a port
Launching a process
Creates or modifies files in /cron to set up autorun
Substitutes an application name
Creates or modifies symbolic links in /init.d to set up autorun
Creates or modifies files in /init.d to set up autorun
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 1
Number of processes launched: 8
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour
Persistence
Process Renaming
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Verdict: Malicious
File Type: elf.64.le
First seen: 2026-04-06T08:18:00Z UTC
Last seen: 2026-04-07T06:21:00Z UTC
Hits: ~10
Detections: HEUR:Backdoor.Linux.Mirai.es HEUR:Backdoor.Linux.Mirai.b
Status: terminated
Behavior Graph: [rendered process graph; only its node and edge labels survived extraction. Recoverable content: /usr/bin/sudo (pid 3673) execs /tmp/sample.bin (pid 3682), which connects to 8.8.8.8:53 and forks a chain of /tmp/sample.bin children. The pid 3685 child (tagged dns, net, send-data, write-config, write-file) sends 29 bytes to 8.8.8.8:53, connects to mn.34509.su:25565 and repeatedly spawns /usr/bin/dash, which in turn runs /usr/sbin/update-rc.d, /usr/bin/systemctl and /usr/bin/chmod. /usr/lib/systemd/systemd (pid 1) later re-execs /tmp/sample.bin eleven times (pids 4279 through 5336); pid 4279 connects to 8.8.8.8:53 and to the endpoint 0.0.0.0:63841, and the later instances fork further children, several tagged write-config, that spawn /usr/bin/dash and /usr/sbin/update-rc.d.]
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature
Drops files in suspicious directories
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Yara detected Okiru
Behaviour
Behavior Graph: [rendered graph; only its node and edge labels survived extraction. Recoverable content: Behavior Graph ID 1893942, sample mao.x86_64.elf, start date 06/04/2026, architecture LINUX, score 76. Network: 109.202.202.202 port 80 (INIT7CH, Switzerland); mn.34509.su resolving to 89.190.156.14, ports 25565 and 49924 (HOSTUS-GLOBAL-AS HostUS HK, United Kingdom); 3 other IPs or domains. Signatures shown on the graph: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Okiru; Drops files in suspicious directories; Sample tries to persist itself using cron; Sample tries to persist itself using System V runlevels. Process tree: mao.x86_64.elf is started directly and via systemd and forks several generations of mao.x86_64.elf children (dozens of processes); one child drops /etc/init.d/.sys_daemon (POSIX), /etc/cron.d/.sys_update (ASCII) and /tmp/.sys_recovery.sh (POSIX) and runs sh update-rc.d and sh systemctl, with update-rc.d then invoking systemctl.]
Threat name: Linux.Trojan.Multiverze
Status: Malicious
First seen: 2026-04-06 11:04:30 UTC
File Type: ELF64 Little (Exe)
AV detection: 14 of 23 (60.87%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:mirai defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Reads runtime system information
Writes file to tmp directory
Changes its process name
Creates/modifies Cron job
Modifies init.d
Modifies systemd
File and Directory Permissions Modification
Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ELF_IoT_Persistence_Hunt
Author: 4r4
Description: Hunts for ELF files with persistence and download capabilities

Rule name: Linux_Generic_Threat_3bcc1630
Author: Elastic Security

Rule name: Linux_Generic_Threat_da28eb8b
Author: Elastic Security

Rule name: Linux_Trojan_Gafgyt_0cd591cd
Author: Elastic Security

Rule name: Linux_Trojan_Gafgyt_33b4111a
Author: Elastic Security

Rule name: Linux_Trojan_Gafgyt_620087b9
Author: Elastic Security

Rule name: Linux_Trojan_Gafgyt_807911a2
Author: Elastic Security

Rule name: Linux_Trojan_Gafgyt_9e9530a7
Author: Elastic Security

Rule name: Linux_Trojan_Gafgyt_a33a8363
Author: Elastic Security

Rule name: Linux_Trojan_Gafgyt_d4227dbf
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_6a77af0f
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_e0cf29e2
Author: Elastic Security

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Mirai
elf d3047ff521542e77f8206ddde6af450fe760bb782646dbc4ee22ace6f0c72d37 (this sample)

Delivery method: Distributed via web download

Comments