MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d364b830a8d6dcd4ca6382e7216ca9e4d03ecfb2b05361730d579b3c1a09d8f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d364b830a8d6dcd4ca6382e7216ca9e4d03ecfb2b05361730d579b3c1a09d8f2
SHA3-384 hash: fb36a6af67baac8a1c794146d54b8465c05afee000e6984bc05e130b31cbbd6b2de97068d54fa7de17cbec9fc40a0407
SHA1 hash: bcf42e19f0b704bb80ea07cfcaa6a63005755a5e
MD5 hash: e593d47e7c58c81beb1b21c0181e7c87
humanhash: floor-social-illinois-shade
File name:x86
Download: download sample
Signature Mirai
Create hunting rule
File size:38'736 bytes
First seen:2025-08-28 02:59:43 UTC
Last seen:2025-08-28 03:31:46 UTC
File type: elf
MIME type:application/x-executable
ssdeep 768:5TKAx1/tWKBmP9sApYteotwyEHW+xSy57mV+WT4AOuuM+TU:5TZx114vytemfE2+xSygV+W8BdM
TLSH T10D033AC5E613D1F0EC5522B11037A7625F76E03626B8EB27CB662A357C53B00AB0B79D
telfhash t1c721a1f6bea608fcf691ac4cdb1f27e31616c67b072160f540b038963af31149036835
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
2
# of downloads :
33
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Unix.Trojan.Mirai-9970440-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Kills processes
Sends data to a server
Connection attempt
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/68afc6606212e2f74264357d/reports/07a6588b-a5f6-4222-97d2-83c51fdd1763/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
4
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/d364b830a8d6dcd4ca6382e7216ca9e4d03ecfb2b05361730d579b3c1a09d8f2
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Unknown
File Type:
elf.32.le
Link:
https://opentip.kaspersky.com/d364b830a8d6dcd4ca6382e7216ca9e4d03ecfb2b05361730d579b3c1a09d8f2/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/23b59c6c-2dfb-448c-92cc-9066657d8996
Behavior Graph:
Download SVG
%3 guuid=f9de85eb-1600-0000-8127-fffb800d0000 pid=3456 /usr/bin/sudo guuid=77951aed-1600-0000-8127-fffb870d0000 pid=3463 /tmp/sample.bin guuid=f9de85eb-1600-0000-8127-fffb800d0000 pid=3456->guuid=77951aed-1600-0000-8127-fffb870d0000 pid=3463 execve guuid=66d65f46-1700-0000-8127-fffb560e0000 pid=3670 /tmp/sample.bin net send-data guuid=77951aed-1600-0000-8127-fffb870d0000 pid=3463->guuid=66d65f46-1700-0000-8127-fffb560e0000 pid=3670 clone guuid=28cdb049-1700-0000-8127-fffb630e0000 pid=3683 /tmp/sample.bin net send-data zombie guuid=77951aed-1600-0000-8127-fffb870d0000 pid=3463->guuid=28cdb049-1700-0000-8127-fffb630e0000 pid=3683 clone d7e75a5d-65d1-5941-aac4-e4015a0a0899 31.56.39.76:6969 guuid=66d65f46-1700-0000-8127-fffb560e0000 pid=3670->d7e75a5d-65d1-5941-aac4-e4015a0a0899 send: 52B 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=28cdb049-1700-0000-8127-fffb630e0000 pid=3683->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con db96774e-46a5-59dd-83b1-9c87ef6aad62 104.252.127.190:1025 guuid=28cdb049-1700-0000-8127-fffb630e0000 pid=3683->db96774e-46a5-59dd-83b1-9c87ef6aad62 send: 18B guuid=e4b3c24a-1700-0000-8127-fffb660e0000 pid=3686 /tmp/sample.bin guuid=28cdb049-1700-0000-8127-fffb630e0000 pid=3683->guuid=e4b3c24a-1700-0000-8127-fffb660e0000 pid=3686 clone guuid=4d6ac7a0-1d00-0000-8127-fffb92140000 pid=5266 /tmp/sample.bin send-data guuid=28cdb049-1700-0000-8127-fffb630e0000 pid=3683->guuid=4d6ac7a0-1d00-0000-8127-fffb92140000 pid=5266 clone guuid=f4e0764b-1700-0000-8127-fffb690e0000 pid=3689 /tmp/sample.bin net send-data guuid=e4b3c24a-1700-0000-8127-fffb660e0000 pid=3686->guuid=f4e0764b-1700-0000-8127-fffb690e0000 pid=3689 clone guuid=2c388e87-1800-0000-8127-fffb52110000 pid=4434 /tmp/sample.bin net send-data guuid=e4b3c24a-1700-0000-8127-fffb660e0000 pid=3686->guuid=2c388e87-1800-0000-8127-fffb52110000 pid=4434 clone guuid=f4e0764b-1700-0000-8127-fffb690e0000 pid=3689->d7e75a5d-65d1-5941-aac4-e4015a0a0899 send: 38B guuid=2c388e87-1800-0000-8127-fffb52110000 pid=4434->d7e75a5d-65d1-5941-aac4-e4015a0a0899 send: 38B fa2b0013-a435-5a54-bac9-7d75ca214c5d 23.161.169.77:22 guuid=4d6ac7a0-1d00-0000-8127-fffb92140000 pid=5266->fa2b0013-a435-5a54-bac9-7d75ca214c5d send: 245820B guuid=c9c9e6a0-1d00-0000-8127-fffb93140000 pid=5267 /tmp/sample.bin guuid=4d6ac7a0-1d00-0000-8127-fffb92140000 pid=5266->guuid=c9c9e6a0-1d00-0000-8127-fffb93140000 pid=5267 clone
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23190f61-c0a8-4ecf-90b1-1bcbd6ad6ba1
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1766727
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample reads /proc/mounts (often used for finding a writable filesystem)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1766727 Sample: x86.elf Startdate: 28/08/2025 Architecture: LINUX Score: 60 21 31.56.39.76, 42296, 6969 RASANAIR Iran (ISLAMIC Republic Of) 2->21 23 109.202.202.202, 80 INIT7CH Switzerland 2->23 25 4 other IPs or domains 2->25 27 Malicious sample detected (through community Yara rule) 2->27 29 Multi AV Scanner detection for submitted file 2->29 8 x86.elf 2->8         started        11 dash rm 2->11         started        13 dash rm 2->13         started        signatures3 process4 signatures5 31 Sample reads /proc/mounts (often used for finding a writable filesystem) 8->31 15 x86.elf 8->15         started        17 x86.elf 8->17         started        process6 process7 19 x86.elf 15->19         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/d364b830a8d6dcd4ca6382e7216ca9e4d03ecfb2b05361730d579b3c1a09d8f2
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d364b830a8d6dcd4ca6382e7216ca9e4d03ecfb2b05361730d579b3c1a09d8f2/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-08-28 03:00:48 UTC
File Type:
ELF32 Little (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2nslqmfi23onjstdqltsc3fj4tid5t5swbjwc4ynk6ntygqj3dza._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
credential_access discovery linux
Link:
https://tria.ge/reports/250828-dhp79aap7w/
Behaviour
Reads runtime system information
Changes its process name
Reads process memory
Enumerates running processes
Creates a large amount of network flows
Verdict:
Malicious
Tags:
trojan mirai Unix.Trojan.Mirai-9970440-0
YARA:
Linux_Trojan_Mirai_389ee3e9 Linux_Trojan_Mirai_cc93863b
Link:
https://app.threat.zone/submission/4a7d1f0e-bdc3-4a9d-9b2f-aa92bd4515e1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.09
Link:
https://yomi.yoroi.company/submissions/d364b830a8d6dcd4ca6382e7216ca9e4d03ecfb2b05361730d579b3c1a09d8f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Mirai_389ee3e9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_cc93863b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf d364b830a8d6dcd4ca6382e7216ca9e4d03ecfb2b05361730d579b3c1a09d8f2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3609499/
  
Delivery method
Distributed via web download

Comments