MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3b6cc40167847e5aaaaec0b41d39fca5f2e4edd6a44cfe5e3c97b2ac731dfd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

SHA256 hash: d3b6cc40167847e5aaaaec0b41d39fca5f2e4edd6a44cfe5e3c97b2ac731dfd2
SHA3-384 hash: aae6f3f917007b04064033cf9593196d9cb94225a41b451036e4703865afb95a091e40a9a940f586a0eb872a1b628c09
SHA1 hash: b15ead1f7162afdfc78f6d58d893ab257a8c6065
MD5 hash: 9995f06ee169447fedf2e17a5163f193
humanhash: charlie-cardinal-undress-magnesium
File name: mips
Signature: Mirai
File size: 990'692 bytes
First seen: 2025-05-20 17:27:33 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 24576:y1qFbxayTHVZ/HnhuTlj+m1dHNWrUOl2fJ70hgp9XzKXjdtEoNn:Z/vHVZ/HKlj+m1dHwrUOdgijdt/
TLSH: T19F257C367750CF95D374C2300AF3872157E211921BD245AB6278D72CBA512ACBE6FEE8
telfhash: t1fef0a6a04a7d40800d62ec009c5211ff5eebe6aa1e81f945fb8addc52c6e01dfb43e4b
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence

File Origin
# of uploads: 1
# of downloads: 97
Origin country: DE
Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sets a written file as executable
Creating a file
Creates directories in a subdirectory of a temporary directory
Creates directories

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bash gcc lolbin remote

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: mips
Packer: not packed
Botnet: unknown
Number of open files: 9
Number of processes launched: 4
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
Persistence

Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 68 / 100

Signature
Drops files in suspicious directories
Drops invisible ELF files
Malicious sample detected (through community Yara rule)
Sample tries to persist itself using .desktop files
Writes ELF files to hidden directories
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph: ID 1695288, sample mips.elf, start date 20/05/2025, architecture LINUX, score 68 (graph rendering not reproduced here)
Threat name: Linux.Trojan.SAgnt
Status: Malicious
First seen: 2025-05-20 17:24:05 UTC
File Type: ELF32 Big (Exe)
AV detection: 14 of 37 (37.84%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery execution persistence privilege_escalation

Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to shm directory
Writes file to tmp directory
Creates .desktop file
Modifies Bash startup script
Creates/modifies environment variables
Write file to user bin folder
Writes file to system bin folder
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: F01_s1ckrule
Author: s1ckb017

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: malwareelf55503

Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Mirai
File: elf d3b6cc40167847e5aaaaec0b41d39fca5f2e4edd6a44cfe5e3c97b2ac731dfd2 (this sample)

Delivery method: Distributed via web download
