MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d43fbf7577e3c3cddd61bf545d63fa164f9337fc239b4c6f3c11010158febb4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d43fbf7577e3c3cddd61bf545d63fa164f9337fc239b4c6f3c11010158febb4d
SHA3-384 hash: dec3a1acb92785d80c38ecc5edeaf1b5264c52b0152d061e0e619213bc0645a18390877ce579e0ca33fee9b602246c7f
SHA1 hash: 3b2a4bad9a34259525d41ec40da0ee43be2ebbd3
MD5 hash: 6eae27ecf1e2d9153b6f1552ab3fc8a3
humanhash: robin-maryland-mirror-louisiana
File name:mips
Download: download sample
Signature Mirai
Create hunting rule
File size:97'192 bytes
First seen:2024-12-23 05:41:17 UTC
Last seen:2025-02-17 00:22:07 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:vZhWFpwfTLb8okPawk+kUfVwuJHr9yGNznSJKZ0QJXTMRFu:vffbzlwk+kUfiuJL9yGtSJKZDXTuk
TLSH T12E93B51E7E158F6CF7AD86350BB38E21938937D737E1D685D16CEA001E6028E245FB68
telfhash t1ff11401c893c13f0d7b21d9c6bedff76e56170eb49225e338d00e95d9a1da469900c2c
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
6
# of downloads :
116
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Mirai.8670.20301.4522.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6768f82c8a4d48ee35fe5b6blinux22vpnfull_triage
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Runs as daemon
Connection attempt
Receives data from a server
Opens a port
DNS request
Sends data to a server
Kills processes
Substitutes an application name
Deleting of the original file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug
Link:
https://www.filescan.io/uploads/6768f82f8c28697d3122d833/reports/32d3b562-0fbc-458d-8543-ed8a8c35bd3e/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
true
Architecture:
mips
Packer:
not packed
Botnet:
unknown
Number of open files:
88
Number of processes launched:
75
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/d43fbf7577e3c3cddd61bf545d63fa164f9337fc239b4c6f3c11010158febb4d
Behaviour
Anti-VM
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
type: 172.217.192.127:3478
Result
Verdict:
UNKNOWN
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d53c575a-2e37-4f01-a1c3-b7c94f7819ab
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1579625
Signature
Connects to many ports of the same IP (likely port scanning)
Multi AV Scanner detection for submitted file
Opens /sys/class/net/* files useful for querying network interface information
Performs DNS TXT record lookups
Sample deletes itself
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579625 Sample: mips.elf Startdate: 23/12/2024 Architecture: LINUX Score: 64 20 iranistrash.libre 2->20 22 5.231.4.240, 34567, 54482 ASGHOSTNETDE Germany 2->22 24 5 other IPs or domains 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Connects to many ports of the same IP (likely port scanning) 2->28 8 dash rm mips.elf 2->8         started        11 dash rm 2->11         started        signatures3 30 Performs DNS TXT record lookups 20->30 process4 signatures5 32 Sample deletes itself 8->32 13 mips.elf 8->13         started        process6 signatures7 34 Opens /sys/class/net/* files useful for querying network interface information 13->34 16 mips.elf 13->16         started        18 mips.elf 13->18         started        process8
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/d43fbf7577e3c3cddd61bf545d63fa164f9337fc239b4c6f3c11010158febb4d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d43fbf7577e3c3cddd61bf545d63fa164f9337fc239b4c6f3c11010158febb4d/
Threat name:
Linux.Trojan.Mirai
Create hunting rule
Status:
Malicious
First seen:
2024-12-23 05:42:04 UTC
File Type:
ELF32 Big (Exe)
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2q7365lx4pb43xlbx5kf2y72czhzgn74eonuy3z4ceaqcwh6xngq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery evasion
Link:
https://tria.ge/reports/241223-gd1d7swpgy/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Reads system network configuration
Reads MAC address of network interface
Reads network interface configuration
Deletes itself
Unexpected DNS network traffic destination
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/544a3d1d-f87a-4a9e-a3c7-c2737a1ae5ea
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mirai
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/d43fbf7577e3c3cddd61bf545d63fa164f9337fc239b4c6f3c11010158febb4d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh f0e839ee9f42b6649606e594ccceb9b3b4df3b5302301b4fa4641000de0685ff

Mirai

elf d43fbf7577e3c3cddd61bf545d63fa164f9337fc239b4c6f3c11010158febb4d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3350357/
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 f0e839ee9f42b6649606e594ccceb9b3b4df3b5302301b4fa4641000de0685ff
  
Dropped by
MD5 62da7a0ca52eb27e21567f7801ce0e46
  
Dropped by
SHA256 cbe7eb00b454a9ed7cd70707ed863887016ec3aae4e039acd6fbefab0df4226d
  
Dropped by
MD5 02054f55fe9cd31fb9aaff90748ecb60
  
Dropped by
SHA256 dae05bc736a75b557c391f61e4ce653a0a788ee5d7bc7c2670e0d43009498830
  
Dropped by
MD5 a3e69cfe72543effb994bd1b6803e8d2
  
Dropped by
SHA256 8d3a3fff55ebc2c5fd1cfd41d3b824779788c1604804160197da086e28e526de
  
Dropped by
MD5 e5af93ea3215bc131408799f2f499857
  
Dropped by
SHA256 7c217b907fe6e13c1a92e916a4787301876f120af500296c1ddb31156a74c08d
  
Dropped by
MD5 89ccf158390c5732f35df422a58a19a6
  
Dropped by
SHA256 bb74ee67d5802e6af227fecca797bb9ad3236144137a821505c784f472f245be
  
Dropped by
MD5 636e143e959d495806e8cf9a5bb733ae
  
Dropped by
SHA256 af9451401ca7b672e6a4189615a4f62dd700a77902f43699ceee5fb244e23569
  
Dropped by
MD5 a621413d33d014d6bcb9ed9c6916370f
  
Dropped by
SHA256 8824c9efb460160d0cad87d117efdf79a31c39a12cf6ec0018136aef9332a6cd
  
Dropped by
MD5 0640c0a5c19463d667880df8c8c00fdb
  
Dropped by
SHA256 f8c2237e66078a6b3004fa1c07afcb0a9b3c632da49e894e5063de47449f652e
  
Dropped by
MD5 6755837f45540a3b4f51211ebf4b12ca
  
Dropped by
SHA256 5bc44c8a78da90b1bba46651deb79cdf8ccff8d2754dfe00a0800756aa02fbe9
  
Dropped by
MD5 7fd45b29be92b522744f20e200ee5d81
  
Dropped by
SHA256 bfb6514dba65e9a1113e45a17bd2d787542e48cf8e0ed64e8c2967bec91e10a4
  
Dropped by
MD5 cf82349be195d598d364f7d9cd7748a2

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments