MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4a9539b3cb72cd718ff7fd59dfaa12a3d5dd275e8534997f6731a25ece739a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 11



SHA256 hash: d4a9539b3cb72cd718ff7fd59dfaa12a3d5dd275e8534997f6731a25ece739a0
SHA3-384 hash: ff06b394c309b8c9ff23942792562d3b65bd2034ef027cdf7e6d2d73750ba67df99ed95709a9a4dd2c34be1ba6021b9b
SHA1 hash: a3c9d9851a73873504001bc177569f5834c7b3c5
MD5 hash: beb366272b62f999ed74111fb482e674
humanhash: sierra-october-ohio-cola
File name: i686
Signature: Mirai
File size: 1'409'940 bytes
First seen: 2025-05-17 11:29:37 UTC
Last seen: 2025-05-17 15:31:17 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 24576:C1YhrdhlPYpsglsMGpw7RIq79WIvmKSWYGUozezMAR05Tke:OYhrdhlgH2KwyoVHMi05
TLSH: T11465BFC8EF87D6E3E2620172055FC7A20231A9176443AEA7FE84B5297CB37617E4721D
telfhash: t1e6e072f20ab880005887e8402cc100bd3eaee8011fcbfc55ee09d8c16c7149eab03d8b
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence


File Origin
# of uploads: 2
# of downloads: 90
Origin country: DE
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a process from a recently created file
Runs as daemon
Connection attempt
Sets a written file as executable
Creating a file
Writes files to system directory

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: gcc lolbin remote

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 1
Number of processes launched: 2
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour: no suspicious findings
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 56 / 100
Signature:
Drops files in suspicious directories
Malicious sample detected (through community Yara rule)
Writes identical ELF files to multiple locations
Behaviour:
Behavior Graph: ID 1692838, sample i686.elf, start date 17/05/2025, architecture LINUX, score 56 (graph image)
Result
Threat name: Linux.Trojan.Siggen
Status: Malicious
First seen: 2025-05-17 11:30:41 UTC
File Type: ELF32 Little (Exe)
AV detection: 11 of 24 (45.83%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: linux persistence
Behaviour:
Write file to user bin folder
Writes file to system bin folder
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: F01_s1ckrule
Author: s1ckb017

Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/

Rule name: Linux_Trojan_Tsunami_c94eec37
Author: Elastic Security

Rule name: malwareelf55503

Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mirai
File type: elf
SHA256: d4a9539b3cb72cd718ff7fd59dfaa12a3d5dd275e8534997f6731a25ece739a0 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_PIE
Title: Missing Position-Independent Executable (PIE) Protection
Severity: high

Comments