MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7b5d0f754163b8b27c8a649a38938c6efeed0f6b52cf938b76c3a9bbbd8bb2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7b5d0f754163b8b27c8a649a38938c6efeed0f6b52cf938b76c3a9bbbd8bb2e
SHA3-384 hash: f2389f98214e54f4053759106cdf3ff9cc298c68865f67421caa8f9200db0ff195023cacedf0ffad5d767c768cb0850b
SHA1 hash: ced1c0cdcc7ebe4ebb5d861351ed6dabb17ba61b
MD5 hash: 91e64c4094cb45be5d9af152e743af12
humanhash: quiet-steak-magazine-mirror
File name:morte.mpsl
Download: download sample
Signature Mirai
Create hunting rule
File size:43'168 bytes
First seen:2025-08-23 14:22:03 UTC
Last seen:2025-08-23 22:01:39 UTC
File type: elf
MIME type:application/x-executable
ssdeep 768:XMxUnyiw0DDJLv/MTMLKtoBP/T5sz84KHBD4Jj8GHe4BNXbTIIjmeoXCWt:8Cv/ZGF0P/T5sgFvGXNrbmeoX9
TLSH T19513F1ADE3285B81CACE1C7D60F921E2AB11F7D635ED116C43114EDD97A92870F5E630
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai UPX
File size (compressed) :43'168 bytes
File size (de-compressed) :113'980 bytes
Format:linux/mipsel
Unpacked file: 5f9ec2967cc4f21ae41e5050d5b4a79c29e50059c34da1204b74322580a0785e

Intelligence

File Origin
# of uploads :
2
# of downloads :
58
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sends data to a server
Receives data from a server
Runs as daemon
Opens a port
Kills processes
Deletes a file
Connection attempt
Substitutes an application name
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
packed threat upx
Link:
https://www.filescan.io/uploads/68a9ceb34a87ed7967691560/reports/4e487ab2-9a9f-40bb-bc66-0d9da1f9fe23/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
mips
Packer:
UPX
Botnet:
unknown
Number of open files:
7
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/d7b5d0f754163b8b27c8a649a38938c6efeed0f6b52cf938b76c3a9bbbd8bb2e
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-08-23T01:05:00Z UTC
Last seen:
2025-08-23T01:05:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/d7b5d0f754163b8b27c8a649a38938c6efeed0f6b52cf938b76c3a9bbbd8bb2e/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/df1cd853-f306-4556-a741-5041fa1b1ddd
Behavior Graph:
Download SVG
%3 guuid=dc50d60a-1b00-0000-59ed-1d57290c0000 pid=3113 /usr/bin/sudo guuid=7754ff0c-1b00-0000-59ed-1d572b0c0000 pid=3115 /tmp/sample.bin guuid=dc50d60a-1b00-0000-59ed-1d57290c0000 pid=3113->guuid=7754ff0c-1b00-0000-59ed-1d572b0c0000 pid=3115 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2664c2b1-2ebb-493f-afa7-906b35aa5694
Result
Threat name:
Mirai, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1763616
Signature
Antivirus / Scanner detection for submitted sample
Found strings related to Crypto-Mining
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sends malformed DNS queries
Yara detected Mirai
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1763616 Sample: morte.mpsl.elf Startdate: 23/08/2025 Architecture: LINUX Score: 84 19 bbos.p-e.kr. [malformed] 2->19 21 169.254.169.254, 80 USDOSUS Reserved 2->21 23 2 other IPs or domains 2->23 25 Antivirus / Scanner detection for submitted sample 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected Mirai 2->29 33 2 other signatures 2->33 8 morte.mpsl.elf 2->8         started        11 python3.8 dpkg 2->11         started        signatures3 31 Sends malformed DNS queries 19->31 process4 signatures5 35 Found strings related to Crypto-Mining 8->35 13 morte.mpsl.elf 8->13         started        15 morte.mpsl.elf 8->15         started        process6 process7 17 morte.mpsl.elf 13->17         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/d7b5d0f754163b8b27c8a649a38938c6efeed0f6b52cf938b76c3a9bbbd8bb2e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7b5d0f754163b8b27c8a649a38938c6efeed0f6b52cf938b76c3a9bbbd8bb2e/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/d7b5d0f754163b8b27c8a649a38938c6efeed0f6b52cf938b76c3a9bbbd8bb2e
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-08-23 03:42:42 UTC
File Type:
ELF32 Little (Exe)
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2625b52ucy5ywj6iuze2hcjyy3x65uhwwuwpsofxnq5jxo6yxmxa._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet credential_access defense_evasion discovery upx
Link:
https://tria.ge/reports/250823-rpv9qsel3t/
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
Reads process memory
Enumerates active TCP sockets
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Mirai
Mirai family
Malware Config
C2 Extraction:
bbos.p-e.kr
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/87966d06-194d-44ed-b73d-4d95c36e58b4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d7b5d0f754163b8b27c8a649a38938c6efeed0f6b52cf938b76c3a9bbbd8bb2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:SUSP_ELF_LNX_UPX_Compressed_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious ELF binary with UPX compression
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upx_packed_elf_v1
Create hunting rule
Author:RandomMalware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf d7b5d0f754163b8b27c8a649a38938c6efeed0f6b52cf938b76c3a9bbbd8bb2e

(this sample)

Mirai

elf 5f9ec2967cc4f21ae41e5050d5b4a79c29e50059c34da1204b74322580a0785e

  
URLhaus
https://urlhaus.abuse.ch/url/3609793/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 5f9ec2967cc4f21ae41e5050d5b4a79c29e50059c34da1204b74322580a0785e
  
Dropping
MD5 c17b3fa1c4e2b95b5260c5f51c7781a5

Comments