MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d90c812ba0ffae9ebb0c2a9c0103e0f9796e85ce68ab8489518dadb0b19e103c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

SHA256 hash: d90c812ba0ffae9ebb0c2a9c0103e0f9796e85ce68ab8489518dadb0b19e103c
SHA3-384 hash: 5fc5e00d17b6eb25c4902e8ccde09d164461dd4d0432b5aaebd612f977b5bdd82ccbe197190ee632a7964f52a4d8bf2b
SHA1 hash: 8527b857c50402ecf74a2677c82d04758e3de75a
MD5 hash: d5b20d04ffdcc04e7e7201e03b616017
humanhash: bacon-bravo-montana-seven
File name: d5b20d04ffdcc04e7e7201e03b616017
Download: download sample
Signature: Mirai
File size: 118'028 bytes
First seen: 2024-04-08 00:17:59 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 1536:cpQMSk9bDrv9fmL9VyoS0+vT3IVMNitVWgymCvwC2CYXhFY5js/Q907xLv:D0b8rD+vTYS6AXmC4C2CAo9IF
TLSH: T109B349C1F68BC0FAE81348B64027F33FD632D5255039D69BDF999E36DA236925B0621C
telfhash: t1fe5108f56e7e1ce4b7d49802c14e7f21ad2ee77b1460329245f3d9353297e4281aac39
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter: zbetcheckin
Tags: 32 elf intel mirai

Intelligence

File Origin
# of uploads: 1
# of downloads: 98
Origin country: FR

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Receives data from a server
Runs as daemon
Kills processes
DNS request
Opens a port
Sends data to a server
Connection attempt
Substitutes an application name
Kills critical processes
Traces processes
Deleting of the original file

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug lolbin php remote

Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: spre.troj.evad
Score: 96 / 100

Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Uses known network protocols on non-standard ports
Yara detected Mirai
Behaviour
Behavior Graph: ID 1421924, sample 3mDY8NDLI8.elf, start date 08/04/2024, architecture LINUX, score 96 (graph rendering not reproduced here)

Threat name: Linux.Trojan.Mirai
Status: Malicious
First seen: 2024-04-08 00:18:11 UTC
File Type: ELF32 Little (Exe)
AV detection: 17 of 23 (73.91%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: discovery linux

Behaviour
Reads runtime system information
Enumerates running processes
Changes its process name
Deletes itself
Traces itself
Unexpected DNS network traffic destination
Contacts a large (36858) amount of remote hosts
Creates a large amount of network flows

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: Linux_Trojan_Mirai_0cb1699c
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_268aac0b
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_2e3f67a9
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_88de437f
Author: Elastic Security

Rule name: Linux_Trojan_Mirai_cc93863b
Author: Elastic Security

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Mirai, elf d90c812ba0ffae9ebb0c2a9c0103e0f9796e85ce68ab8489518dadb0b19e103c (this sample)
Delivery method: Distributed via web download

Comments
zbet commented on 2024-04-08 00:18:00 UTC

url : hxxp://79.110.62.86/i686_1