MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc1ae6bd7479988304e363f7aac58204577b47bf4140676d9a4524ef16a18932. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc1ae6bd7479988304e363f7aac58204577b47bf4140676d9a4524ef16a18932
SHA3-384 hash: 33c8c880916955ff7510bd7a6ce70e6721e58e8e4cbf36938c9e944561d933cb576bb2f3215b2225a701ff36a10c7ca2
SHA1 hash: b09517a3419c4caabef98c9eef5b0e83e438af4f
MD5 hash: 98e684e57fccda6c85ef49abf6e8fd3b
humanhash: minnesota-nevada-three-blue
File name:boatnet.arm
Download: download sample
Signature Mirai
Create hunting rule
File size:76'848 bytes
First seen:2025-10-01 23:20:20 UTC
Last seen:2025-10-05 11:22:03 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:pQLdBsk/7wBtJY1tSdgFVg0EIgP4nhPF7iS3TDuYmIahWl6sa2C055xZTq35ft0k:pQTgdWMxPgPF3eYmThKFh5E3b
TLSH T14C731842B8C19A27C6E423BBFA6E41CD332563E8D2DF32079D216F5476CA81F0D67691
telfhash t112b012260b220b5d329d86c3907c57349f40f36d57cb35e340102ac8b0ce0e6b03e903
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.29524.LC.UNOFFICIAL
Create hunting rule

Unix.Dropper.Mirai-7135890-0
Create hunting rule

Unix.Dropper.Mirai-7135939-0
Create hunting rule

Unix.Dropper.Mirai-7136025-0
Create hunting rule

Unix.Dropper.Mirai-7355719-0
Create hunting rule

Unix.Dropper.Mirai-9977145-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade mirai obfuscated obfuscated rust
Link:
https://www.filescan.io/uploads/68ddb74c74e5a289899d2592/reports/89eb53f1-1d08-4cd1-abbb-146cf63a12bb/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
arm
Packer:
not packed
Botnet:
213.209.143.62
Number of open files:
33
Number of processes launched:
9
Processes remaning?
true
Remote TCP ports scanned:
8080,80,37215,2323,23
Full report:
https://elfdigest.com/brief/dc1ae6bd7479988304e363f7aac58204577b47bf4140676d9a4524ef16a18932
Behaviour
Process Renaming
Information Gathering
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-10-01T18:23:00Z UTC
Last seen:
2025-10-02T22:27:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/dc1ae6bd7479988304e363f7aac58204577b47bf4140676d9a4524ef16a18932/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/2f30233d-590f-4c64-849f-03d221170b97
Behavior Graph:
Download SVG
%3 guuid=b0d71469-1900-0000-2dff-30e75d140000 pid=5213 /usr/bin/sudo guuid=64ed7f6c-1900-0000-2dff-30e75e140000 pid=5214 /tmp/sample.bin guuid=b0d71469-1900-0000-2dff-30e75d140000 pid=5213->guuid=64ed7f6c-1900-0000-2dff-30e75e140000 pid=5214 execve
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e73657f6-82d6-483e-ac62-d3598bfec537
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1787774
Signature
Antivirus / Scanner detection for submitted sample
Detected Mirai
Multi AV Scanner detection for submitted file
Sample tries to kill multiple processes (SIGKILL)
Suricata IDS alerts for network traffic
Uses known network protocols on non-standard ports
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1787774 Sample: boatnet.arm.elf Startdate: 02/10/2025 Architecture: LINUX Score: 88 32 123.201.90.39 YOU-INDIA-APYOUBroadbandCableIndiaLtdIN India 2->32 34 67.154.95.190 XO-AS15US United States 2->34 36 98 other IPs or domains 2->36 40 Suricata IDS alerts for network traffic 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 Detected Mirai 2->44 46 3 other signatures 2->46 8 boatnet.arm.elf 2->8         started        10 dash rm 2->10         started        12 dash rm 2->12         started        14 python3.8 dpkg 2->14         started        signatures3 process4 process5 16 boatnet.arm.elf 8->16         started        18 boatnet.arm.elf 8->18         started        21 boatnet.arm.elf 8->21         started        signatures6 23 boatnet.arm.elf 16->23         started        26 boatnet.arm.elf 16->26         started        28 boatnet.arm.elf 16->28         started        30 3 other processes 16->30 38 Sample tries to kill multiple processes (SIGKILL) 18->38 process7 signatures8 48 Sample tries to kill multiple processes (SIGKILL) 23->48
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/dc1ae6bd7479988304e363f7aac58204577b47bf4140676d9a4524ef16a18932
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc1ae6bd7479988304e363f7aac58204577b47bf4140676d9a4524ef16a18932/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-10-01 23:21:29 UTC
File Type:
ELF32 Little (Exe)
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3qnonplupgmigbhdmp32vrmcarlxwr57ifago3m2iuso6fvbreza._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:echobot family:mirai
Link:
https://tria.ge/reports/251001-3bqmwattgt/
Verdict:
Malicious
Tags:
botnet mirai Unix.Dropper.Mirai-7135890-0
YARA:
MAL_ELF_LNX_Mirai_Oct10_1
Link:
https://app.threat.zone/submission/1dbf63db-ba2c-4e60-b2d9-f2a39a57de70
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dc1ae6bd7479988304e363f7aac58204577b47bf4140676d9a4524ef16a18932

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CVE_2017_17215
Create hunting rule
Author:NDA0E
Description:Detects exploitation attempt of CVE-2017-17215
Rule name:ELF_Mirai
Create hunting rule
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Generic_Threat_d94e1020
Create hunting rule
Author:Elastic Security
Rule name:MAL_ELF_LNX_Mirai_Oct10_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects ELF Mirai variant
Reference:Internal Research
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh ad59ecaaabfac1ac91c471b2d3092427308fb4cf58dabf0a179ec65818606f65

Mirai

elf dc1ae6bd7479988304e363f7aac58204577b47bf4140676d9a4524ef16a18932

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3636639/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3639124/
  
URLhaus
https://urlhaus.abuse.ch/url/3639125/
  
URLhaus
https://urlhaus.abuse.ch/url/3639131/
  
Dropped by
SHA256 ad59ecaaabfac1ac91c471b2d3092427308fb4cf58dabf0a179ec65818606f65
  
Dropped by
MD5 4727ef0c7c0c3a6bdc28585d644565e1
  
Dropped by
SHA256 27a4c754dcfb71794aa9cbbfbd97dac743d057eb8712e27be2c7bb24faa50d5d
  
Dropped by
MD5 94cf973e9af4a8de0f63db47d253bf6a
  
Dropped by
SHA256 2162b3f2b397156eec57419a9f6aff25ac70cd59103158a3d7dd1c9122abecc2
  
Dropped by
MD5 d76095caf1ca5368e0666288c1474c9d
  
Dropped by
SHA256 378f251d42ddd94f681c53f79cbf1a2297529859c7d957956326eaabe4c1c541
  
Dropped by
MD5 2a0bf730e281d6f984827b9b4dc19d45
  
URLhaus
https://urlhaus.abuse.ch/url/3636148/
  
URLhaus
https://urlhaus.abuse.ch/url/3639142/
  
URLhaus
https://urlhaus.abuse.ch/url/3639156/
  
URLhaus
https://urlhaus.abuse.ch/url/3639146/
  
URLhaus
https://urlhaus.abuse.ch/url/3639150/
  
URLhaus
https://urlhaus.abuse.ch/url/3639175/
  
URLhaus
https://urlhaus.abuse.ch/url/3639183/
  
URLhaus
https://urlhaus.abuse.ch/url/3639209/
  
URLhaus
https://urlhaus.abuse.ch/url/3639181/
  
URLhaus
https://urlhaus.abuse.ch/url/3639201/
  
URLhaus
https://urlhaus.abuse.ch/url/3639212/
  
URLhaus
https://urlhaus.abuse.ch/url/3639180/
  
URLhaus
https://urlhaus.abuse.ch/url/3639221/
  
Dropped by
SHA256 edd62c3f566e7e0243cd792670103c43811f117d8d82fcc728550ebebb81393f
  
Dropped by
MD5 f42d5fc3566dde0c688c2faaadd94509
  
Dropped by
SHA256 f177c657cd21d6b87f24cb42bb27b4bad67f85a55f75adabcc33c19804b90080
  
Dropped by
MD5 d0c4a8091c3fd4b38b0a9efa9eb04e74
  
Dropped by
SHA256 610bae0a6f718b481455e6a3ba8667dfac2a463a24d6ba669831630fe323b38f
  
Dropped by
MD5 6b9044c79b8dff92c4bf11fa5c69bba2
  
URLhaus
https://urlhaus.abuse.ch/url/3639134/
  
URLhaus
https://urlhaus.abuse.ch/url/3639178/
  
URLhaus
https://urlhaus.abuse.ch/url/3639148/
  
URLhaus
https://urlhaus.abuse.ch/url/3639154/
  
URLhaus
https://urlhaus.abuse.ch/url/3639155/
  
URLhaus
https://urlhaus.abuse.ch/url/3639187/
  
URLhaus
https://urlhaus.abuse.ch/url/3639213/
  
URLhaus
https://urlhaus.abuse.ch/url/3639159/
  
URLhaus
https://urlhaus.abuse.ch/url/3639174/
  
URLhaus
https://urlhaus.abuse.ch/url/3639210/
  
Dropped by
SHA256 65a65aa06f0d021653e07cb74f71be828008cd07eb489a8c2d08378de4f1f47a
  
Dropped by
MD5 09e469465ad0cfefc3fc72836ac6e7c4
  
Dropped by
SHA256 b44c5ad633c0776d18960ce7161611b3936856a15cf131f26608aa564c511c66
  
Dropped by
MD5 af3376cf68a23cfed8005c41ffb49e09
  
Dropped by
SHA256 82520882c22e2b0143bcd35e9f0ecb21d0d626491b68b980b988997bd70eae2f
  
Dropped by
MD5 24132b42556cd86765c9c51a62e5c1c3
  
URLhaus
https://urlhaus.abuse.ch/url/3639157/
  
URLhaus
https://urlhaus.abuse.ch/url/3639160/
  
URLhaus
https://urlhaus.abuse.ch/url/3639205/
  
URLhaus
https://urlhaus.abuse.ch/url/3639164/
  
URLhaus
https://urlhaus.abuse.ch/url/3639217/
  
URLhaus
https://urlhaus.abuse.ch/url/3639224/
  
URLhaus
https://urlhaus.abuse.ch/url/3639176/
  
URLhaus
https://urlhaus.abuse.ch/url/3639203/
  
URLhaus
https://urlhaus.abuse.ch/url/3639225/
  
Dropped by
SHA256 156cdff2828d81547c4ca3d272c401bea55f3d7a8edb72947f7e2f7077bd94e5
  
Dropped by
MD5 08ffa766f766eaee33dd922d147fd385

Comments