MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd0d14fe2b9ea4497fd457b625e98d90aec2728fa82e15a0ab7fcb5b0f2183f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd0d14fe2b9ea4497fd457b625e98d90aec2728fa82e15a0ab7fcb5b0f2183f9
SHA3-384 hash: dc8dd95b0b683d18b73a65c78a4e7f4470978725c14338556bb4fb4a1ffe13dcdf0cb656defc2c26d825e603ff913485
SHA1 hash: ca390b4508dacd166b50b3bfacc5e3157f1e33a0
MD5 hash: d44ddbb8da2cf2e2f8c1935fa37ae353
humanhash: illinois-nine-ohio-bacon
File name:kb
Download: download sample
Signature Mirai
Create hunting rule
File size:112'940 bytes
First seen:2025-10-04 12:57:10 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:1lMudgyGiPAopVtZpL2+HPfyt7Zxd/WLoC2yduSGFp5bcE:7HgviP9JLdHXAZxBkom3moE
TLSH T18DB35BC4F683C0B7EC1215B51037E3369B33EC39502AEA93D369EA36EC56661D61A35C
telfhash t11851fafa5d7e0ce877d4a841d20e7f21ad1ae77b246036a245b3d930339bd914175c39
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
40
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.30460.LC.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Siggen.9999-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Receives data from a server
Runs as daemon
Opens a port
Launching a process
Sends data to a server
Connection attempt
Substitutes an application name
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
lolbin remote
Link:
https://www.filescan.io/uploads/68e11a20d4a0085473c026ea/reports/a1ce094b-9f9c-408c-b71a-3587fe2edf6d/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
1
Number of processes launched:
3
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/dd0d14fe2b9ea4497fd457b625e98d90aec2728fa82e15a0ab7fcb5b0f2183f9
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-10-04T10:18:00Z UTC
Last seen:
2025-10-04T15:50:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/dd0d14fe2b9ea4497fd457b625e98d90aec2728fa82e15a0ab7fcb5b0f2183f9/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/04d280b5-8e72-44e6-96d0-2d6f85d3c354
Behavior Graph:
Download SVG
%3 guuid=1839c78c-1a00-0000-d24b-1587040e0000 pid=3588 /usr/bin/sudo guuid=2c099d8e-1a00-0000-d24b-1587090e0000 pid=3593 /tmp/sample.bin net guuid=1839c78c-1a00-0000-d24b-1587040e0000 pid=3588->guuid=2c099d8e-1a00-0000-d24b-1587090e0000 pid=3593 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=2c099d8e-1a00-0000-d24b-1587090e0000 pid=3593->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=95fdf28e-1a00-0000-d24b-15870a0e0000 pid=3594 /tmp/sample.bin net send-data zombie guuid=2c099d8e-1a00-0000-d24b-1587090e0000 pid=3593->guuid=95fdf28e-1a00-0000-d24b-15870a0e0000 pid=3594 clone 8e632d57-7de0-574f-8cc2-742f7016c27c 94.16.114.254:53 guuid=95fdf28e-1a00-0000-d24b-15870a0e0000 pid=3594->8e632d57-7de0-574f-8cc2-742f7016c27c send: 170B 5a1eed8a-85fe-5cc9-b13b-21dc70289ae4 0.0.0.0:0 guuid=95fdf28e-1a00-0000-d24b-15870a0e0000 pid=3594->5a1eed8a-85fe-5cc9-b13b-21dc70289ae4 con 1953617f-bd2b-56a9-9ede-0bea1c944f64 178.254.22.166:53 guuid=95fdf28e-1a00-0000-d24b-15870a0e0000 pid=3594->1953617f-bd2b-56a9-9ede-0bea1c944f64 send: 340B 3b60cfb2-6ce4-568a-bb03-bf9c526c5851 51.254.162.59:53 guuid=95fdf28e-1a00-0000-d24b-15870a0e0000 pid=3594->3b60cfb2-6ce4-568a-bb03-bf9c526c5851 send: 170B guuid=62376c93-1a00-0000-d24b-1587120e0000 pid=3602 /tmp/sample.bin guuid=95fdf28e-1a00-0000-d24b-15870a0e0000 pid=3594->guuid=62376c93-1a00-0000-d24b-1587120e0000 pid=3602 clone guuid=19f37893-1a00-0000-d24b-1587130e0000 pid=3603 /usr/bin/dash guuid=62376c93-1a00-0000-d24b-1587120e0000 pid=3602->guuid=19f37893-1a00-0000-d24b-1587130e0000 pid=3603 execve guuid=d659a7a0-1a00-0000-d24b-15873d0e0000 pid=3645 /usr/bin/dash guuid=62376c93-1a00-0000-d24b-1587120e0000 pid=3602->guuid=d659a7a0-1a00-0000-d24b-15873d0e0000 pid=3645 execve guuid=e3f116a1-1a00-0000-d24b-1587400e0000 pid=3648 /usr/bin/dash guuid=62376c93-1a00-0000-d24b-1587120e0000 pid=3602->guuid=e3f116a1-1a00-0000-d24b-1587400e0000 pid=3648 execve guuid=4ed365a1-1a00-0000-d24b-1587430e0000 pid=3651 /usr/bin/dash guuid=62376c93-1a00-0000-d24b-1587120e0000 pid=3602->guuid=4ed365a1-1a00-0000-d24b-1587430e0000 pid=3651 execve guuid=8468aba1-1a00-0000-d24b-1587460e0000 pid=3654 /usr/bin/dash guuid=62376c93-1a00-0000-d24b-1587120e0000 pid=3602->guuid=8468aba1-1a00-0000-d24b-1587460e0000 pid=3654 execve guuid=cffbc593-1a00-0000-d24b-1587150e0000 pid=3605 /usr/sbin/xtables-nft-multi guuid=19f37893-1a00-0000-d24b-1587130e0000 pid=3603->guuid=cffbc593-1a00-0000-d24b-1587150e0000 pid=3605 execve guuid=be24d8a0-1a00-0000-d24b-15873f0e0000 pid=3647 /usr/bin/busybox guuid=d659a7a0-1a00-0000-d24b-15873d0e0000 pid=3645->guuid=be24d8a0-1a00-0000-d24b-15873f0e0000 pid=3647 execve guuid=ee5a4fa1-1a00-0000-d24b-1587420e0000 pid=3650 /usr/bin/dash guuid=e3f116a1-1a00-0000-d24b-1587400e0000 pid=3648->guuid=ee5a4fa1-1a00-0000-d24b-1587420e0000 pid=3650 clone guuid=a9c18ea1-1a00-0000-d24b-1587450e0000 pid=3653 /usr/bin/dash guuid=4ed365a1-1a00-0000-d24b-1587430e0000 pid=3651->guuid=a9c18ea1-1a00-0000-d24b-1587450e0000 pid=3653 clone guuid=223ceaa1-1a00-0000-d24b-1587470e0000 pid=3655 /usr/bin/busybox guuid=8468aba1-1a00-0000-d24b-1587460e0000 pid=3654->guuid=223ceaa1-1a00-0000-d24b-1587470e0000 pid=3655 execve
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d4f27ba-e887-475f-860d-a7cdd307581b
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1789182
Signature
Executes the "iptables" command to insert, remove and/or manipulate rules
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1789182 Sample: kb.elf Startdate: 04/10/2025 Architecture: LINUX Score: 60 35 loadingboats.dyn 23.177.185.57, 52508, 5667 PROVIDENCE-MB-CA-01CA Reserved 2->35 37 188.166.240.30, 2222 DIGITALOCEAN-ASNUS Netherlands 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 10 kb.elf 2->10         started        signatures3 process4 process5 12 kb.elf 10->12         started        process6 14 kb.elf 12->14         started        process7 16 kb.elf sh 14->16         started        18 kb.elf sh 14->18         started        20 kb.elf sh 14->20         started        22 2 other processes 14->22 process8 24 sh iptables 16->24         started        27 sh busybox 18->27         started        29 sh busybox 20->29         started        31 sh 22->31         started        33 sh 22->33         started        signatures9 43 Executes the "iptables" command to insert, remove and/or manipulate rules 24->43
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/dd0d14fe2b9ea4497fd457b625e98d90aec2728fa82e15a0ab7fcb5b0f2183f9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd0d14fe2b9ea4497fd457b625e98d90aec2728fa82e15a0ab7fcb5b0f2183f9/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-10-04 13:44:39 UTC
File Type:
ELF32 Little (Exe)
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ugrj7rlt2ses76uk63cl2mnscxme4upvaxbliflp7fvwdzbqp4q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery linux
Link:
https://tria.ge/reports/251004-p7wl4sxms6/
Behaviour
Changes its process name
Reads system network configuration
Enumerates active TCP sockets
Unexpected DNS network traffic destination
Verdict:
Unknown
Tags:
trojan gafgyt mirai
YARA:
Linux_Trojan_Gafgyt_5bf62ce4 Linux_Trojan_Mirai_b14f4c5d Linux_Trojan_Mirai_5f7b67b8 Linux_Trojan_Mirai_88de437f Linux_Trojan_Mirai_ae9d0fa6 Linux_Trojan_Mirai_389ee3e9 Linux_Trojan_Mirai_cc93863b Linux_Trojan_Mirai_8aa7b5d3
Link:
https://app.threat.zone/submission/523a8fc1-8b70-4af3-97c3-ec0e77d2c236
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/dd0d14fe2b9ea4497fd457b625e98d90aec2728fa82e15a0ab7fcb5b0f2183f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Linux_Trojan_Gafgyt_5bf62ce4
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_389ee3e9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_5f7b67b8
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_88de437f
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_8aa7b5d3
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_ae9d0fa6
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_b14f4c5d
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_cc93863b
Create hunting rule
Author:Elastic Security
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf dd0d14fe2b9ea4497fd457b625e98d90aec2728fa82e15a0ab7fcb5b0f2183f9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3656324/
  
Delivery method
Distributed via web download

Comments