MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1b04b11dafa1f91bb91e8d76ce694861746265d55c62ffd54d51dfca4595f2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	e1b04b11dafa1f91bb91e8d76ce694861746265d55c62ffd54d51dfca4595f2b
SHA3-384 hash:	35526a49d60269832ed6af036ee458d529bd176f6d97cf3d0f6471184c4942aaa3aaf02e17fb62e88d620330b7e068ca
SHA1 hash:	dd8207b85c64d746bcacd7f29b088e864456c89a
MD5 hash:	7fed8ef2e952f40fd63e09e4ef550489
humanhash:	orange-mississippi-johnny-utah
File name:	1mpsl
Download:	download sample
Signature	Mirai Create hunting rule
File size:	97'592 bytes
First seen:	2026-02-08 21:26:40 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	1536:SXVdbeEh/kcUY4Iw17yfQ04rAM1gYuZ7hbXsVIGRwhwaBds/xV:SFdbeEh/kDz1rA4uwxeHBc
TLSH	T12793D506BB650FFBD86FCD3746A9070239CC551A22F93B3A3674C91CB51B64A4AE3C64
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf mirai upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 22a81b49666b7d026e8270f4db1606e41f5a2c5ebd8ec7ccbf731ccb47b89a31

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	37'772 bytes
File size (de-compressed) :	97'592 bytes
Format:	linux/mipsel
Packed file:	22a81b49666b7d026e8270f4db1606e41f5a2c5ebd8ec7ccbf731ccb47b89a31

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

Mirai

Details

Mirai

an XOR decryption key and at least a c2 socket address

Link:

https://research.acce.ciphertechsolutions.com/results/8fa697b6-cfe3-4a53-a943-6c5a522fa729/

Detection(s):

Unix.Trojan.Mirai-9858729-0

Unix.Trojan.Mirai-10017641-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Runs as daemon

Receives data from a server

Kills processes

Opens a port

Sends data to a server

Substitutes an application name

Deleting of the original file

Verdict:

Unknown

Threat level:

0/10

Confidence:

100%

Tags:

bash lolbin

Link:

https://www.filescan.io/uploads/6988ffb9930564ff3c92c475/reports/cdf58d04-d740-41f0-abd5-60373fa02d32/overview

Verdict:

Malicious

File Type:

elf.32.le

First seen:

2026-02-08T19:38:00Z UTC

Last seen:

2026-02-09T03:40:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/e1b04b11dafa1f91bb91e8d76ce694861746265d55c62ffd54d51dfca4595f2b/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/86204d8a-0425-4775-90bf-ff09d5ce5de8

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/04b5b072-dd87-4454-a172-c56e8143256c

Result

Threat name:

Mirai

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1865745

Signature

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sample deletes itself

Yara detected Mirai

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/e1b04b11dafa1f91bb91e8d76ce694861746265d55c62ffd54d51dfca4595f2b

Detection:

mirai

Link:

https://mwdb.cert.pl/sample/e1b04b11dafa1f91bb91e8d76ce694861746265d55c62ffd54d51dfca4595f2b/

Threat name:

Linux.Backdoor.Mirai

Status:

Malicious

First seen:

2026-02-08 21:27:41 UTC

File Type:

ELF32 Little (Exe)

AV detection:

16 of 36 (44.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4gyeweo27ipzdo4r5dlwzzuuqylumjs5kxdc77ku2uo7zjczl4vq._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai botnet:mirai defense_evasion discovery

Link:

https://tria.ge/reports/260208-1awfmab15d/

Behaviour

Reads runtime system information

Changes its process name

Deletes itself

Modifies Watchdog functionality

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/e1b04b11dafa1f91bb91e8d76ce694861746265d55c62ffd54d51dfca4595f2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ELF_Mirai Create hunting rule
Author:	NDA0E
Description:	Detects multiple Mirai variants

Rule name:	ELF_Toriilike_persist Create hunting rule
Author:	4r4
Description:	Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:	Identified via researched data