MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e23f8ba7bf289df08075b13c8957fa5d89583ed7d4e7cb52d14fe95b64143c2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 16

Intelligence 16 IOCs YARA 6 File information Comments

SHA256 hash:	e23f8ba7bf289df08075b13c8957fa5d89583ed7d4e7cb52d14fe95b64143c2e
SHA3-384 hash:	9cc40a5411bdcdfbb47cd1680c56e0c2093612aadc9eb7bc34f8e95a106ccf890b7d139f381e243803f6ae87a4eb4d1d
SHA1 hash:	c031ca5b18ddfe763f7d471b5100882e08fe3072
MD5 hash:	6c7dc8d90ecbbf30ac991bde84c2ceb0
humanhash:	asparagus-alabama-montana-foxtrot
File name:	file
Download:	download sample
Signature	Mirai Create hunting rule
File size:	1'016'320 bytes
First seen:	2026-03-02 19:54:36 UTC
Last seen:	2026-03-02 20:37:48 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:odoK67R3Ts5Z6UuQAlm6OD2zvisDdks8G9h:/FjQZlu37tDdks8Eh
Threatray	3 similar samples on MalwareBazaar
TLSH	T10225E07732174E10D3A44373C1DB8A4593ACA683B6A7F70E7585239A14023FFDE5A2A7
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 mirai

Bitsight

url: http://130.12.180.43/files/5532726588/cPr84lu.exe

Intelligence

File Origin

# of uploads :

# of downloads :

117

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

NETReactor

Details

Link:

https://research.acce.ciphertechsolutions.com/results/6c2f45fb-b7a6-4242-92f3-2e25d0a9b41a/

Malware family:

xmrig

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2026-03-02 19:55:45 UTC

Tags:

miner auto-sch-xml netreactor purehvnc xmrig

Link:

https://app.any.run/tasks/04e072b9-3e77-4a86-aad7-186e9ea673f6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/55302/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a5eb2de1f958bf6682dec8

Tags:

shell crypt sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 net_reactor obfuscated obfuscated packed packed

Link:

https://www.filescan.io/uploads/69a5eb2797feb4afd6655005/reports/490b5bba-4ddb-42c7-b79b-cdbcca1fcdcb/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/e23f8ba7bf289df08075b13c8957fa5d89583ed7d4e7cb52d14fe95b64143c2e

Result

Gathering data

Verdict:

Malicious

File Type:

exe x64

Link:

https://opentip.kaspersky.com/e23f8ba7bf289df08075b13c8957fa5d89583ed7d4e7cb52d14fe95b64143c2e/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/224ee1c0-dc23-4e14-9489-97a855823b30

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e23f8ba7bf289df08075b13c8957fa5d89583ed7d4e7cb52d14fe95b64143c2e

Gathering data

Detection:

mirai

Link:

https://mwdb.cert.pl/sample/e23f8ba7bf289df08075b13c8957fa5d89583ed7d4e7cb52d14fe95b64143c2e/

Verdict:

Malicious

Threat:

Family.XMRIG

Link:

https://tip.neiki.dev/file/e23f8ba7bf289df08075b13c8957fa5d89583ed7d4e7cb52d14fe95b64143c2e

Threat name:

ByteCode-MSIL.Trojan.Zilla

Status:

Malicious

First seen:

2026-03-02 19:55:33 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

16 of 36 (44.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4i7yxj57fco7badvwe6isv72lwevqpwx2tt4wuwrj7uvwzauhqxa._file

Verdict:

malicious

Label(s):

xmrig

Mirai

2ddc60e198968b3b6a2c900fa225cec6ff3340e67972ebf3b94938423f3dd347

Mirai

error

Mirai

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:xmrig execution miner persistence

Link:

https://tria.ge/reports/260302-ym9gxaf13g/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SetThreadContext

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

XMRig Miner payload

Xmrig family

xmrig

Unpacked files

SH256 hash:

e23f8ba7bf289df08075b13c8957fa5d89583ed7d4e7cb52d14fe95b64143c2e

MD5 hash:

6c7dc8d90ecbbf30ac991bde84c2ceb0

SHA1 hash:

c031ca5b18ddfe763f7d471b5100882e08fe3072

Link:

https://www.unpac.me/results/f6c01804-c557-46c3-96e8-cea19058f1c1/

Malware family:

XMRig

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e23f8ba7bf28/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)