MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6c570ab44d79a67dd9c141e619c6311ed6a159cfc1dfad8b576216820836d56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 14


Intelligence 14 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6c570ab44d79a67dd9c141e619c6311ed6a159cfc1dfad8b576216820836d56
SHA3-384 hash: f8dd1c3ef952237a06a6313f6afbfb44723196d2a65f2b5f2e84f04eaafa3950b73caff9476205a23e548ac6efbc1b28
SHA1 hash: cd7bc8199b8fe0bb4a4fb2f555d1a406539c7a00
MD5 hash: 91428b5ab434b1792a048f82b4feb9d5
humanhash: music-shade-sodium-batman
File name:x86_64
Download: download sample
Signature Mirai
Create hunting rule
File size:197'288 bytes
First seen:2026-01-03 08:35:25 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 6144:fmneEfgAddO70EZyZcoXzwBuYZRU//bA1:O3VXzwUY8/01
TLSH T10B143A06B5C180FEC499C1744BFFB13AD972B45D5238B29B67C4AF222E4DE701B6DA84
telfhash t1f351dd701d96395ca0e6974ab34fef1eecb209045ff534e4af67a9d0ae437880d63426
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 c28d0b54399ba2d3c615d71db6fd072aef323a1071d81a4b7281a94a18dde340
File size (compressed) :74'284 bytes
File size (de-compressed) :197'288 bytes
Format:linux/amd64
Packed file: c28d0b54399ba2d3c615d71db6fd072aef323a1071d81a4b7281a94a18dde340

Intelligence

File Origin
# of uploads :
1
# of downloads :
50
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
Mirai
Details
Mirai
an XOR decryption key and at least a c2 socket address
Link:
https://research.acce.ciphertechsolutions.com/results/4968e518-5c89-450e-ad40-dfd7425807fd/
Detection(s):
Sanesecurity.Malware.30435.LC.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Siggen.9999-14.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-7100807-0
Create hunting rule

Unix.Trojan.Mirai-7135916-0
Create hunting rule

Unix.Dropper.Mirai-7136016-0
Create hunting rule

Unix.Dropper.Mirai-7540662-0
Create hunting rule

Unix.Trojan.Mirai-8025795-0
Create hunting rule

Unix.Trojan.Mirai-9441505-0
Create hunting rule

Unix.Trojan.Mirai-10056463-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Sets a written file as executable
Runs as daemon
Manages services
Kills processes
Creating a file
Opens a port
Sends data to a server
Launching a process
Substitutes an application name
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bash exploit gafgyt lolbin mirai obfuscated
Link:
https://www.filescan.io/uploads/6958d4fd2fb7bb52ca85cbce/reports/8f57ab18-d05b-4ba1-8283-e34b8c67766d/overview
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2026-01-03T03:11:00Z UTC
Last seen:
2026-01-04T01:46:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Linux.Mirai.r HEUR:Backdoor.Linux.Mirai.cw HEUR:Backdoor.Linux.Mirai.b HEUR:Backdoor.Linux.Gafgyt.bl HEUR:Backdoor.Linux.Gafgyt.bj
Link:
https://opentip.kaspersky.com/e6c570ab44d79a67dd9c141e619c6311ed6a159cfc1dfad8b576216820836d56/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/8e6f9940-18f4-48d9-8b62-35cdeaa30230
Behavior Graph:
Download SVG
%3 guuid=f5c66adb-1800-0000-9dc8-d84dfb120000 pid=4859 /usr/bin/sudo guuid=83ef7cdd-1800-0000-9dc8-d84d05130000 pid=4869 /tmp/sample.bin net write-config write-file guuid=f5c66adb-1800-0000-9dc8-d84dfb120000 pid=4859->guuid=83ef7cdd-1800-0000-9dc8-d84d05130000 pid=4869 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=83ef7cdd-1800-0000-9dc8-d84d05130000 pid=4869->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=d8dd35de-1800-0000-9dc8-d84d09130000 pid=4873 /usr/bin/dash guuid=83ef7cdd-1800-0000-9dc8-d84d05130000 pid=4869->guuid=d8dd35de-1800-0000-9dc8-d84d09130000 pid=4873 execve guuid=5065e8e0-1800-0000-9dc8-d84d14130000 pid=4884 /usr/bin/dash guuid=83ef7cdd-1800-0000-9dc8-d84d05130000 pid=4869->guuid=5065e8e0-1800-0000-9dc8-d84d14130000 pid=4884 execve guuid=dabb0ae3-1800-0000-9dc8-d84d1e130000 pid=4894 /tmp/sample.bin guuid=83ef7cdd-1800-0000-9dc8-d84d05130000 pid=4869->guuid=dabb0ae3-1800-0000-9dc8-d84d1e130000 pid=4894 clone guuid=d78810e3-1800-0000-9dc8-d84d1f130000 pid=4895 /tmp/sample.bin guuid=83ef7cdd-1800-0000-9dc8-d84d05130000 pid=4869->guuid=d78810e3-1800-0000-9dc8-d84d1f130000 pid=4895 clone guuid=38a01ae3-1800-0000-9dc8-d84d22130000 pid=4898 /tmp/sample.bin net send-data zombie guuid=83ef7cdd-1800-0000-9dc8-d84d05130000 pid=4869->guuid=38a01ae3-1800-0000-9dc8-d84d22130000 pid=4898 clone guuid=6a2470de-1800-0000-9dc8-d84d0b130000 pid=4875 /usr/bin/systemctl guuid=d8dd35de-1800-0000-9dc8-d84d09130000 pid=4873->guuid=6a2470de-1800-0000-9dc8-d84d0b130000 pid=4875 execve guuid=8fdc23e1-1800-0000-9dc8-d84d15130000 pid=4885 /usr/bin/systemctl guuid=5065e8e0-1800-0000-9dc8-d84d14130000 pid=4884->guuid=8fdc23e1-1800-0000-9dc8-d84d15130000 pid=4885 execve guuid=66d710e3-1800-0000-9dc8-d84d20130000 pid=4896 /tmp/sample.bin guuid=dabb0ae3-1800-0000-9dc8-d84d1e130000 pid=4894->guuid=66d710e3-1800-0000-9dc8-d84d20130000 pid=4896 clone guuid=120415e3-1800-0000-9dc8-d84d21130000 pid=4897 /tmp/sample.bin guuid=dabb0ae3-1800-0000-9dc8-d84d1e130000 pid=4894->guuid=120415e3-1800-0000-9dc8-d84d21130000 pid=4897 clone guuid=38a01ae3-1800-0000-9dc8-d84d22130000 pid=4898->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con 54d92a3b-1447-55af-b534-047898c60c8d 1.1.1.1:53 guuid=38a01ae3-1800-0000-9dc8-d84d22130000 pid=4898->54d92a3b-1447-55af-b534-047898c60c8d send: 185B 51a553e2-ae0e-5eda-9e98-aa9e45810237 151.242.30.13:12121 guuid=38a01ae3-1800-0000-9dc8-d84d22130000 pid=4898->51a553e2-ae0e-5eda-9e98-aa9e45810237 send: 4B
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4516831-6ae5-4626-ba3a-7699553d37d8
Result
Threat name:
Gafgyt
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1844004
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1844004 Sample: x86_64.elf Startdate: 03/01/2026 Architecture: LINUX Score: 80 35 169.254.169.254, 80 USDOSUS Reserved 2->35 37 151.242.30.13, 12121, 49858 RASANAIR Iran (ISLAMIC Republic Of) 2->37 39 4 other IPs or domains 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for dropped file 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 2 other signatures 2->47 8 x86_64.elf 2->8         started        11 dash rm 2->11         started        13 dash grep 2->13         started        15 2 other processes 2->15 signatures3 process4 file5 33 /usr/local/bin/infinitd, ELF 8->33 dropped 17 x86_64.elf sh 8->17         started        19 x86_64.elf sh 8->19         started        21 x86_64.elf 8->21         started        23 2 other processes 8->23 process6 process7 25 sh systemctl 17->25         started        27 sh systemctl 19->27         started        29 x86_64.elf 21->29         started        31 x86_64.elf 21->31         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/e6c570ab44d79a67dd9c141e619c6311ed6a159cfc1dfad8b576216820836d56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6c570ab44d79a67dd9c141e619c6311ed6a159cfc1dfad8b576216820836d56/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/e6c570ab44d79a67dd9c141e619c6311ed6a159cfc1dfad8b576216820836d56
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-01-03 07:58:48 UTC
File Type:
ELF64 Little (Exe)
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=43cxbk2e26ngpxm4cqpgdhddchwwufm47qo7vwfvoyqwqiednvla._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet defense_evasion discovery linux persistence privilege_escalation
Link:
https://tria.ge/reports/260103-khhxhabv6g/
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
Enumerates active TCP sockets
Modifies systemd
Write file to user bin folder
Writes file to system bin folder
Modifies Watchdog functionality
Mirai
Mirai family
Malware Config
C2 Extraction:
teamc2.duckdns.org
Verdict:
Malicious
Tags:
trojan mirai gafgyt zerobot Unix.Trojan.Mirai-7100807-0
YARA:
Linux_Trojan_Gafgyt_9e9530a7 Linux_Trojan_Gafgyt_807911a2 Linux_Trojan_Gafgyt_d4227dbf Linux_Trojan_Gafgyt_d996d335 Linux_Trojan_Gafgyt_d0c57a2e Linux_Trojan_Gafgyt_620087b9 Linux_Trojan_Gafgyt_0cd591cd Linux_Trojan_Gafgyt_33b4111a Linux_Trojan_Gafgyt_a33a8363 Linux_Trojan_Mirai_6a77af0f Linux_Trojan_Mirai_e0cf29e2 Linux_Trojan_Zerobot_3a5b56dd
Link:
https://app.threat.zone/submission/f49576c2-b2f8-4b10-92d9-edb8dea808b9
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6c570ab44d7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e6c570ab44d79a67dd9c141e619c6311ed6a159cfc1dfad8b576216820836d56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Mirai
Create hunting rule
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_0cd591cd
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_33b4111a
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_620087b9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_807911a2
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_9e9530a7
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_a33a8363
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d0c57a2e
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d4227dbf
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d996d335
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_6a77af0f
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_e0cf29e2
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Zerobot_3a5b56dd
Create hunting rule
Author:Elastic Security
Description:Strings found in the Zerobot Spoofed Header method
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf c28d0b54399ba2d3c615d71db6fd072aef323a1071d81a4b7281a94a18dde340

Mirai

elf e6c570ab44d79a67dd9c141e619c6311ed6a159cfc1dfad8b576216820836d56

(this sample)

  
Dropped by
SHA256 c28d0b54399ba2d3c615d71db6fd072aef323a1071d81a4b7281a94a18dde340
  
URLhaus
https://urlhaus.abuse.ch/url/3722803/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 679ba31aafab4a0560d94c95d15b4e11
  
URLhaus
https://urlhaus.abuse.ch/url/3719328/
  
URLhaus
https://urlhaus.abuse.ch/url/3722806/

Comments