MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e78b085f11226c1acaba5efe9d2d5b60dab6d4043cb49d1a27dd332166a5e70d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e78b085f11226c1acaba5efe9d2d5b60dab6d4043cb49d1a27dd332166a5e70d
SHA3-384 hash: f90e5a567ea36190759b43631de016414a8baa68139a4df0d30f321ffb60c6ddb6c2e65b27ec7aeeb2f07da6abb5a2ba
SHA1 hash: af85cd16b5a1f2623a738b4fb0b422512c504ff4
MD5 hash: c2728c3969fbcb7e59700b7f6bb997db
humanhash: low-hawaii-princess-september
File name:vsbeps
Download: download sample
Signature Mirai
Create hunting rule
File size:211'828 bytes
First seen:2024-12-11 08:56:20 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:09V95FX1A8fXmQOG5ZxaVtXMLVS4IXYVLs+ll4T4Wji:CV95FX1A8fXJOXlMTIXOs+7w41
TLSH T1DE24A51E6E228F7DF668873547B78E259B5C23D613E1D645E1ACD2101E2038E642FFAC
telfhash t19241b7181d7817e5662a6c5d049cff26d6a331ef3e162c238e00e85eeb29f835d21c1c
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28880.LC.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.29325.LC.Pl.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Mirai-81.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28886.LC.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30423.LX.BOT.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-8041698-0
Create hunting rule

Unix.Trojan.Mirai-9441505-0
Create hunting rule

Unix.Trojan.Mirai-9970440-0
Create hunting rule

Unix.Trojan.Mirai-10011027-0
Create hunting rule

Unix.Trojan.Mirai-10011918-0
Create hunting rule

Unix.Trojan.Mirai-10017641-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67595606b17d24d5e3c4577flinux22vpnfull_triage
Tags:
mirai
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Connection attempt
Kills processes
Sends data to a server
Receives data from a server
Creating a file
Runs as daemon
Opens a port
Substitutes an application name
Deleting of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug bash lolbin mirai remote
Link:
https://www.filescan.io/uploads/675953e45a3621d72e890e77/reports/a01110c1-e01f-40fb-963a-f2a022413d06/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
mips
Packer:
not packed
Botnet:
unknown
Number of open files:
81
Number of processes launched:
4
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/e78b085f11226c1acaba5efe9d2d5b60dab6d4043cb49d1a27dd332166a5e70d
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5b20444a-9f1b-461b-b487-4558de4a3d71
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1572942
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill a massive number of system processes
Sample tries to kill multiple processes (SIGKILL)
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1572942 Sample: vsbeps.elf Startdate: 11/12/2024 Architecture: LINUX Score: 96 140 raw.cardiacpure.ru 178.215.238.4, 33966, 50076, 50080 LVLT-10753US Germany 2->140 142 89.190.156.145, 37424, 37428, 37432 HOSTUS-GLOBAL-ASHostUSHK United Kingdom 2->142 148 Malicious sample detected (through community Yara rule) 2->148 150 Antivirus / Scanner detection for submitted sample 2->150 152 Multi AV Scanner detection for submitted file 2->152 154 Yara detected Mirai 2->154 13 systemd gdm3 2->13         started        15 dash rm vsbeps.elf 2->15         started        17 systemd systemd 2->17         started        19 73 other processes 2->19 signatures3 process4 file5 23 gdm3 gdm-session-worker 13->23         started        25 gdm3 gdm-session-worker 13->25         started        36 3 other processes 13->36 27 vsbeps.elf 15->27         started        30 systemd dbus-daemon 17->30         started        38 3 other processes 17->38 138 /var/log/wtmp, data 19->138 dropped 156 Sample reads /proc/mounts (often used for finding a writable filesystem) 19->156 158 Reads system files that contain records of logged in users 19->158 32 accounts-daemon language-validate 19->32         started        34 accounts-daemon language-validate 19->34         started        40 48 other processes 19->40 signatures6 process7 signatures8 42 gdm-session-worker gdm-x-session 23->42         started        44 gdm-session-worker gdm-wayland-session 25->44         started        164 Sample deletes itself 27->164 46 vsbeps.elf 27->46         started        166 Sample reads /proc/mounts (often used for finding a writable filesystem) 30->166 49 language-validate language-options 32->49         started        51 language-validate language-options 34->51         started        53 systemd 30-systemd-environment-d-generator 38->53         started        55 language-validate language-options 40->55         started        57 sh grep 40->57         started        59 33 other processes 40->59 process9 signatures10 61 gdm-x-session dbus-run-session 42->61         started        63 gdm-x-session Xorg Xorg.wrap Xorg 42->63         started        65 gdm-x-session Default 42->65         started        67 gdm-wayland-session dbus-run-session 44->67         started        69 gdm-wayland-session dbus-daemon 44->69         started        168 Sample tries to kill a massive number of system processes 46->168 170 Sample tries to kill multiple processes (SIGKILL) 46->170 78 2 other processes 46->78 72 language-options sh 49->72         started        74 language-options sh 51->74         started        76 language-options sh 55->76         started        process11 signatures12 80 dbus-run-session dbus-daemon 61->80         started        83 dbus-run-session gnome-session gnome-session-binary 61->83         started        85 Xorg sh 63->85         started        89 2 other processes 67->89 160 Sample reads /proc/mounts (often used for finding a writable filesystem) 69->160 87 dbus-daemon 69->87         started        91 2 other processes 72->91 93 2 other processes 74->93 95 2 other processes 76->95 97 2 other processes 78->97 process13 signatures14 144 Sample tries to kill multiple processes (SIGKILL) 80->144 146 Sample reads /proc/mounts (often used for finding a writable filesystem) 80->146 99 dbus-daemon 80->99         started        111 7 other processes 80->111 101 gnome-session-binary gnome-session-check-accelerated 83->101         started        113 2 other processes 83->113 103 sh xkbcomp 85->103         started        105 dbus-daemon false 87->105         started        107 dbus-daemon 89->107         started        109 dbus-daemon 89->109         started        115 6 other processes 89->115 process15 process16 117 dbus-daemon at-spi-bus-launcher 99->117         started        131 2 other processes 101->131 119 dbus-daemon false 107->119         started        121 dbus-daemon false 109->121         started        133 7 other processes 111->133 123 dbus-daemon false 115->123         started        125 dbus-daemon false 115->125         started        127 dbus-daemon false 115->127         started        129 dbus-daemon false 115->129         started        process17 135 at-spi-bus-launcher dbus-daemon 117->135         started        signatures18 162 Sample reads /proc/mounts (often used for finding a writable filesystem) 135->162
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/e78b085f11226c1acaba5efe9d2d5b60dab6d4043cb49d1a27dd332166a5e70d
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e78b085f11226c1acaba5efe9d2d5b60dab6d4043cb49d1a27dd332166a5e70d/
Threat name:
Linux.Trojan.Mirai
Create hunting rule
Status:
Malicious
First seen:
2024-12-10 20:35:36 UTC
File Type:
ELF32 Big (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=46fqqxyrejwbvsv2l37j2lk3mdnlnvaehs2j2grh3uzsczvf44gq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai discovery
Link:
https://tria.ge/reports/241211-kwky1swjcv/
Behaviour
Reads runtime system information
Changes its process name
Enumerates running processes
Deletes itself
Verdict:
Malicious
Tags:
trojan gafgyt Unix.Trojan.Mirai-8041698-0
YARA:
Linux_Trojan_Gafgyt_28a2fe0c Linux_Gafgyt_May_2024
Link:
https://app.threat.zone/submission/45637fdd-7c50-4656-a3e2-7dd466ee650d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mirai
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e78b085f11226c1acaba5efe9d2d5b60dab6d4043cb49d1a27dd332166a5e70d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_28a2fe0c
Create hunting rule
Author:Elastic Security
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf e78b085f11226c1acaba5efe9d2d5b60dab6d4043cb49d1a27dd332166a5e70d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3344874/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3345458/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments