MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9139339a4538b4944d6fecfaf50cff3fd9b25085b099e8dc1f80e0cd878ccaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	e9139339a4538b4944d6fecfaf50cff3fd9b25085b099e8dc1f80e0cd878ccaa
SHA3-384 hash:	1f1531e84cc21b67f053d6a317d8238e6927fa896795ba1d70c2af6edf7992b7ca36405003ba3c62de37f1af41fc2e93
SHA1 hash:	bf000ce4cc2341764fbb8f1a87850e0b7e80bdc4
MD5 hash:	2a49ec5f995e0a6db2bab969b873357c
humanhash:	ink-hydrogen-artist-yellow
File name:	morte.arm6
Download:	download sample
Signature	Mirai Create hunting rule
File size:	112'012 bytes
First seen:	2025-11-09 03:55:23 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	3072:rpcJlSyMQRswvWpT9a6tW6jTMfnjOfq2y:rptaD+phar6UfnSq2y
TLSH	T147B33C46B9918A11C5D322BAFB5E518D33136FB8E3EE7202CD24AFB123865DB0D77512
telfhash	t123d012a68f280e996b589b149edd120683fc7c6433420767de40965bc1451d1f15d941
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf mirai upx-dec

abuse_ch

UPX decompressed file, sourced from SHA256 0edcbf7bb6b4b62b3639853627fae1129c58989df01702fe1bede75346cec8f8

UPX unpacked

This file is the unpacked version of a file that has been packed with UPX. Below is furhter information about the parent (compressed) file.

File size (compressed) :	47'568 bytes
File size (de-compressed) :	112'012 bytes
Format:	linux/arm
Packed file:	0edcbf7bb6b4b62b3639853627fae1129c58989df01702fe1bede75346cec8f8

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30435.LC.UNOFFICIAL

SecuriteInfo.com.Linux.Siggen.9999-6.UNOFFICIAL

Unix.Trojan.Mirai-7100807-0

Unix.Dropper.Mirai-7135897-0

Unix.Dropper.Mirai-7135901-0

Unix.Dropper.Mirai-7135909-0

Unix.Trojan.Mirai-7135916-0

Unix.Dropper.Mirai-7135918-0

Unix.Dropper.Mirai-7135954-0

Unix.Dropper.Mirai-7136016-0

Unix.Dropper.Mirai-7136028-0

Unix.Dropper.Mirai-7355719-0

Unix.Trojan.Mirai-8025795-0

Unix.Dropper.Mirai-10007027-0

Unix.Trojan.Mirai-10009361-0

Unix.Trojan.Mirai-5607483-0

Unix.Trojan.Gafgyt-6748839-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

DNS request

Runs as daemon

Receives data from a server

Opens a port

Sends data to a server

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

gcc masquerade mirai obfuscated rust

Link:

https://www.filescan.io/uploads/691010df45d0218fdf1f9d02/reports/0cb153b5-2c75-4a75-b6a8-01a44b040961/overview

Verdict:

Malicious

Uses P2P?:

false

Uses anti-vm?:

false

Architecture:

arm

Packer:

not packed

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

37215,80,8080

Full report:

https://elfdigest.com/brief/e9139339a4538b4944d6fecfaf50cff3fd9b25085b099e8dc1f80e0cd878ccaa

Behaviour

Information Gathering

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

not identified

Verdict:

Malicious

File Type:

elf.32.le

First seen:

2025-11-09T01:39:00Z UTC

Last seen:

2025-11-09T05:18:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/e9139339a4538b4944d6fecfaf50cff3fd9b25085b099e8dc1f80e0cd878ccaa/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/69972386-34f5-420f-9f39-c0314d3cabae

Behavior Graph:

Download SVG

Gathering data

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/e9139339a4538b4944d6fecfaf50cff3fd9b25085b099e8dc1f80e0cd878ccaa

Detection:

mirai

Link:

https://mwdb.cert.pl/sample/e9139339a4538b4944d6fecfaf50cff3fd9b25085b099e8dc1f80e0cd878ccaa/

Threat name:

Linux.Worm.Mirai

Status:

Malicious

First seen:

2025-11-09 03:56:18 UTC

File Type:

ELF32 Little (Exe)

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ejzgonekofusrgw73h26ugp6p6zwjiilmez5dob7ahazwdyzsva._file

Result

Malware family:

mirai

Score:

10/10

Tags:

family:mirai defense_evasion discovery

Link:

https://tria.ge/reports/251109-ehgfsazpbk/

Behaviour

Reads runtime system information

Enumerates running processes

Writes file to system bin folder

Modifies Watchdog functionality

Contacts a large (531412) amount of remote hosts

Creates a large amount of network flows

Malware Config

C2 Extraction:

teamc2.duckdns.org

Verdict:

Malicious

Tags:

Unix.Trojan.Mirai-7100807-0

YARA:

n/a

Link:

https://app.threat.zone/submission/62c0c729-0899-4d74-a908-e8de14333de1

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CVE_2017_17215 Create hunting rule
Author:	NDA0E
Description:	Detects exploitation attempt of CVE-2017-17215

Rule name:	ELF_Mirai Create hunting rule
Author:	NDA0E
Description:	Detects multiple Mirai variants

Rule name:	SUSP_XORed_Mozilla_Oct19 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:	https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()

Rule name:	SUSP_XORed_Mozilla_RID2DB4 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed keyword - Mozilla/5.0
Reference:	Internal Research