MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea95889e1be7ae3975562b861493eb7ee6d2ef2e01b5d2960b52cd53305db4a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 12


Intelligence 12 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea95889e1be7ae3975562b861493eb7ee6d2ef2e01b5d2960b52cd53305db4a3
SHA3-384 hash: 289ffdf77e1313256917855cba643bee1f3d4e470052e49c92e444dff4dc25bdbd59aebe8c32f93b0a3e10748c06e071
SHA1 hash: f81f28a197aed403abe25f0242b3093e1df7298b
MD5 hash: 65834d748a2da9ee4a625160c1b79ff7
humanhash: alanine-nineteen-angel-rugby
File name:x86_64.uhavenobotsxd
Download: download sample
Signature Mirai
Create hunting rule
File size:92'560 bytes
First seen:2025-12-22 04:00:14 UTC
Last seen:2025-12-22 12:27:23 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:eMhV+3Q683jDY5Z7W9Zfh2Vop14bMReKMmFXofP0tk45qmCL:LHf3o5Vafh2618MRcmFS8tkiq
TLSH T1ED935B07B6C194FCD89AC238665FA176C932F42D1236725B57C0FA26BCCDE203F2A655
telfhash t1b7314930789a2968a1ffbb36f346f4a6d4a31d7518e034a1897799e6cfaa3e04c01452
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
2
# of downloads :
38
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.30455.LC.BadVar.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-10001386-0
Create hunting rule

Unix.Trojan.Mirai-10017351-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Deleting a recently created file
Sends data to a server
Launching a process
Sets a written file as executable
Attempts to kill processes by name
Deletes a file
Changes the time when the file was created, accessed, or modified
Opens a port
Receives data from a server
Creating a file
Runs as daemon
Connection attempt
Changes access rights for a written file
Creating a process from a recently created file
Kills processes
Writes files to system directory
Substitutes an application name
Creates or modifies files in /cron to set up autorun
Creates or modifies files in /init.d to set up autorun
Creates or modifies files to set up autorun
Creates or modifies symbolic links in /init.d to set up autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gafgyt mirai
Link:
https://www.filescan.io/uploads/6948c257a7163552ba038c7d/reports/f5be23a2-4d56-41f1-9705-6e26d7b2f50e/overview
Verdict:
Malicious
File Type:
elf.64.le
First seen:
2025-12-22T00:17:00Z UTC
Last seen:
2025-12-22T01:28:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Linux.Mirai.b
Link:
https://opentip.kaspersky.com/ea95889e1be7ae3975562b861493eb7ee6d2ef2e01b5d2960b52cd53305db4a3/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/19a032f4-e00f-4885-a3cb-ea175e090a27
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1837396
Signature
Drops files in suspicious directories
Drops invisible ELF files
Executes the "crontab" command typically for achieving persistence
Malicious sample detected (through community Yara rule)
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Terminates several processes with shell command 'killall'
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1837396 Sample: x86_64.uhavenobotsxd.elf Startdate: 22/12/2025 Architecture: LINUX Score: 100 100 Malicious sample detected (through community Yara rule) 2->100 102 Multi AV Scanner detection for submitted file 2->102 10 x86_64.uhavenobotsxd.elf 2->10         started        13 dash rm 2->13         started        15 dash rm 2->15         started        process3 signatures4 116 Sample reads /proc/mounts (often used for finding a writable filesystem) 10->116 17 x86_64.uhavenobotsxd.elf 10->17         started        process5 file6 78 /var/spool/cron/root, ASCII 17->78 dropped 80 /var/spool/cron/crontabs/root, ASCII 17->80 dropped 82 /root/.bashrc, ASCII 17->82 dropped 84 8 other files (7 malicious) 17->84 dropped 104 Sample tries to set files in /etc globally writable 17->104 106 Sample tries to persist itself using /etc/profile 17->106 108 Drops files in suspicious directories 17->108 110 4 other signatures 17->110 21 x86_64.uhavenobotsxd.elf sh 17->21         started        23 x86_64.uhavenobotsxd.elf sh 17->23         started        25 x86_64.uhavenobotsxd.elf sh 17->25         started        27 57 other processes 17->27 signatures7 process8 signatures9 30 sh S99network 21->30         started        32 sh crontab 23->32         started        36 sh 23->36         started        38 sh cp 25->38         started        118 Sample tries to kill multiple processes (SIGKILL) 27->118 40 sh .monitor 27->40         started        42 x86_64.uhavenobotsxd.elf sh 27->42         started        44 x86_64.uhavenobotsxd.elf sh 27->44         started        46 55 other processes 27->46 process10 file11 48 S99network 30->48         started        74 /var/spool/cron/crontabs/tmp.61GmWx, ASCII 32->74 dropped 86 Sample tries to persist itself using cron 32->86 88 Executes the "crontab" command typically for achieving persistence 32->88 50 sh crontab 36->50         started        76 /usr/bin/.update, ELF 38->76 dropped 90 Drops invisible ELF files 38->90 92 Drops files in suspicious directories 38->92 53 .monitor 40->53         started        55 sh .update 42->55         started        57 sh .update 44->57         started        94 Sample tries to kill multiple processes (SIGKILL) 46->94 96 Sample deletes itself 46->96 98 Terminates several processes with shell command 'killall' 46->98 59 sh .update 46->59         started        signatures12 process13 signatures14 61 S99network .update 48->61         started        64 S99network .update 48->64         started        66 S99network .update 48->66         started        72 23 other processes 48->72 112 Executes the "crontab" command typically for achieving persistence 50->112 68 .monitor .update 53->68         started        70 .monitor sleep 53->70         started        114 Sample reads /proc/mounts (often used for finding a writable filesystem) 55->114 process15 signatures16 120 Sample reads /proc/mounts (often used for finding a writable filesystem) 61->120
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/ea95889e1be7ae3975562b861493eb7ee6d2ef2e01b5d2960b52cd53305db4a3
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ea95889e1be7ae3975562b861493eb7ee6d2ef2e01b5d2960b52cd53305db4a3/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/ea95889e1be7ae3975562b861493eb7ee6d2ef2e01b5d2960b52cd53305db4a3
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-12-22 04:00:27 UTC
File Type:
ELF64 Little (Exe)
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5kkyrhq346xds5kwfodbje7lp3tnf3zoag25ffqlklgvgmc5wsrq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet defense_evasion discovery execution linux persistence privilege_escalation
Link:
https://tria.ge/reports/251222-ekx7bady8f/
Behaviour
Reads runtime system information
Writes file to shm directory
Changes its process name
Modifies Bash startup script
Creates/modifies Cron job
Creates/modifies environment variables
Deletes log files
Enumerates running processes
Modifies init.d
Modifies rc script
Write file to user bin folder
Executes dropped EXE
Mirai
Mirai family
Verdict:
Malicious
Tags:
trojan mirai gafgyt Unix.Trojan.Mirai-7640640-0
YARA:
Linux_Trojan_Gafgyt_9e9530a7 Linux_Trojan_Gafgyt_807911a2 Linux_Trojan_Gafgyt_d4227dbf Linux_Trojan_Gafgyt_d996d335 Linux_Trojan_Gafgyt_620087b9 Linux_Trojan_Gafgyt_33b4111a Linux_Trojan_Mirai_6a77af0f Linux_Trojan_Mirai_e0cf29e2
Link:
https://app.threat.zone/submission/a8a0b59c-2146-4ff2-966f-296305b0eea3
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ea95889e1be7ae3975562b861493eb7ee6d2ef2e01b5d2960b52cd53305db4a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_33b4111a
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_620087b9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_807911a2
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_9e9530a7
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d4227dbf
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d996d335
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_6a77af0f
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_e0cf29e2
Create hunting rule
Author:Elastic Security
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 32243b67c0497c60f7cf939615958a00204bde921a2c856e9a7afb8ba930f807

Mirai

elf ea95889e1be7ae3975562b861493eb7ee6d2ef2e01b5d2960b52cd53305db4a3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3714269/
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 32243b67c0497c60f7cf939615958a00204bde921a2c856e9a7afb8ba930f807
  
Dropped by
MD5 66dc9969ce97c9dd18d334411620efec
  
URLhaus
https://urlhaus.abuse.ch/url/3734248/
  
Dropped by
SHA256 f76b64d42bb61296d51f9c312fda96f8bfffc55f9e8f8a10d3c79faa6e314219
  
Dropped by
MD5 393798b2e6e3d44611577778c4e38e0b

Comments