MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 ea98289493f8bb49e0c2b8b26852db6c2143889fb5136b38e9a6a56f7baed2b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Mirai
Vendor detections: 7
| SHA256 hash: | ea98289493f8bb49e0c2b8b26852db6c2143889fb5136b38e9a6a56f7baed2b2 |
|---|---|
| SHA3-384 hash: | 96ea11e08cff19ae51b3ac80f96a2e355e6a497d145e6cb90dc7efdb1b07748e65bee5db4f1bec7c4cb3f588729e71f0 |
| SHA1 hash: | 68394dbd4c437e5fe814fb34c952581cd6f2672f |
| MD5 hash: | 2606cd759a6f20384bcc9a8c0d052054 |
| humanhash: | grey-orange-magnesium-december |
| File name: | Mozi.m |
| Download: | download sample |
| Signature | Mirai |
| File size: | 307'960 bytes |
| First seen: | 2021-07-20 03:03:50 UTC |
| Last seen: | Never |
| File type: | elf |
| MIME type: | application/x-executable |
| ssdeep | 3072:phNlHuBafLeBtfCzpta8xlBIOdVo3/4sxLJ10xiomwPa5POdOQ33Q:p3lOYoaja8xzx/0wsxzSiFfPqOJ |
| TLSH | T13764F2CAFF11BC3AE984067629AB074DB3B49F95C3C3F190F294C55E38AD685AB610D4 |
| Reporter |  tolisec |
| Tags: | mirai |
Intelligence
File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Mirai-63.UNOFFICIAL
SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL
Unix.Dropper.Botnet-6566040-0
Unix.Packed.Botnet-6566031-0
Unix.Trojan.Gafgyt-6748839-0
Unix.Trojan.Mirai-7100807-0
Unix.Dropper.Mirai-7135934-0
Unix.Dropper.Mirai-7136013-0
Unix.Dropper.Mirai-7136057-0
Unix.Dropper.Mirai-7136070-0
Unix.Trojan.Mirai-8025795-0
Unix.Trojan.Mirai-9762350-0
Unix.Trojan.Mirai-9763616-0
Unix.Trojan.Mirai-9769616-0
Unix.Exploit.Mirai-9795501-0
Unix.Trojan.Mozi-9840825-0
Unix.Trojan.Mirai-9843255-0
Unix.Trojan.Mirai-9858729-0
Unix.Trojan.Gafgyt-6735924-0
SecuriteInfo.com.Linux.Mirai-29.UNOFFICIAL
Unix.Dropper.Botnet-6566040-0
Unix.Packed.Botnet-6566031-0
Unix.Trojan.Gafgyt-6748839-0
Unix.Trojan.Mirai-7100807-0
Unix.Dropper.Mirai-7135934-0
Unix.Dropper.Mirai-7136013-0
Unix.Dropper.Mirai-7136057-0
Unix.Dropper.Mirai-7136070-0
Unix.Trojan.Mirai-8025795-0
Unix.Trojan.Mirai-9762350-0
Unix.Trojan.Mirai-9763616-0
Unix.Trojan.Mirai-9769616-0
Unix.Exploit.Mirai-9795501-0
Unix.Trojan.Mozi-9840825-0
Unix.Trojan.Mirai-9843255-0
Unix.Trojan.Mirai-9858729-0
Unix.Trojan.Gafgyt-6735924-0
Verdict:
Malicious
Uses P2P?:
true
Uses anti-vm?:
false
Architecture:
mips
Packer:
UPX
Botnet:
117.201.197.129:34801
Number of open files:
430
Number of processes launched:
38
Processes remaning?
true
Remote TCP ports scanned:
8080,80,8081,5555,8443,37215,60001,8181,7574,52869,49152,81,23,2323
Full report:
Behaviour
Process Renaming
Firewall Changes
Information Gathering
Botnet C2s
TCP botnet C2(s):
212.129.33.59:6881
87.98.162.88:6881
67.215.246.10:6881
82.221.103.244:6881
130.239.18.159:6881
73.235.213.40:6881
62.192.61.57:6881
1.231.67.193:6881
79.68.1.163:6881
174.101.152.208:6881
46.30.160.124:6881
5.189.91.191:6881
5.172.9.156:6881
35.155.156.153:6881
173.82.155.70:6881
150.109.116.15:6881
144.76.184.243:51413
178.154.247.114:51413
46.0.193.14:51413
89.42.234.232:51413
136.243.37.152:51413
193.119.56.57:51413
78.36.202.218:51413
186.156.100.88:51413
88.212.37.136:25613
217.178.130.35:12589
80.246.94.141:5633
130.239.18.159:8792
128.69.179.116:39999
201.91.213.234:14318
178.72.75.141:13483
58.97.227.199:5353
117.221.75.111:5353
113.53.4.133:5353
95.25.37.49:46460
109.60.148.104:64255
176.222.159.29:24525
2.61.147.199:27015
188.226.88.5:60936
47.215.179.171:50321
65.75.96.10:50321
187.64.175.156:50321
37.99.113.114:39027
117.196.18.46:22327
2.31.34.112:24309
68.61.113.232:6882
46.4.89.177:50000
78.46.100.59:50000
178.63.54.26:50000
178.63.94.116:50000
178.63.60.100:50000
162.55.82.120:50000
95.216.14.178:50000
46.4.89.183:50000
49.12.81.12:50000
116.202.225.10:50000
94.130.236.94:50000
178.63.63.206:50000
178.63.54.123:50000
178.63.78.74:50000
223.130.31.240:26222
175.202.65.86:41184
210.89.58.111:49244
211.55.152.153:40803
103.135.33.74:8083
117.215.211.59:8083
178.141.25.206:8083
27.215.123.101:8083
180.188.237.60:7819
135.181.182.189:47844
37.113.107.14:39503
93.95.160.61:28180
157.48.221.21:62985
45.231.209.53:8000
177.86.235.205:8000
182.61.18.63:8000
128.75.29.249:11935
37.146.216.93:35674
109.195.115.17:30480
80.98.43.158:35892
46.188.82.76:44033
123.203.139.75:11660
117.222.174.14:1027
59.96.56.74:1027
185.25.18.50:11264
5.79.134.39:49144
91.235.175.119:46244
45.66.40.217:6889
101.78.242.88:6889
46.188.28.205:64274
93.177.6.173:49213
94.158.98.47:54267
92.245.116.10:44512
130.239.18.159:8723
202.164.139.195:10314
112.27.124.123:8082
220.118.50.206:8082
135.181.182.188:51575
113.169.164.136:27868
95.211.136.213:60828
27.6.252.245:39469
78.36.10.247:60838
180.214.76.197:48128
174.96.30.156:52437
54.237.228.189:49167
59.148.127.38:15041
82.151.123.84:7424
130.239.18.159:8646
213.136.79.205:6950
180.188.250.16:5870
125.52.7.249:27314
47.132.192.149:52920
111.92.76.204:10487
220.76.252.222:57401
109.130.36.135:55555
126.241.53.177:55555
93.81.72.162:24050
62.210.112.220:8200
175.97.135.220:60020
59.94.193.117:1480
47.149.50.82:55373
114.134.24.243:39413
202.164.139.124:20099
117.215.210.253:51386
111.92.80.117:46407
222.113.4.126:41160
211.197.58.147:40980
203.234.248.64:40906
125.142.85.69:40967
178.141.146.110:4000
117.215.250.203:54878
62.171.159.65:8080
180.188.249.59:58338
188.243.71.5:18114
2.92.126.57:25972
185.24.112.164:29164
176.124.162.86:19869
45.12.5.74:12404
178.71.236.93:32151
185.207.165.191:51755
185.107.71.137:28012
213.108.36.115:49160
221.156.76.95:20637
121.138.24.94:40628
188.209.56.9:28054
92.253.194.38:20611
37.79.35.134:1401
91.196.94.231:22468
95.71.45.236:47686
5.189.99.171:48833
95.32.243.116:59121
95.24.16.158:36463
46.117.113.179:30147
123.23.113.39:15927
111.92.117.138:26245
202.164.139.160:40119
73.93.73.247:50278
117.194.166.131:47828
182.56.76.185:44099
59.99.203.131:64047
27.5.18.17:15263
117.194.175.140:53918
213.34.171.254:64848
212.178.154.174:18183
87.98.162.88:6881
67.215.246.10:6881
82.221.103.244:6881
130.239.18.159:6881
73.235.213.40:6881
62.192.61.57:6881
1.231.67.193:6881
79.68.1.163:6881
174.101.152.208:6881
46.30.160.124:6881
5.189.91.191:6881
5.172.9.156:6881
35.155.156.153:6881
173.82.155.70:6881
150.109.116.15:6881
144.76.184.243:51413
178.154.247.114:51413
46.0.193.14:51413
89.42.234.232:51413
136.243.37.152:51413
193.119.56.57:51413
78.36.202.218:51413
186.156.100.88:51413
88.212.37.136:25613
217.178.130.35:12589
80.246.94.141:5633
130.239.18.159:8792
128.69.179.116:39999
201.91.213.234:14318
178.72.75.141:13483
58.97.227.199:5353
117.221.75.111:5353
113.53.4.133:5353
95.25.37.49:46460
109.60.148.104:64255
176.222.159.29:24525
2.61.147.199:27015
188.226.88.5:60936
47.215.179.171:50321
65.75.96.10:50321
187.64.175.156:50321
37.99.113.114:39027
117.196.18.46:22327
2.31.34.112:24309
68.61.113.232:6882
46.4.89.177:50000
78.46.100.59:50000
178.63.54.26:50000
178.63.94.116:50000
178.63.60.100:50000
162.55.82.120:50000
95.216.14.178:50000
46.4.89.183:50000
49.12.81.12:50000
116.202.225.10:50000
94.130.236.94:50000
178.63.63.206:50000
178.63.54.123:50000
178.63.78.74:50000
223.130.31.240:26222
175.202.65.86:41184
210.89.58.111:49244
211.55.152.153:40803
103.135.33.74:8083
117.215.211.59:8083
178.141.25.206:8083
27.215.123.101:8083
180.188.237.60:7819
135.181.182.189:47844
37.113.107.14:39503
93.95.160.61:28180
157.48.221.21:62985
45.231.209.53:8000
177.86.235.205:8000
182.61.18.63:8000
128.75.29.249:11935
37.146.216.93:35674
109.195.115.17:30480
80.98.43.158:35892
46.188.82.76:44033
123.203.139.75:11660
117.222.174.14:1027
59.96.56.74:1027
185.25.18.50:11264
5.79.134.39:49144
91.235.175.119:46244
45.66.40.217:6889
101.78.242.88:6889
46.188.28.205:64274
93.177.6.173:49213
94.158.98.47:54267
92.245.116.10:44512
130.239.18.159:8723
202.164.139.195:10314
112.27.124.123:8082
220.118.50.206:8082
135.181.182.188:51575
113.169.164.136:27868
95.211.136.213:60828
27.6.252.245:39469
78.36.10.247:60838
180.214.76.197:48128
174.96.30.156:52437
54.237.228.189:49167
59.148.127.38:15041
82.151.123.84:7424
130.239.18.159:8646
213.136.79.205:6950
180.188.250.16:5870
125.52.7.249:27314
47.132.192.149:52920
111.92.76.204:10487
220.76.252.222:57401
109.130.36.135:55555
126.241.53.177:55555
93.81.72.162:24050
62.210.112.220:8200
175.97.135.220:60020
59.94.193.117:1480
47.149.50.82:55373
114.134.24.243:39413
202.164.139.124:20099
117.215.210.253:51386
111.92.80.117:46407
222.113.4.126:41160
211.197.58.147:40980
203.234.248.64:40906
125.142.85.69:40967
178.141.146.110:4000
117.215.250.203:54878
62.171.159.65:8080
180.188.249.59:58338
188.243.71.5:18114
2.92.126.57:25972
185.24.112.164:29164
176.124.162.86:19869
45.12.5.74:12404
178.71.236.93:32151
185.207.165.191:51755
185.107.71.137:28012
213.108.36.115:49160
221.156.76.95:20637
121.138.24.94:40628
188.209.56.9:28054
92.253.194.38:20611
37.79.35.134:1401
91.196.94.231:22468
95.71.45.236:47686
5.189.99.171:48833
95.32.243.116:59121
95.24.16.158:36463
46.117.113.179:30147
123.23.113.39:15927
111.92.117.138:26245
202.164.139.160:40119
73.93.73.247:50278
117.194.166.131:47828
182.56.76.185:44099
59.99.203.131:64047
27.5.18.17:15263
117.194.175.140:53918
213.34.171.254:64848
212.178.154.174:18183
UDP botnet C2(s):
not identified
Result
Verdict:
MALICIOUS
Malware family:
Mozi
Verdict:
Malicious
Result
Threat name:
Mirai
Detection:
malicious
Classification:
spre.troj.evad
Score:
88 / 100
Signature
Found strings indicative of a multi-platform dropper
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Yara detected Mirai
Behaviour
Behavior Graph:
Threat name:
Linux.Trojan.Skeeyah
Status:
Malicious
First seen:
2021-07-20 02:56:11 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
9/10
Tags:
linux
Behaviour
Reads runtime system information
Writes file to tmp directory
Reads system network configuration
Enumerates active TCP sockets
Reads system routing table
Modifies hosts file
Modifies the Watchdog daemon
Writes file to system bin folder
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | linux_generic_ipv6_catcher |
|---|---|
| Author: | @_lubiedo |
| Description: | ELF samples using IPv6 addresses |
| Rule name: | linux_generic_p2p_catcher |
|---|---|
| Author: | @_lubiedo |
| Description: | Generic catcher for P2P capable linux ELFs |
| Rule name: | SUSP_ELF_LNX_UPX_Compressed_File |
|---|---|
| Author: | Florian Roth |
| Description: | Detects a suspicious ELF binary with UPX compression |
| Reference: | Internal Research |
| Rule name: | SUSP_XORed_Mozilla |
|---|---|
| Author: | Florian Roth |
| Description: | Detects suspicious XORed keyword - Mozilla/5.0 |
| Reference: | Internal Research |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.