MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee0dd1fc46f34c3c8e957418af6556ebd43f0903b072784e8e737441fd430e12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee0dd1fc46f34c3c8e957418af6556ebd43f0903b072784e8e737441fd430e12
SHA3-384 hash: 589efe7a88d803610efa70ad0e97f32361a31a98066c595cc9db9e723c5859208ae7cfe583e0bc52bbf6db3b05108d22
SHA1 hash: cbe0e62fd8c35fbc82d5f1917200b7ada82e5a7e
MD5 hash: b32ebe71d96456a77447ff1241f49b34
humanhash: asparagus-ack-beryllium-jig
File name:sora.arm
Download: download sample
Signature Mirai
Create hunting rule
File size:72'304 bytes
First seen:2026-02-09 01:25:46 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:BgNL4Rs24f0rf3zcGEd83+k0D9yJHjMhW25WeiA7s:BgN8BEmOk0RyJHGv5G
TLSH T1D06316857880AA26CBC0167BFA5F008E331467D8E1DB73479C145FA176CAD1F0DABB5A
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
35
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
Mirai
Details
Mirai
an XOR decryption key and at least a c2 socket address
Link:
https://research.acce.ciphertechsolutions.com/results/097146ae-729b-4cef-a6ab-7383ba28ae7b/
Detection(s):
SecuriteInfo.com.Linux.Mirai-63.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30435.LC.UNOFFICIAL
Create hunting rule

Unix.Dropper.Mirai-7135890-0
Create hunting rule

Unix.Dropper.Mirai-7135897-0
Create hunting rule

Unix.Dropper.Mirai-7135901-0
Create hunting rule

Unix.Trojan.Mirai-7135916-0
Create hunting rule

Unix.Dropper.Mirai-7135918-0
Create hunting rule

Unix.Dropper.Mirai-7135939-0
Create hunting rule

Unix.Dropper.Mirai-7135954-0
Create hunting rule

Unix.Dropper.Mirai-7136025-0
Create hunting rule

Unix.Dropper.Mirai-7136028-0
Create hunting rule

Unix.Trojan.Mirai-9819563-0
Create hunting rule

Unix.Trojan.Mirai-9820623-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
masquerade mirai rust
Link:
https://www.filescan.io/uploads/698937b3b6bd365f0a6a85b4/reports/f353ec05-d406-4181-8068-416b43fa366f/overview
Result
Gathering data
Verdict:
Malicious
File Type:
elf.32.le
Detections:
HEUR:Backdoor.Linux.Mirai.b HEUR:Backdoor.Linux.Mirai.r HEUR:Backdoor.Linux.Mirai.ba
Link:
https://opentip.kaspersky.com/ee0dd1fc46f34c3c8e957418af6556ebd43f0903b072784e8e737441fd430e12/results?tab=lookup
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a5bb989-971a-48f4-8033-cebc670ed758
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1865820
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1865820 Sample: sora.arm.elf Startdate: 09/02/2026 Architecture: LINUX Score: 88 28 159.1.157.28 WA-STATE-GOVUS United States 2->28 30 67.229.74.138 VPLSNETUS United States 2->30 32 98 other IPs or domains 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected Mirai 2->40 8 sora.arm.elf 2->8         started        10 dash rm 2->10         started        12 dash rm 2->12         started        14 python3.8 dpkg 2->14         started        signatures3 process4 process5 16 sora.arm.elf 8->16         started        18 sora.arm.elf 8->18         started        20 sora.arm.elf 8->20         started        process6 22 sora.arm.elf 16->22         started        24 sora.arm.elf 16->24         started        26 sora.arm.elf 16->26         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/ee0dd1fc46f34c3c8e957418af6556ebd43f0903b072784e8e737441fd430e12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee0dd1fc46f34c3c8e957418af6556ebd43f0903b072784e8e737441fd430e12/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/ee0dd1fc46f34c3c8e957418af6556ebd43f0903b072784e8e737441fd430e12
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2026-02-09 00:33:34 UTC
File Type:
ELF32 Little (Exe)
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5yg5d7cg6ngdzduvoqmk6zkw5pkd6cidwbzhqtuoon2ed7kdbyja._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:sora
Link:
https://tria.ge/reports/260209-btkqsshs6h/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/ee0dd1fc46f34c3c8e957418af6556ebd43f0903b072784e8e737441fd430e12

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Generic_Threat_d94e1020
Create hunting rule
Author:Elastic Security
Rule name:MAL_ELF_LNX_Mirai_Oct10_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects ELF malware Mirai related
Reference:Internal Research
Rule name:MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A
Create hunting rule
Author:Florian Roth
Description:Detects ELF malware Mirai related
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf ee0dd1fc46f34c3c8e957418af6556ebd43f0903b072784e8e737441fd430e12

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3774370/
  
Delivery method
Distributed via web download

Comments