MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efb5dd988589695eeaf0c856214bc3d318ea3cb860b854fb2e8a703452cd9d09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efb5dd988589695eeaf0c856214bc3d318ea3cb860b854fb2e8a703452cd9d09
SHA3-384 hash: 46e605b4df4a0b62c33bce3c7c3ae131e95eb62f99b02ad556a1d36dea42bd9f9fe6a2e540b7cc1503d62869e82419ec
SHA1 hash: ac761720a2545694bcfe70f81fd65040ca72a559
MD5 hash: ec189510f0181cba47f86d47b94392bb
humanhash: ceiling-zebra-alabama-venus
File name:cron
Download: download sample
Signature Mirai
Create hunting rule
File size:87'812 bytes
First seen:2025-07-18 00:41:52 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:PQSj7HELqqj/nJQB35TNBoWDqNU1TrWCG46yPjJH7WoFg:PQScLqqj/JqrOoTrWCGpysoi
TLSH T1D4836CC6E68B44F6D81304B47056B37BDE32C96A8432CA47FB459E71DE3790292273D9
telfhash t1eb41f7b35e7a08edb3d06801e31e36206d6ad77b14a432a755739531329aec142bbd3e
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
1
# of downloads :
21
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Receives data from a server
Opens a port
Kills processes
Runs as daemon
Sends data to a server
Connection attempt
Launching a process
Substitutes an application name
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/687998648a7d628a81b55faf/reports/0114ae2e-0f55-4cbb-a1f1-a160dc7b60c0/overview
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aac5f970-8373-42b2-8eea-7ad26135273c
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1739293
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Terminates several processes with shell command 'killall'
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1739293 Sample: cron.elf Startdate: 18/07/2025 Architecture: LINUX Score: 60 62 221.167.55.176 YSU-AS-KRyoungsanuniversityKR Korea Republic of 2->62 64 98.137.186.208 YAHOO-GQ1US United States 2->64 66 99 other IPs or domains 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Multi AV Scanner detection for submitted file 2->70 9 cron.elf 2->9         started        11 xfce4-session xfce4-panel 2->11         started        13 xfce4-session xfce4-panel 2->13         started        15 12 other processes 2->15 signatures3 process4 process5 17 cron.elf 9->17         started        29 2 other processes 9->29 19 xfce4-panel wrapper-2.0 11->19         started        21 xfce4-panel wrapper-2.0 11->21         started        23 xfce4-panel wrapper-2.0 11->23         started        31 3 other processes 11->31 25 xfce4-panel wrapper-2.0 13->25         started        27 xfce4-panel wrapper-2.0 13->27         started        33 4 other processes 13->33 process6 35 cron.elf sh 17->35         started        37 cron.elf sh 17->37         started        39 cron.elf sh 17->39         started        45 78 other processes 17->45 41 wrapper-2.0 xfpm-power-backlight-helper 19->41         started        43 wrapper-2.0 xfpm-power-backlight-helper 25->43         started        process7 47 sh killall 35->47         started        50 sh killall 37->50         started        52 sh killall 39->52         started        54 sh killall 45->54         started        56 sh killall 45->56         started        58 sh killall 45->58         started        60 75 other processes 45->60 signatures8 72 Terminates several processes with shell command 'killall' 47->72
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/efb5dd988589695eeaf0c856214bc3d318ea3cb860b854fb2e8a703452cd9d09
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/efb5dd988589695eeaf0c856214bc3d318ea3cb860b854fb2e8a703452cd9d09/
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-07-18 00:42:16 UTC
File Type:
ELF32 Little (Exe)
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=56253gefrfuv52xqzblccs6d2mmoupfymc4fj6zorjydiuwntueq._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai botnet:kyton defense_evasion discovery linux
Link:
https://tria.ge/reports/250718-a2falsfk4s/
Behaviour
Reads runtime system information
Changes its process name
Reads CPU attributes
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Contacts a large (148233) amount of remote hosts
Creates a large amount of network flows
Verdict:
Malicious
Tags:
trojan mirai
YARA:
Linux_Trojan_Mirai_268aac0b Linux_Trojan_Mirai_0cb1699c Linux_Trojan_Mirai_70ef58f1 Linux_Trojan_Mirai_0d73971c Linux_Trojan_Mirai_88de437f Linux_Trojan_Mirai_cc93863b
Link:
https://app.threat.zone/submission/efb39270-3b89-4cf6-ae24-721427f7bae9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efb5dd988589695eeaf0c856214bc3d318ea3cb860b854fb2e8a703452cd9d09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Trojan_Mirai_0cb1699c
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_0d73971c
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_268aac0b
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_70ef58f1
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_88de437f
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_cc93863b
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf efb5dd988589695eeaf0c856214bc3d318ea3cb860b854fb2e8a703452cd9d09

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3584497/
  
Delivery method
Distributed via web download

Comments