MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efe8e89bdfddfee898d422522e6ca66e09175d93496720d00f164bcd1cd721e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash: efe8e89bdfddfee898d422522e6ca66e09175d93496720d00f164bcd1cd721e5
SHA3-384 hash: 0c926e5e58bd429fe1d2021c5601a77250aa9f0578e02366a9d5d1730ca4713bb3d2e0313f91f53db55b1578de68ba7e
SHA1 hash: 83486e10ebfbc0f28e18bf22f1f3cd38c7a02454
MD5 hash: fc318d4e9fadd69e72c59384015caf69
humanhash: hydrogen-queen-autumn-mockingbird
File name:putita.arm6
Download: download sample
Signature Mirai
File size:128'452 bytes
First seen:2026-07-18 16:07:49 UTC
Last seen:Never
File type: elf
MIME type:application/x-sharedlib
ssdeep 3072:6DFDOZ56/8E/dl2VlwoqlcHZcYEEUUR7pUx2yxbRqNZ7vUpuT+2f1Dl:6D84SkqZcYEEUUR7pS2oVqNK8C295
TLSH T1C5C319A9F890DE52C6D1267AF75E118C33231778C3DE7106CE249E3477EB95A0A3E942
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 501379aa82b510cae61abd88b2403d05bd71febcd0b8a40e90ca817422c6731d
File size (compressed) :55'300 bytes
File size (de-compressed) :128'452 bytes
Format:linux/arm
Packed file: 501379aa82b510cae61abd88b2403d05bd71febcd0b8a40e90ca817422c6731d

Intelligence


File Origin
# of uploads :
1
# of downloads :
77
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Opens a port
Sets a written file as executable
Launching a process
Connection attempt
Runs as daemon
Receives data from a server
Sends data to a server
Changes the time when the file was created, accessed, or modified
Changes access rights for a written file
Creating a file
Creates or modifies symbolic links
Substitutes an application name
Writes files to system directory
Creates or modifies files in /cron to set up autorun
Creates or modifies files to set up autorun
Deleting of the original file
Creates or modifies symbolic links in /init.d to set up autorun
Creates or modifies files in /init.d to set up autorun
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
gcc masquerade rust
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
arm
Packer:
UPX
Botnet:
unknown
Number of open files:
51
Number of processes launched:
16
Processes remaning?
true
Remote TCP ports scanned:
not identified
Behaviour
Persistence
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Status:
terminated
Behavior Graph:
%3 guuid=d0fd8103-1800-0000-3b0a-bf49a00a0000 pid=2720 /usr/bin/sudo guuid=c57b8605-1800-0000-3b0a-bf49a60a0000 pid=2726 /tmp/sample.bin guuid=d0fd8103-1800-0000-3b0a-bf49a00a0000 pid=2720->guuid=c57b8605-1800-0000-3b0a-bf49a60a0000 pid=2726 execve
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.evad
Score:
84 / 100
Signature
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Multi AV Scanner detection for submitted file
Protects files from modification
Sample deletes itself
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1944620 Sample: putita.arm6.elf Startdate: 18/07/2026 Architecture: LINUX Score: 84 53 64.89.163.215, 60658, 60660, 60662 NETIFACE-TORONTO-NetifaceAmericaIncUS Germany 2->53 55 109.202.202.202, 80 INIT7CH Switzerland 2->55 57 3 other IPs or domains 2->57 59 Multi AV Scanner detection for submitted file 2->59 9 putita.arm6.elf 2->9         started        13 dash rm 2->13         started        15 dash rm 2->15         started        signatures3 process4 file5 43 /usr/lib/kworker-helper, ELF 9->43 dropped 45 /root/.bashrc, ASCII 9->45 dropped 47 /etc/systemd/system/kworker-helper.service, ASCII 9->47 dropped 49 3 other malicious files 9->49 dropped 65 Sample tries to set files in /etc globally writable 9->65 67 Sample tries to persist itself using /etc/profile 9->67 69 Drops files in suspicious directories 9->69 71 3 other signatures 9->71 17 putita.arm6.elf sh 9->17         started        19 putita.arm6.elf sh 9->19         started        21 putita.arm6.elf chattr 9->21         started        24 6 other processes 9->24 signatures6 process7 signatures8 26 sh crontab 17->26         started        30 sh 17->30         started        32 sh crontab 19->32         started        61 Protects files from modification 21->61 34 putita.arm6.elf 24->34         started        36 putita.arm6.elf 24->36         started        38 putita.arm6.elf 24->38         started        process9 file10 51 /var/spool/cron/crontabs/tmp.eRJYMb, ASCII 26->51 dropped 73 Sample tries to persist itself using cron 26->73 75 Executes the "crontab" command typically for achieving persistence 26->75 40 sh crontab 30->40         started        signatures11 process12 signatures13 63 Executes the "crontab" command typically for achieving persistence 40->63
Threat name:
Linux.Worm.Mirai
Status:
Malicious
First seen:
2026-07-18 16:08:37 UTC
File Type:
ELF32 Little (SO)
AV detection:
6 of 36 (16.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion execution persistence privilege_escalation
Behaviour
Changes its process name
Modifies Bash startup script
Creates/modifies Cron job
Creates/modifies environment variables
Modifies init.d
Modifies rc script
Modifies systemd
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:elf_arm_mips_ko_so
Rule name:ELF_IoT_Persistence_Hunt
Author:4r4
Description:Hunts for ELF files with persistence and download capabilities
Rule name:ELF_Mirai
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf efe8e89bdfddfee898d422522e6ca66e09175d93496720d00f164bcd1cd721e5

(this sample)

  
Delivery method
Distributed via web download

Comments