MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0fefbfa07e17f4c0806d9a29bcd461da38732f1d8e66a4ce14b0902684f099f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 10



SHA256 hash: f0fefbfa07e17f4c0806d9a29bcd461da38732f1d8e66a4ce14b0902684f099f
SHA3-384 hash: 831ab46d40d0fa2c7edab2ec4a6a44da2ed77c6b712b6bb48098ff7e3304c5a5c86cbca2f2cb9ff141b7396fd85ac536
SHA1 hash: eb720839767304434d2a13d9fa6b3d68d3c818ca
MD5 hash: 0be5c27b4d57d7a4cdd5b1c8c02060f3
humanhash: ten-leopard-zulu-bacon
File name: 0be5c27b4d57d7a4cdd5b1c8c02060f3
Signature: Mirai
File size: 38'192 bytes
First seen: 2023-02-26 15:04:30 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 768:1vaSAUVbEwPFx0UU/fhzIyURkVYJM+kRsImPyUunbcuyD7UHQRjI:BaSAUVbfPH45zIXRyYP0bmJunouy8HyM
TLSH: T1B403F2B0DB5943A3E3AC933299FDBA4E1570D76F50E592F9ACD050334812F393A192D2
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter: zbetcheckin
Tags: 32 elf intel mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 80
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug gafgyt mirai

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: UPX
Botnet: unknown
Number of open files: 2
Number of processes launched: 7
Processes remaining?: false
Remote TCP ports scanned: 23
Behaviour
no suspicious findings

Botnet C2s
TCP botnet C2(s): 212.87.204.161:9560
UDP botnet C2(s): not identified

Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: spre.troj.evad
Score: 84 / 100

Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample is packed with UPX
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Uses known network protocols on non-standard ports
Yara detected Mirai
Behaviour
Behavior Graph: (graph image not preserved in this extraction; recoverable details follow)
Behavior Graph ID: 815493
Sample: wEdKa4CWHB.elf
Startdate: 26/02/2023
Architecture: LINUX
Score: 84
Contacted hosts shown in graph: 185.116.54.246:23 (YOTIGB, United Kingdom); 105.255.102.145:23 (Vodacom-VBZA, South Africa); 98 other IPs or domains
Signatures shown in graph: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected Mirai; 2 other signatures; Reads system files that contain records of logged in users; Sample reads /proc/mounts (often used for finding a writable filesystem); Sample tries to kill multiple processes (SIGKILL)
Process tree shown in graph: wEdKa4CWHB.elf started several child copies of itself (the SIGKILL signature is attached to these), alongside unrelated desktop session processes (gdm3, gdm-session-worker, accounts-daemon, gnome-shell, dbus-daemon, Xorg and others) that were running in the sandbox
Threat name: Linux.Trojan.Mirai
Status: Malicious
First seen: 2023-02-26 15:05:08 UTC
File Type: ELF32 Little (Exe)
AV detection: 18 of 25 (72.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: discovery linux
Behaviour
Contacts a large (20130) amount of remote hosts
Creates a large amount of network flows
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_ELF_LNX_UPX_Compressed_File
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious ELF binary with UPX compression
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf f0fefbfa07e17f4c0806d9a29bcd461da38732f1d8e66a4ce14b0902684f099f

(this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2023-02-26 15:04:31 UTC

url : hxxp://212.87.204.161/d/hotnet.x86