MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1b7e0a54802d2456b4e5525341c09e9f496ab8db367b7a679023241a02d7cdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9


Intelligence 9 IOCs YARA 12 File information Comments

SHA256 hash: f1b7e0a54802d2456b4e5525341c09e9f496ab8db367b7a679023241a02d7cdb
SHA3-384 hash: 246ce23329c4399ae9edcc09e009210fe1ef5ae44c4ac400a432c334e60a1080aea74e344fdd5c6e095732813404d7fc
SHA1 hash: 0c1b11bd40a6f01490ba8e5c50be1e3f5de4f535
MD5 hash: ac0853c8cc0c22166e622862b96a02bc
humanhash: thirteen-nitrogen-maine-carpet
File name:i586
Download: download sample
Signature Mirai
File size:70'352 bytes
First seen:2026-05-02 04:03:46 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:K33Ah4QkZOoLs7BX2ReUByBHVg9QBwUQI5yuY0YPxOIH8rx:Mg4QkQoEBivyBKGBwUl59vwEEc
TLSH T1636319C16A43CEF7E81311F112F7AB324A32FD3E0866DA86D364FDA25A515C1B51636C
telfhash t1c131e8f60e6e58e8b7c09440c34e6fd21a7ee537256076a14572982133abd8291f9c3e
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence


File Origin
# of uploads :
1
# of downloads :
90
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
DNS request
Changes access rights for a written file
Changes the time when the file was created, accessed, or modified
Runs as daemon
Manages services
Creating a file
Opens a port
Launching a process
Creates or modifies files in /cron to set up autorun
Writes files to system subdirectory
Substitutes an application name
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
54
Number of processes launched:
3
Processes remaning?
true
Remote TCP ports scanned:
not identified
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-05-02T01:26:00Z UTC
Last seen:
2026-05-04T00:45:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
%3 guuid=84a4a0d0-1c00-0000-c9b6-90a7b0090000 pid=2480 /usr/bin/sudo guuid=bc46cdd2-1c00-0000-c9b6-90a7b7090000 pid=2487 /tmp/sample.bin net guuid=84a4a0d0-1c00-0000-c9b6-90a7b0090000 pid=2480->guuid=bc46cdd2-1c00-0000-c9b6-90a7b7090000 pid=2487 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=bc46cdd2-1c00-0000-c9b6-90a7b7090000 pid=2487->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=534028d3-1c00-0000-c9b6-90a7b9090000 pid=2489 /tmp/sample.bin write-file zombie guuid=bc46cdd2-1c00-0000-c9b6-90a7b7090000 pid=2487->guuid=534028d3-1c00-0000-c9b6-90a7b9090000 pid=2489 clone guuid=755d36d3-1c00-0000-c9b6-90a7ba090000 pid=2490 /tmp/sample.bin guuid=534028d3-1c00-0000-c9b6-90a7b9090000 pid=2489->guuid=755d36d3-1c00-0000-c9b6-90a7ba090000 pid=2490 clone guuid=cb9be2df-1c00-0000-c9b6-90a7d3090000 pid=2515 /tmp/sample.bin guuid=534028d3-1c00-0000-c9b6-90a7b9090000 pid=2489->guuid=cb9be2df-1c00-0000-c9b6-90a7d3090000 pid=2515 clone guuid=73dfe7df-1c00-0000-c9b6-90a7d4090000 pid=2516 /tmp/sample.bin dns net send-data zombie guuid=534028d3-1c00-0000-c9b6-90a7b9090000 pid=2489->guuid=73dfe7df-1c00-0000-c9b6-90a7d4090000 pid=2516 clone guuid=d5d8f2df-1c00-0000-c9b6-90a7d5090000 pid=2517 /usr/bin/dash guuid=534028d3-1c00-0000-c9b6-90a7b9090000 pid=2489->guuid=d5d8f2df-1c00-0000-c9b6-90a7d5090000 pid=2517 execve guuid=c5916beb-1c00-0000-c9b6-90a7f6090000 pid=2550 /usr/bin/dash guuid=534028d3-1c00-0000-c9b6-90a7b9090000 pid=2489->guuid=c5916beb-1c00-0000-c9b6-90a7f6090000 pid=2550 execve 54d92a3b-1447-55af-b534-047898c60c8d 1.1.1.1:53 guuid=73dfe7df-1c00-0000-c9b6-90a7d4090000 pid=2516->54d92a3b-1447-55af-b534-047898c60c8d send: 26B bd930d39-22db-55fb-bdda-fdc26d8734a0 bahk.pro:1290 guuid=73dfe7df-1c00-0000-c9b6-90a7d4090000 pid=2516->bd930d39-22db-55fb-bdda-fdc26d8734a0 send: 333B guuid=aa587be0-1c00-0000-c9b6-90a7d7090000 pid=2519 /usr/bin/dash guuid=d5d8f2df-1c00-0000-c9b6-90a7d5090000 pid=2517->guuid=aa587be0-1c00-0000-c9b6-90a7d7090000 pid=2519 execve guuid=60c282e0-1c00-0000-c9b6-90a7d8090000 pid=2520 /usr/bin/dash guuid=d5d8f2df-1c00-0000-c9b6-90a7d5090000 pid=2517->guuid=60c282e0-1c00-0000-c9b6-90a7d8090000 pid=2520 clone guuid=77018ee0-1c00-0000-c9b6-90a7d9090000 pid=2521 /usr/bin/chmod guuid=aa587be0-1c00-0000-c9b6-90a7d7090000 pid=2519->guuid=77018ee0-1c00-0000-c9b6-90a7d9090000 pid=2521 execve guuid=35d4ede0-1c00-0000-c9b6-90a7db090000 pid=2523 /usr/bin/dash guuid=aa587be0-1c00-0000-c9b6-90a7d7090000 pid=2519->guuid=35d4ede0-1c00-0000-c9b6-90a7db090000 pid=2523 execve guuid=93f11ee1-1c00-0000-c9b6-90a7dd090000 pid=2525 /usr/bin/curl guuid=aa587be0-1c00-0000-c9b6-90a7d7090000 pid=2519->guuid=93f11ee1-1c00-0000-c9b6-90a7dd090000 pid=2525 execve guuid=b2bc44e9-1c00-0000-c9b6-90a7f1090000 pid=2545 /usr/bin/chmod guuid=aa587be0-1c00-0000-c9b6-90a7d7090000 pid=2519->guuid=b2bc44e9-1c00-0000-c9b6-90a7f1090000 pid=2545 execve guuid=93f11ee1-1c00-0000-c9b6-90a7dd090000 pid=2539 /usr/bin/curl dns net send-data guuid=93f11ee1-1c00-0000-c9b6-90a7dd090000 pid=2525->guuid=93f11ee1-1c00-0000-c9b6-90a7dd090000 pid=2539 clone 4f6baed0-9587-596c-82b3-fd721afe4cc1 10.0.2.3:53 guuid=93f11ee1-1c00-0000-c9b6-90a7dd090000 pid=2539->4f6baed0-9587-596c-82b3-fd721afe4cc1 send: 104B guuid=a416b2eb-1c00-0000-c9b6-90a7f8090000 pid=2552 /usr/bin/systemctl guuid=c5916beb-1c00-0000-c9b6-90a7f6090000 pid=2550->guuid=a416b2eb-1c00-0000-c9b6-90a7f8090000 pid=2552 execve
Result
Threat name:
Detection:
malicious
Classification:
troj
Score:
76 / 100
Signature
Executes the "crontab" command typically for achieving persistence
Malicious sample detected (through community Yara rule)
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Multi AV Scanner detection for submitted file
Sample tries to persist itself using cron
Yara detected Mirai
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1907586 Sample: i586.elf Startdate: 02/05/2026 Architecture: LINUX Score: 76 51 bahk.pro 195.154.171.146, 1290, 33062 OnlineSASFR France 2->51 53 109.202.202.202, 80 INIT7CH Switzerland 2->53 55 3 other IPs or domains 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected Mirai 2->61 10 i586.elf 2->10         started        12 systemd snapd-env-generator 2->12         started        14 dash rm 2->14         started        16 dash rm 2->16         started        signatures3 process4 process5 18 i586.elf 10->18         started        file6 47 /root/.bashrc, ASCII 18->47 dropped 63 Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions 18->63 22 i586.elf sh 18->22         started        24 i586.elf sh 18->24         started        26 i586.elf 18->26         started        28 2 other processes 18->28 signatures7 process8 process9 30 sh crontab 22->30         started        34 sh sh 22->34         started        36 sh systemctl 24->36         started        file10 49 /var/spool/cron/crontabs/tmp.NPTxFD, ASCII 30->49 dropped 67 Sample tries to persist itself using cron 30->67 69 Executes the "crontab" command typically for achieving persistence 30->69 38 sh crontab 34->38         started        41 sh chmod 34->41         started        43 sh sh 34->43         started        45 2 other processes 34->45 signatures11 process12 signatures13 65 Executes the "crontab" command typically for achieving persistence 38->65
Threat name:
Linux.Backdoor.Mirai
Status:
Malicious
First seen:
2026-05-02 04:04:35 UTC
File Type:
ELF32 Little (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Reads system network configuration
Modifies Bash startup script
Creates/modifies Cron job
Creates/modifies environment variables
Enumerates active TCP sockets
Enumerates running processes
Modifies systemd
File and Directory Permissions Modification
Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Toriilike_persist
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:Linux_Trojan_Gafgyt_5bf62ce4
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_389ee3e9
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_5f7b67b8
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_88de437f
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_8aa7b5d3
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_ae9d0fa6
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_b14f4c5d
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_cc93863b
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_fa3ad9d0
Author:Elastic Security
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf f1b7e0a54802d2456b4e5525341c09e9f496ab8db367b7a679023241a02d7cdb

(this sample)

  
Delivery method
Distributed via web download

Comments