MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5185ead8952444b0e6eef5faaafe66ff8d06f928f0277c6fe40a486b6cb1c67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash: f5185ead8952444b0e6eef5faaafe66ff8d06f928f0277c6fe40a486b6cb1c67
SHA3-384 hash: ac7d2409195526335831db609e439799af1d6087b37b1e4e24d919314cc83b823bccb902d2d120d722c6107efa403232
SHA1 hash: 633fc90869954f6d457f26b55584cead48e1c89c
MD5 hash: 1f7946b3ae524aab4ba73b3af89f2272
humanhash: skylark-helium-utah-nevada
File name:niggah.mpsl
Download: download sample
Signature Mirai
File size:72'664 bytes
First seen:2025-11-29 04:56:30 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:LbnXBb/yk74QSIa1ECVYZ2ZEhNH+9BxJ1Eqqe:LbnXBq3J1EdZ2Jj1Eqh
TLSH T18B63A50AFF650EBBEC6BDD3705A9070534CC651A12A93B393974D82CF55A14F49E3CA8
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 93c0bfa413b09bc191e8ce6df40662d43f83341b9b8c8f9fd1a256190edf47cf
File size (compressed) :28'940 bytes
File size (de-compressed) :72'664 bytes
Format:linux/mipsel
Packed file: 93c0bfa413b09bc191e8ce6df40662d43f83341b9b8c8f9fd1a256190edf47cf

Intelligence


File Origin
# of uploads :
1
# of downloads :
82
Origin country :
NL NL
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Runs as daemon
Creating a file in the %temp% directory
Kills processes
Locks files
Opens a port
Deleting a recently created file
Sends data to a server
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-11-29T04:57:00Z UTC
Last seen:
2025-11-29T05:22:00Z UTC
Hits:
~10
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1822704 Sample: niggah.mpsl.elf Startdate: 29/11/2025 Architecture: LINUX Score: 56 15 91.200.220.65, 36788 VICATVUA Ukraine 2->15 17 daisy.ubuntu.com 2->17 19 Antivirus / Scanner detection for submitted sample 2->19 21 Multi AV Scanner detection for submitted file 2->21 7 niggah.mpsl.elf 2->7         started        9 python3.8 dpkg 2->9         started        signatures3 process4 process5 11 niggah.mpsl.elf 7->11         started        13 niggah.mpsl.elf 7->13         started       
Threat name:
Linux.Worm.Mirai
Status:
Malicious
First seen:
2025-11-29 04:57:15 UTC
File Type:
ELF32 Little (Exe)
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Writes file to tmp directory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf f5185ead8952444b0e6eef5faaafe66ff8d06f928f0277c6fe40a486b6cb1c67

(this sample)

  
Delivery method
Distributed via web download

Comments