MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5a7fd53488638cd3c36f39bdb6b9b35dc6df14ad837dd30eb87b95262feb2f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 10



SHA256 hash: f5a7fd53488638cd3c36f39bdb6b9b35dc6df14ad837dd30eb87b95262feb2f5
SHA3-384 hash: 780d5f2b359cc2234b5eb68cda1ff98bda2aeb2cb8a12caf98791b253251f0e80d9bee9c00cd105ddc48ec2bc3707217
SHA1 hash: 64f2392711a5dacad0285d82823638f2337216b3
MD5 hash: 204c72c575772807a142cd60c59a6823
humanhash: sink-london-arizona-helium
File name: bot
Signature: Mirai
File size: 3'683'088 bytes
First seen: 2025-11-25 17:32:33 UTC
Last seen: Never
File type: elf
MIME type: application/x-sharedlib
ssdeep: 98304:VonJ1gL2vfaWtmj9OmHPxfvDsHUg4jZH2vY/LKwxRnIcG:VcrUMU5nLhd2vsWGRnI/
TLSH: T16406337E9F19FDA3F5C09D3460276A94CAD25B0600DD3EF09D847962DCB02F75AAB086
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai UPX
File size (compressed): 3'683'088 bytes
File size (de-compressed): 10'166'984 bytes
Format: linux/amd64
Unpacked file: 85fb4996fd46b91bda84aae63acad45d0d5784782d09fbf5141aeb426a2ca5c6

Intelligence


File Origin
# of uploads: 1
# of downloads: 42
Origin country: DE
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Changes the time when the file was created, accessed, or modified
Manages services
Receives data from a server
Collects information on the OS
Opens a port
Deleting a recently created file
Collects information on the RAM
Launching a process
Sends data to a server
Connection attempt
Sets a written file as executable
Creating a file
Collects information on the CPU
Changes access rights for a written file
Runs as daemon
Creating a process from a recently created file
Creating a file in the %temp% directory
Locks files
Creates or modifies files in /cron to set up autorun
Loading a system driver
Substitutes an application name
Creates or modifies files in /init.d to set up autorun
Creates or modifies files to set up autorun
Verdict: Unknown
Threat level: 0/10
Confidence: 100%
Tags: miner monero packed upx xmrig
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: UPX
Botnet: unknown
Number of open files: 70
Number of processes launched: 24
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour
Persistence
Process Renaming
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Verdict: Malicious
File Type: elf.64.le
First seen: 2025-11-25T10:19:00Z UTC
Last seen: 2025-11-26T00:31:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad.mine
Score: 92 / 100
Signature
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings related to Crypto-Mining
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample is packed with UPX
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Behaviour
Behavior Graph:
Threat name: Linux.Backdoor.Mirai
Status: Suspicious
First seen: 2025-11-25 17:33:25 UTC
File Type: ELF64 Little (SO)
AV detection: 13 of 24 (54.17%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig antivm defense_evasion discovery exection execution linux miner persistence privilege_escalation rootkit upx
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Reads CPU attributes
Changes its process name
Checks CPU configuration
UPX packed file
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Disables AppArmor
Disables SELinux
Enumerates running processes
Modifies init.d
Reads hardware information
Write file to user bin folder
Executes dropped EXE
Loads a kernel module
Modifies hosts file
Renames itself
Modifies the dynamic linker configuration file
XMRig Miner payload
Xmrig family
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: upx_packed_elf_v1
Author: RandomMalware
Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for WhirlPool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Mirai
elf f5a7fd53488638cd3c36f39bdb6b9b35dc6df14ad837dd30eb87b95262feb2f5 (this sample)
Delivery method: Distributed via web download

Comments