MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7c727d825e8e956578ecde37f0437f04368d19ac35bb962e7c2f166ce9a9bf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7c727d825e8e956578ecde37f0437f04368d19ac35bb962e7c2f166ce9a9bf4
SHA3-384 hash: 863a1504d322771cf05c363fbe03483dfb5d6fc96bc823c3f94e6d02693846b9819979654def0720d5af7e96c80d8136
SHA1 hash: 7bc5fbf752902487f396625a2805b1fb29dcd1be
MD5 hash: 691e3ad0aaaaab3f0f911d414ca573d4
humanhash: rugby-football-cat-michigan
File name:aarch64
Download: download sample
Signature Mirai
Create hunting rule
File size:1'246'352 bytes
First seen:2025-05-17 11:29:31 UTC
Last seen:2025-05-17 15:31:13 UTC
File type: elf
MIME type:application/x-executable
ssdeep 12288:jmbWxXD0YnU2ZlDAA46B6N/6dvfvASAg5HrFghDYmnKnHJ76CsG6pDN0d6mt5fZ:hDnBZlDx4QoSFFRL6TBpDN0cmt5f
TLSH T1AD459D97BF4C3D47C696C33E8AA683701337F996534396173904A23CEDE3AA8CE91945
telfhash t11ed02ef20fa884005402f81028c500bd6e8ce9012ec6f840ee4dd8824c3002c2b5398b
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Siggen.9023.25425.20578.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68287436e5aa44ec2e1a24d9linux22vpnfull_triage
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Connection attempt
Runs as daemon
Creating a file
Sets a written file as executable
Writes files to system directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bash gcc lolbin remote
Link:
https://www.filescan.io/uploads/68287342c609634bd7c6dc97/reports/5c063042-a889-4374-b95e-98a59ae5b819/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
arm
Packer:
not packed
Botnet:
unknown
Number of open files:
0
Number of processes launched:
0
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/f7c727d825e8e956578ecde37f0437f04368d19ac35bb962e7c2f166ce9a9bf4
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/fcc9e962-0051-44da-bab9-391a13bc050b
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1692840
Signature
Drops files in suspicious directories
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1692840 Sample: aarch64.elf Startdate: 17/05/2025 Architecture: LINUX Score: 48 136 109.202.202.202, 80 INIT7CH Switzerland 2->136 138 91.189.91.42, 443 CANONICAL-ASGB United Kingdom 2->138 140 91.189.91.43, 443 CANONICAL-ASGB United Kingdom 2->140 14 aarch64.elf 2->14         started        process3 process4 16 aarch64.elf 14->16         started        signatures5 142 Writes identical ELF files to multiple locations 16->142 144 Drops files in suspicious directories 16->144 19 aarch64.elf update 16->19         started        21 aarch64.elf update 16->21         started        23 aarch64.elf update 16->23         started        25 6 other processes 16->25 process6 process7 27 update 19->27         started        30 update 21->30         started        32 update 23->32         started        34 update 25->34         started        36 update 25->36         started        38 update 25->38         started        40 3 other processes 25->40 signatures8 148 Drops files in suspicious directories 27->148 42 update update 27->42         started        44 update update 27->44         started        46 update update 27->46         started        50 5 other processes 27->50 150 Writes identical ELF files to multiple locations 30->150 52 3 other processes 30->52 54 5 other processes 32->54 56 7 other processes 34->56 58 2 other processes 36->58 48 update 38->48         started        process9 process10 60 update 42->60         started        64 update 44->64         started        66 update 46->66         started        68 update 54->68         started        70 update 54->70         started        72 update 54->72         started        74 update 56->74         started        76 update 56->76         started        file11 134 /usr/games/update, ELF 60->134 dropped 152 Drops files in suspicious directories 60->152 78 update update 60->78         started        80 update update 60->80         started        82 update update 60->82         started        88 4 other processes 60->88 84 update update 64->84         started        90 5 other processes 64->90 92 3 other processes 66->92 94 2 other processes 68->94 86 update 74->86         started        signatures12 process13 process14 96 update 78->96         started        100 update 80->100         started        102 update 82->102         started        104 update 84->104         started        106 update 90->106         started        108 update 90->108         started        110 update 90->110         started        file15 132 /usr/bin/update, ELF 96->132 dropped 146 Drops files in suspicious directories 96->146 112 update update 96->112         started        114 update update 96->114         started        116 update update 96->116         started        126 3 other processes 96->126 118 update update 100->118         started        128 2 other processes 100->128 120 update update 102->120         started        122 update update 102->122         started        124 update 104->124         started        signatures16 process17 process18 130 update 120->130         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/f7c727d825e8e956578ecde37f0437f04368d19ac35bb962e7c2f166ce9a9bf4
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f7c727d825e8e956578ecde37f0437f04368d19ac35bb962e7c2f166ce9a9bf4/
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-05-17 11:30:40 UTC
File Type:
ELF64 Little (Exe)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=67dspwbf5duvmv4ozxrx6bbx6bbwrum2ynn3syxhylywntu2tp2a._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/250517-nl22bsel9w/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Mirai
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/f7c727d825e8e956578ecde37f0437f04368d19ac35bb962e7c2f166ce9a9bf4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:malwareelf55503
Create hunting rule
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf f7c727d825e8e956578ecde37f0437f04368d19ac35bb962e7c2f166ce9a9bf4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3545670/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments