MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa9cc515a7c82e8d4c0508138cce62a676d18d73ebb0779b0032f7d5471563e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 12



SHA256 hash: fa9cc515a7c82e8d4c0508138cce62a676d18d73ebb0779b0032f7d5471563e2
SHA3-384 hash: 3c4525237fa46fcdaaf4c9615fa101ddb82cf813c725d490312909140eaa0dd51297e7f25b78a003ce3fbea2b9d05ee0
SHA1 hash: 6929bfbe05290e0ff56f774210b15bc447c06844
MD5 hash: d515bf342d07caba906ff33cf209c954
humanhash: lion-steak-video-seventeen
File name: Fantazy.i486
Signature: Mirai
File size: 62'048 bytes
First seen: 2026-01-06 12:36:55 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 768:0HM+HZ7PporS5eFRMzFpQRPagnmaWqby2iLZ06jR3vrNpHFfhsIGExSmVDVexBuv:0HM+HlxqSE9N+/JR/rNpJGgxSHqjduQ
TLSH: T195534A8BD6C7F9F0DD42057C20ABAA35D436A8223174CFE7F7D9B513E966602A01236D
telfhash: t17811c4f61ebe08ecfbe58400820f6f504abae53b256072a01771e214329bf426537c7d
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12); 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 63
Origin country: DE
Vendor Threat Intelligence
Malware configuration found for: Mirai
Details: Mirai, an XOR decryption key and at least a c2 socket address
Result
Verdict: Malware
Maliciousness:
Behaviour
Connection attempt
Runs as daemon
Receives data from a server
Kills processes
Opens a port
Sends data to a server
Substitutes an application name
Verdict: Unknown
Threat level: 0/10
Confidence: 100%
Tags: masquerade rust
Verdict: Malicious
File Type: elf.32.le
First seen: 2026-01-06T11:15:00Z UTC
Last seen: 2026-01-07T06:12:00Z UTC
Hits: ~10
Result
Threat name: n/a
Detection: malicious
Classification: spre.troj
Score: 76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Behaviour
Behavior Graph: ID 1845440, sample Fantazy.i486.elf, start date 06/01/2026, architecture LINUX, score 76 (rendered on the original page as a process-tree graph with the contacted hosts and the matched signatures listed above)
Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2026-01-06 12:37:16 UTC
File Type: ELF32 Little (Exe)
AV detection: 19 of 24 (79.17%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: credential_access defense_evasion discovery linux
Behaviour
Reads runtime system information
Changes its process name
Reads process memory
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Contacts a large (23846) amount of remote hosts
Creates a large amount of network flows
Verdict: Malicious
Tags: trojan mirai Unix.Trojan.Mirai-7135937-0
YARA: Linux_Trojan_Mirai_aa39fb02 Linux_Trojan_Mirai_3a56423b Linux_Trojan_Mirai_575f5bc8 Linux_Trojan_Mirai_6e8e9257
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: Linux_Trojan_Mirai_3a56423b
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_575f5bc8
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_6e8e9257
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_aa39fb02
Author: Elastic Security
Rule name: SUSP_XORed_Mozilla_Oct19
Author: Florian Roth
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference: https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Malware family: Mirai
File: elf fa9cc515a7c82e8d4c0508138cce62a676d18d73ebb0779b0032f7d5471563e2 (this sample)
