MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fafc2152e9f17e9aa6014b10c18aa58b31ba2e7c125dc31530a7fef4878d80eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 12



SHA256 hash: fafc2152e9f17e9aa6014b10c18aa58b31ba2e7c125dc31530a7fef4878d80eb
SHA3-384 hash: 2b258ecc2e0d48710bad22098edffcf4105e122cb93b7a5a78864a6427ed5e4c3d1061a00ba60ed0cce24432083229c9
SHA1 hash: 9980bbc904ff2fc79bef3a93120d2bb2cf804358
MD5 hash: b1af58c923f4205a18bc15179625358b
humanhash: michigan-network-equal-yankee
File name: mao.i686
Signature: Mirai
File size: 74'324 bytes
First seen: 2026-04-06 10:39:46 UTC
Last seen: 2026-04-07 09:42:41 UTC
File type: elf
MIME type: application/x-executable
ssdeep 1536:Ab8vIjJtrsF5yp6kmVur5G/x19KedHEvqqk6u689:Ab8QjDrg5yp6kmMrE/b9vevqV
TLSH T170732B85F9CB81F5C91B487090E6F23FCB31D9668170996DEF995F31DA77A02A2132C8
telfhash t1f621f6fa1abd49e8b7c09845934f5e607a9da77f64a0727301232538227fdc640bbc75
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags: elf mirai

Intelligence


File Origin
# of uploads :
2
# of downloads :
51
Origin country :
DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Kills processes
Launching a process
Creating a file in the %temp% directory
Manages services
Creating a file
Sets a written file as executable
Runs as daemon
Opens a port
DNS request
Creates or modifies files in /cron to set up autorun
Substitutes an application name
Creates or modifies symbolic links in /init.d to set up autorun
Creates or modifies files in /init.d to set up autorun
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
1
Number of processes launched:
8
Processes remaining?
true
Remote TCP ports scanned:
not identified
Behaviour
Persistence
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-04-06T08:29:00Z UTC
Last seen:
2026-04-07T06:51:00Z UTC
Hits:
~10
Status:
terminated
Behavior Graph:
Result
Threat name:
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Signature
Drops files in suspicious directories
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Yara detected Okiru
Behaviour
Behavior Graph:
Behavior Graph ID: 1893938
Sample: mao.i686.elf
Startdate: 06/04/2026
Architecture: LINUX
Score: 76
Network nodes: 109.202.202.202, 80 (INIT7CH, Switzerland); mn.34509.su 89.190.156.14, 25565, 49932 (HOSTUS-GLOBAL-ASHostUSHK, United Kingdom); 3 other IPs or domains
Dropped files: /etc/init.d/.sys_daemon, POSIX; /etc/cron.d/.sys_update, ASCII; /tmp/.sys_recovery.sh, POSIX
Threat name:
Linux.Worm.Mirai
Status:
Malicious
First seen:
2026-04-06 10:40:23 UTC
File Type:
ELF32 Little (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:mirai defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Reads runtime system information
Writes file to tmp directory
Changes its process name
Creates/modifies Cron job
Modifies init.d
Modifies systemd
File and Directory Permissions Modification
Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ELF_IoT_Persistence_Hunt
Author: 4r4
Description: Hunts for ELF files with persistence and download capabilities
Rule name: Linux_Generic_Threat_3bcc1630
Author: Elastic Security
Rule name: Linux_Generic_Threat_da28eb8b
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_0cb1699c
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_0d73971c
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_268aac0b
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_2e3f67a9
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_70ef58f1
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_88de437f
Author: Elastic Security
Rule name: Linux_Trojan_Mirai_cc93863b
Author: Elastic Security
Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf fafc2152e9f17e9aa6014b10c18aa58b31ba2e7c125dc31530a7fef4878d80eb

(this sample)

  
Delivery method
Distributed via web download
