MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
SHA3-384 hash: d3bc6c2e85d8749d1d48a4b146ddb7685ae27414801202fcac1d4c55be3f65c55a334c6379cbfb3e366f7d71b3d0330c
SHA1 hash: 3997a0fc0bd5958783f1751364ec407c5b170adc
MD5 hash: 559f129d380ad1cfb60792c6b2dc3d32
humanhash: minnesota-double-october-carbon
File name:mips
Download: download sample
Signature Mirai
Create hunting rule
File size:101'564 bytes
First seen:2024-11-08 01:56:47 UTC
Last seen:2025-01-03 23:35:30 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:1LuJu12iTfjZWMQ1PYQoUfV2uV2RM2ev82krWtESNUngvReJAbdO2IAo:1ufmWxloUQ2kitt9+2IP
TLSH T160A3C80E6E219FBDF368823447B78E31A75933D627E1D681E26CD6101F6024E585FFA8
telfhash t1e921515c4a7422f067365c896badef77e1a130df5b216d378e01b8adba6d9815e00c0c
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence

File Origin
# of uploads :
6
# of downloads :
106
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.31076.LX.BOT.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672d6fefa5bee3c9d42ba5b3linux22vpnfull_triage
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Mounts file systems
Connection attempt
Kills processes
Changes the time when the file was created, accessed, or modified
Sends data to a server
Receives data from a server
Creating a file
Launching a process
Runs as daemon
Opens a port
Changes access rights for a written file
Substitutes an application name
Creates or modifies files in /cron to set up autorun
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug lolbin remote
Link:
https://www.filescan.io/uploads/672d6fef030d1b0aaf402869/reports/484d5261-741e-43d4-964f-105160a650d2/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
true
Architecture:
mips
Packer:
not packed
Botnet:
unknown
Number of open files:
16
Number of processes launched:
8
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
Behaviour
Anti-VM
Process Renaming
Information Gathering
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c11c5f73-6724-4298-9e51-86898210c4b8
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1551711
Signature
Antivirus / Scanner detection for submitted sample
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Sample tries to persist itself using cron
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1551711 Sample: mips.elf Startdate: 08/11/2024 Architecture: LINUX Score: 64 37 Antivirus / Scanner detection for submitted sample 2->37 39 Multi AV Scanner detection for submitted file 2->39 8 mips.elf 2->8         started        process3 process4 10 mips.elf sh 8->10         started        12 mips.elf 8->12         started        14 mips.elf 8->14         started        16 mips.elf 8->16         started        process5 18 sh crontab 10->18         started        22 sh 10->22         started        24 mips.elf 12->24         started        26 mips.elf 14->26         started        28 mips.elf 14->28         started        file6 35 /var/spool/cron/crontabs/tmp.i33T3j, ASCII 18->35 dropped 41 Sample tries to persist itself using cron 18->41 43 Executes the "crontab" command typically for achieving persistence 18->43 30 sh crontab 22->30         started        33 mips.elf 24->33         started        signatures7 process8 signatures9 45 Executes the "crontab" command typically for achieving persistence 30->45
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d/
Threat name:
Linux.Backdoor.Mirai
Create hunting rule
Status:
Malicious
First seen:
2024-11-08 01:57:05 UTC
File Type:
ELF32 Big (Exe)
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7pn5aojfdhsjucpgi7mmqmcg7mk5nxf3qjdo4l4bhuiadc5ivq6q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery execution persistence privilege_escalatio
Link:
https://tria.ge/reports/241108-cc9h9s1rft/
Behaviour
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Creates/modifies Cron job
File and Directory Permissions Modification
Renames itself
Unexpected DNS network traffic destination
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2f49f588-5a77-463e-8165-12f4775b00f2
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ELF_Mirai
Create hunting rule
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 712f6ecf11a72a6182061c1ec7e778b80a6c433d19f817a22f88bae7839d7cb7

Mirai

elf fbdbd0392519e49a09e647d8c83046fb15d6dcbb8246ee2f813d10018ba8ac3d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3280993/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3192188/
  
URLhaus
https://urlhaus.abuse.ch/url/3254739/
  
Dropped by
SHA256 712f6ecf11a72a6182061c1ec7e778b80a6c433d19f817a22f88bae7839d7cb7
  
Dropped by
MD5 8d1c7910b1a5099576ff43b0ea34c6be

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments