MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd6c44ebfd9ae04f9bb4879100120b0cbad215b8c921b433b83e3f84bf00f4ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mirai


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd6c44ebfd9ae04f9bb4879100120b0cbad215b8c921b433b83e3f84bf00f4ca
SHA3-384 hash: 47d05c4169e3cddbb9d536b67e8cbbe5c6276a815622490c17bea0d01c5d19d66292502bafcf391c362e75b5cbc6a1eb
SHA1 hash: a3680bf322a83be06a0d2ba080e5269cc15db1e7
MD5 hash: 9294e791ff9bb1a06f443f37aa37be07
humanhash: winner-connecticut-oxygen-romeo
File name:morte.arm7
Download: download sample
Signature Mirai
Create hunting rule
File size:119'712 bytes
First seen:2025-11-08 23:24:16 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:D2YTt0av4uI6F+5aPFwfFRIDjzoeyCo7jUvmO:D2OAu05aPFwfFR+jz8CkjUmO
TLSH T1B3C32946F9819F11D5D721FAFB5E408933136BA8E3FA3102CD24AF6163C699B0EB7512
telfhash t1d621b161d66c1ecc57d4c74842ce22188eda31f917122ab5cd5d978b41535c2366bd3b
Magika elf
Reporter abuse_ch
Tags:elf mirai upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 7271a0b2c3ab5f774de4eab4dfb7a76afb0b451a5af953a7df31f532b59706d0
File size (compressed) :50'872 bytes
File size (de-compressed) :119'712 bytes
Format:linux/arm
Packed file: 7271a0b2c3ab5f774de4eab4dfb7a76afb0b451a5af953a7df31f532b59706d0

Intelligence

File Origin
# of uploads :
1
# of downloads :
50
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.29524.LC.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30435.LC.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Siggen.9999-6.UNOFFICIAL
Create hunting rule

Unix.Trojan.Mirai-7100807-0
Create hunting rule

Unix.Dropper.Mirai-7135897-0
Create hunting rule

Unix.Dropper.Mirai-7135901-0
Create hunting rule

Unix.Dropper.Mirai-7135909-0
Create hunting rule

Unix.Trojan.Mirai-7135916-0
Create hunting rule

Unix.Dropper.Mirai-7135918-0
Create hunting rule

Unix.Dropper.Mirai-7135954-0
Create hunting rule

Unix.Dropper.Mirai-7136016-0
Create hunting rule

Unix.Dropper.Mirai-7136028-0
Create hunting rule

Unix.Dropper.Mirai-7355719-0
Create hunting rule

Unix.Trojan.Mirai-8025795-0
Create hunting rule

Unix.Dropper.Mirai-9977145-0
Create hunting rule

Unix.Dropper.Mirai-10007027-0
Create hunting rule

Unix.Trojan.Mirai-10009361-0
Create hunting rule

Unix.Trojan.Mirai-5607483-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Runs as daemon
Receives data from a server
Opens a port
Sends data to a server
DNS request
Connection attempt
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gcc masquerade mirai obfuscated rust
Link:
https://www.filescan.io/uploads/690fd15e8938e2fe221767d6/reports/5fe163e8-e009-4696-a4eb-f953fb180bff/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-11-08T20:47:00Z UTC
Last seen:
2025-11-08T21:43:00Z UTC
Hits:
~10
Detections:
HEUR:Backdoor.Linux.Mirai.b HEUR:Backdoor.Linux.Gafgyt.bl HEUR:Backdoor.Linux.Gafgyt.bj HEUR:Exploit.Linux.Zyxel.c HEUR:Exploit.Linux.CVE-2017-17215.a HEUR:Backdoor.Linux.Mirai.r
Link:
https://opentip.kaspersky.com/fd6c44ebfd9ae04f9bb4879100120b0cbad215b8c921b433b83e3f84bf00f4ca/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/f8b78fc4-814e-4f08-a9dd-acbf2b85284c
Behavior Graph:
Download SVG
%3 guuid=5e96b319-1a00-0000-74f8-f32f14090000 pid=2324 /usr/bin/sudo guuid=ce3fb21d-1a00-0000-74f8-f32f18090000 pid=2328 /tmp/sample.bin guuid=5e96b319-1a00-0000-74f8-f32f14090000 pid=2324->guuid=ce3fb21d-1a00-0000-74f8-f32f18090000 pid=2328 execve
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79cd19ad-904b-41ee-9e71-8441a9e7dfc4
Result
Threat name:
Mirai
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1810737
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1810737 Sample: morte.arm7.elf Startdate: 09/11/2025 Architecture: LINUX Score: 72 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected Mirai 2->49 9 dash rm morte.arm7.elf 2->9         started        11 dash rm 2->11         started        13 dash cut 2->13         started        15 8 other processes 2->15 process3 process4 17 morte.arm7.elf 9->17         started        19 morte.arm7.elf 9->19         started        21 morte.arm7.elf 9->21         started        23 2 other processes 9->23 process5 25 morte.arm7.elf 17->25         started        27 morte.arm7.elf 17->27         started        29 morte.arm7.elf 17->29         started        31 morte.arm7.elf 17->31         started        33 morte.arm7.elf 19->33         started        35 morte.arm7.elf 19->35         started        process6 37 morte.arm7.elf 25->37         started        39 morte.arm7.elf 33->39         started        41 morte.arm7.elf 35->41         started        process7 43 morte.arm7.elf 37->43         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/fd6c44ebfd9ae04f9bb4879100120b0cbad215b8c921b433b83e3f84bf00f4ca
Detection:
mirai
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fd6c44ebfd9ae04f9bb4879100120b0cbad215b8c921b433b83e3f84bf00f4ca/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/fd6c44ebfd9ae04f9bb4879100120b0cbad215b8c921b433b83e3f84bf00f4ca
Threat name:
Linux.Worm.Mirai
Create hunting rule
Status:
Malicious
First seen:
2025-11-08 23:25:20 UTC
File Type:
ELF32 Little (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7vwej275tlqe7g5uq6iqaeqlbs5nefnyzeq3im5yhy7yjpya6tfa._file
Result
Malware family:
mirai
Create hunting rule
Score:
  10/10
Tags:
family:mirai defense_evasion discovery
Link:
https://tria.ge/reports/251108-3efbbacy9e/
Behaviour
Reads runtime system information
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Contacts a large (352897) amount of remote hosts
Creates a large amount of network flows
Malware Config
C2 Extraction:
teamc2.duckdns.org
Verdict:
Malicious
Tags:
botnet mirai Unix.Trojan.Mirai-7100807-0
YARA:
MAL_ELF_LNX_Mirai_Oct10_1
Link:
https://app.threat.zone/submission/7dc52b5c-7329-40c5-82ee-14fa9f545d49
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CVE_2017_17215
Create hunting rule
Author:NDA0E
Description:Detects exploitation attempt of CVE-2017-17215
Rule name:ELF_Mirai
Create hunting rule
Author:NDA0E
Description:Detects multiple Mirai variants
Rule name:Linux_Generic_Threat_8299c877
Create hunting rule
Author:Elastic Security
Rule name:MAL_ELF_LNX_Mirai_Oct10_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects ELF Mirai variant
Reference:Internal Research
Rule name:SUSP_XORed_Mozilla_Oct19
Create hunting rule
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 7271a0b2c3ab5f774de4eab4dfb7a76afb0b451a5af953a7df31f532b59706d0

Mirai

elf fd6c44ebfd9ae04f9bb4879100120b0cbad215b8c921b433b83e3f84bf00f4ca

(this sample)

  
Dropped by
SHA256 7271a0b2c3ab5f774de4eab4dfb7a76afb0b451a5af953a7df31f532b59706d0
  
URLhaus
https://urlhaus.abuse.ch/url/3697763/
  
Delivery method
Distributed via web download
  
Dropped by
MD5 9a78987672c67178b3ff2d57504eff32
  
URLhaus
https://urlhaus.abuse.ch/url/3697944/

Comments