MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe435122d82716e7c7b006d091bfdad9fe4fb22ed8987ac8db3ba89e053251d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 9



SHA256 hash: fe435122d82716e7c7b006d091bfdad9fe4fb22ed8987ac8db3ba89e053251d1
SHA3-384 hash: a842353e4b5c017dac210746d1defe8eddfcbe9caebd585609bf09ae16390fa9e2da62580dd39b0277684fad83c5bb98
SHA1 hash: 4d526b052811763e8708cbf2ec23bb89e7fb0c50
MD5 hash: 6c89a888276b7f96a3f2048211376469
humanhash: saturn-mirror-three-idaho
File name: m68k
Signature: Mirai
File size: 74'460 bytes
First seen: 2026-01-02 06:11:45 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 1536:fX0j/0P6LX4hmI0kvxF/ADwoKf8zNyYQqqCXmbL7cfolQUDrWhTp/v:fkDkdnt/ADwoK0yYQq707woCrBv
TLSH: T15A7329D6F400DDBEF80EE73B84574505B230E7A60F921B76231B796BAC750A5193AF82
Magika: elf
Reporter: abuse_ch
Tags: elf mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 101
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: mirai
Verdict: Malicious
File Type: elf.32.be
First seen: 2026-01-02T00:55:00Z UTC
Last seen: 2026-01-02T05:53:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
/usr/bin/sudo (pid 2747) -> execve -> /tmp/sample.bin (pid 2751)
Result
Threat name: n/a
Detection: malicious
Classification: spre.troj
Score: 64 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Behaviour
Behavior Graph:
Behavior Graph ID: 1843439, Sample: m68k.elf, Startdate: 02/01/2026, Architecture: LINUX, Score: 64
Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2026-01-02 05:44:00 UTC
File Type: ELF32 Big (Exe)
AV detection: 11 of 24 (45.83%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: linux
Verdict: Malicious
Tags: Unix.Trojan.Gafgyt-7782058-0
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ELF_IoT_Persistence_Hunt
Author: 4r4
Description: Hunts for ELF files with persistence and download capabilities

Rule name: ELF_Toriilike_persist
Author: 4r4
Description: Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference: Identified via researched data

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf fe435122d82716e7c7b006d091bfdad9fe4fb22ed8987ac8db3ba89e053251d1

(this sample)

  
Delivery method
Distributed via web download
