VirusTotal Result Comparisons for Honeypot Malware
[This post was submitted by Jesse La Grew]
VirusTotal has become an important tool for researchers and defenders alike. Unusual executables or files can be uploaded to get an idea of how different antivirus vendors will classify them. Keeping the discovery of customized malware secret is also important and, in those cases, file hashes can be used to find any preexisting results. It should always be assumed that any file submitted to VirusTotal is being looked at by someone. The malware seen by public honeypots, such as the DShield honeypot, is generally not considered sensitive. Malware seen by these devices is being broadly used around the world in an attempt to compromise IoT (Internet of Things) devices.
Examples below are from a honeypot that is configured to submit samples to VirusTotal when a new file is downloaded from or uploaded to the honeypot [3]. This helps to summarize attacks and attempt to classify the type of malware being used. A common finding is that there are very different naming conventions and results from vendor to vendor.
Figure 1: VirusTotal results for a file created on honeypot
Vendors With No Results
A surprising item was just how many vendors never gave any results for files seen on this honeypot.
Acronis, Alibaba, APEX, BitDefenderFalx, Bkav, CMC, CrowdStrike, Cybereason, Cylance, eGambit, Endgame, F-Prot, Invincea, Kingsoft, Malwarebytes, Paloalto, Qihoo-360, SUPERAntiSpyware, SymantecMobileInsight, TACHYON, tehtris, TotalDefense, trapmine, Trustlook, VBA32, Webroot, Zoner
A possibility is that many of these vendors are not supplying data at this time or may not have been used in VirusTotal results in the past. These vendor lists do change over time:
• 73 Providers from date range 6/7/2022 – 7/31/2022
• 82 Providers from date range 6/7/2022 – 9/3/2022
That means in the last month, there has been an increase of 9 vendors, although this doesn’t consider any vendors that may have also been removed at this time.
Suggested Threat Results
VirusTotal will also give general threat classifications that can help to give a good high-level picture.
| VT Threat Classification | Count of VT Threat Classification | Percentage |
|---|---|---|
| trojan.shell/malkey | 5579 | 52.43% |
| trojan.shell/linux | 3816 | 35.86% |
| downloader.bash/miraia | 299 | 2.81% |
| downloader.shell | 277 | 2.60% |
| trojan.linux/mirai | 119 | 1.12% |
| downloader. | 118 | 1.11% |
| trojan.mirai/linux | 92 | 0.86% |
| downloader.bash/linux | 54 | 0.51% |
| trojan.linux/shell | 53 | 0.50% |
| downloader.miraia/bash | 31 | 0.29% |
Out of over 10,000 different honeypot results, files associated with malicious SSH authorized_keys were the most prevalent. Another item high on the list is Mirai, which is a popular botnet [4]. Many Mirai variants are seen on a regular basis by honeypots.
Results Change Over Time
We have already seen that results can be different between vendors; those vendors change and even VirusTotal threat classifications can sometimes seem inconsistent. Malware changes and new variants appear. Knowledge about this malware also changes, and this also changes the information received from a variety of tools. Looking at one example, it was seen that within a 6-hour period, the number of vendors seeing a particular hash as malware increased by 13, and the threat classification from VirusTotal also changed from “trojan.mirai/linux” to “trojan.linux/mirai”.
Normalizing the stored hashes with the latest stored VirusTotal threat classification gives a different picture than seen before.
Mirai is still a significant contender for popularity, but creating an authorized_keys file is by far the most common activity. A little help came from Excel and the XLOOKUP function to gather the latest locally stored results for a particular hash [5].
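The latest-per-hash normalization described above, sketched in Python as an added example (it is not the author's spreadsheet or the cowrieprocessor code). The rows and hash placeholders are constructed, and treating the names after the dot as unordered, so that “trojan.mirai/linux” and “trojan.linux/mirai” count together, is an assumption made here that goes one step beyond the XLOOKUP approach.

```python
from collections import Counter
from datetime import datetime

# Constructed sample rows: (hash placeholder, time the VT result was stored,
# VirusTotal suggested threat label). Labels are taken from the tables on this page.
ROWS = [
    ("hash-a", "2022-08-01T02:00:00", "trojan.mirai/linux"),
    ("hash-a", "2022-08-01T08:00:00", "trojan.linux/mirai"),
    ("hash-b", "2022-08-02T10:00:00", "trojan.shell/malkey"),
    ("hash-b", "2022-08-03T10:00:00", "trojan.shell/malkey"),
    ("hash-c", "2022-08-04T09:00:00", "downloader."),
    ("hash-c", "2022-08-05T09:00:00", "downloader.bash/miraia"),
    ("hash-d", "2022-08-06T12:00:00", "trojan.mirai/linux"),
]


def latest_per_hash(rows):
    """Return {hash: label}, keeping only the most recently stored result."""
    latest = {}
    for file_hash, stored_at, label in rows:
        ts = datetime.fromisoformat(stored_at)
        if file_hash not in latest or ts > latest[file_hash][0]:
            latest[file_hash] = (ts, label)
    return {h: label for h, (_, label) in latest.items()}


def canonical_label(label):
    """Order-insensitive label (assumption): sort the names after the dot."""
    category, dot, names = label.partition(".")
    if not dot:  # labels without a category prefix are left untouched
        return label
    parts = sorted(p for p in names.split("/") if p)
    return category + "." + "/".join(parts)


def raw_counts(rows):
    """Count every stored result, so re-scanned hashes are counted repeatedly."""
    return Counter(label for _, _, label in rows)


def normalized_counts(rows, canonical=False):
    """Count one label per hash, optionally folding reordered labels together."""
    labels = list(latest_per_hash(rows).values())
    if canonical:
        labels = [canonical_label(label) for label in labels]
    return Counter(labels)


if __name__ == "__main__":
    print("raw:       ", dict(raw_counts(ROWS)))
    print("latest:    ", dict(normalized_counts(ROWS)))
    print("canonical: ", dict(normalized_counts(ROWS, canonical=True)))
```
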
Different Provider Comparisons
So far, this has only focused on suggested classifications from VirusTotal. The naming of these threats from the various vendors also differs quite a bit and we see a much different number of results.
| Provider | Number of Results | No Classification | Provider Data Not Available | Total |
|---|---|---|---|---|
| Avast | 1273 | 519 | 0 | 1792 |
| AVG | 1273 | 34 | 485 | 1792 |
| GData | 1201 | 591 | 0 | 1792 |
| DrWeb | 1151 | 641 | 0 | 1792 |
| MicroWorld-eScan | 1132 | 660 | 0 | 1792 |
| Ad-Aware | 1130 | 662 | 0 | 1792 |
| BitDefender | 1128 | 664 | 0 | 1792 |
| FireEye | 1117 | 675 | 0 | 1792 |
| Emsisoft | 1079 | 695 | 18 | 1792 |
| ALYac | 1030 | 762 | 0 | 1792 |
| Ikarus | 1021 | 771 | 0 | 1792 |
| AhnLab-V3 | 971 | 821 | 0 | 1792 |
| TrendMicro | 942 | 850 | 0 | 1792 |
| TrendMicro-HouseCall | 941 | 851 | 0 | 1792 |
| CAT-QuickHeal | 915 | 877 | 0 | 1792 |
| Kaspersky | 796 | 996 | 0 | 1792 |
| Comodo | 775 | 1017 | 0 | 1792 |
| Arcabit | 756 | 1036 | 0 | 1792 |
| Lionic | 714 | 1078 | 0 | 1792 |
| Avira | 701 | 1091 | 0 | 1792 |
| VIPRE | 692 | 262 | 838 | 1792 |
| Cynet | 686 | 1077 | 29 | 1792 |
| ESET-NOD32 | 628 | 1164 | 0 | 1792 |
| MAX | 622 | 1170 | 0 | 1792 |
| Tencent | 562 | 1230 | 0 | 1792 |
| Microsoft | 533 | 1257 | 2 | 1792 |
| Fortinet | 524 | 1239 | 29 | 1792 |
| Cyren | 523 | 1269 | 0 | 1792 |
| Rising | 517 | 1275 | 0 | 1792 |
| McAfee-GW-Edition | 501 | 1290 | 1 | 1792 |
| Sophos | 496 | 1284 | 12 | 1792 |
| McAfee | 486 | 1305 | 1 | 1792 |
| Sangfor | 458 | 1158 | 176 | 1792 |
| Symantec | 422 | 1039 | 331 | 1792 |
| NANO-Antivirus | 405 | 1387 | 0 | 1792 |
| ZoneAlarm | 305 | 1478 | 9 | 1792 |
|  | 188 | 60 | 1544 | 1792 |
| F-Secure | 155 | 1637 | 0 | 1792 |
| Antiy-AVL | 121 | 890 | 781 | 1792 |
| ClamAV | 107 | 1671 | 14 | 1792 |
| SentinelOne | 94 | 1698 | 0 | 1792 |
| Elastic | 74 | 1707 | 11 | 1792 |
| MaxSecure | 72 | 1710 | 10 | 1792 |
| Jiangmin | 71 | 1721 | 0 | 1792 |
| Avast-Mobile | 70 | 1722 | 0 | 1792 |
| BitDefenderTheta | 59 | 1729 | 4 | 1792 |
| Zillya | 56 | 1736 | 0 | 1792 |
| VirIT | 51 | 1726 | 15 | 1792 |
| ViRobot | 48 | 1744 | 0 | 1792 |
| Gridinsoft | 23 | 1758 | 11 | 1792 |
| Yandex | 22 | 1770 | 0 | 1792 |
| Baidu | 7 | 1785 | 0 | 1792 |
| Panda | 5 | 1780 | 7 | 1792 |
| K7AntiVirus | 2 | 1790 | 0 | 1792 |
| K7GW | 2 | 1790 | 0 | 1792 |
| CMC | 0 | 995 | 797 | 1792 |
| TACHYON | 0 | 1792 | 0 | 1792 |
| Malwarebytes | 0 | 1774 | 18 | 1792 |
| Trustlook | 0 | 1792 | 0 | 1792 |
| Zoner | 0 | 1792 | 0 | 1792 |
| BitDefenderFalx | 0 | 1781 | 11 | 1792 |
| TotalDefense | 0 | 11 | 1781 | 1792 |
| eGambit | 0 | 14 | 1778 | 1792 |
| Kingsoft | 0 | 1783 | 9 | 1792 |
| Acronis | 0 | 1792 | 0 | 1792 |
| Invincea | 0 | 11 | 1781 | 1792 |
| CrowdStrike | 0 | 1792 | 0 | 1792 |
| F-Prot | 0 | 11 | 1781 | 1792 |
| VBA32 | 0 | 1792 | 0 | 1792 |
| APEX | 0 | 1792 | 0 | 1792 |
| tehtris | 0 | 1777 | 15 | 1792 |
| SUPERAntiSpyware | 0 | 1792 | 0 | 1792 |
| Webroot | 0 | 1792 | 0 | 1792 |
| SymantecMobileInsight | 0 | 1792 | 0 | 1792 |
| Qihoo-360 | 0 | 11 | 1781 | 1792 |
| Cybereason | 0 | 1671 | 121 | 1792 |
| Endgame | 0 | 11 | 1781 | 1792 |
| Alibaba | 0 | 1792 | 0 | 1792 |
| Bkav | 0 | 1792 | 0 | 1792 |
| Trapmine | 0 | 1746 | 46 | 1792 |
| Paloalto | 0 | 1792 | 0 | 1792 |
| Cylance | 0 | 1787 | 5 | 1792 |
The end of the provider list above also highlights the vendors that did not have any results. Looking at some of the most popular providers, we also see differences in the naming of threats.
| Avast Result | Count | VirusTotal Suggested Threats |
|---|---|---|
| Other:Malware-gen [Trj] | 517 | 'trojan.shell/linux', 'trojan.shell/malkey', 'trojan.linux/bruteforce', 'trojan.linux/shell', 'trojan.linux/bash', 'trojan.linux/sshbru', 'trojan.linux' |
| BV:Downloader-AAN [Drp] | 185 | 'downloader.linux', 'trojan.linux/shell', 'downloader.bash/linux', 'downloader.bash/miraia', 'downloader.linux/bash', 'downloader.linux/shell' |
| BV:Downloader-AEH [Drp] | 146 | 'downloader.miraia/bash', 'trojan.linux/mirai', 'downloader.linux', 'downloader.gen2', 'downloader.bash/linux', 'downloader.', 'downloader.shell', 'downloader.bash/miraia' |
| BV:Agent-BAP [Trj] | 97 | 'trojan.shell/linux', 'trojan.linux/shell', 'trojan.ircbot/shell', 'trojan.ircbot/linux', 'trojan.linux/ircbot', 'trojan.shell/ircbot' |
| BV:Downloader-II [Trj] | 93 | 'trojan.shell/vsntcg22', 'downloader.', 'downloader.jvhi/shell', 'downloader.shell', 'downloader.shell/linux' |
| BV:Downloader-OJ [Drp] | 78 | 'trojan.shell', 'downloader.shell', 'trojan.shell/gen2' |
| ELF:Mirai-BOD [Trj] | 25 | 'trojan.mirai/linux', 'trojan.linux/mirai' |
| ELF:Xorddos-AB [Trj] | 23 | 'trojan.linux/xorddos' |
| BV:Downloader-APV [Drp] | 19 | 'downloader.bash/miraib', 'downloader.miraib/bash' |
| ELF:Miner-KC [Trj] | 19 | 'trojan.linux', 'trojan.linux/uselvhs22', 'trojan.linux/multiverze', 'trojan.linux/tygpz' |
| BV:Downloader-APK [Drp] | 17 | 'downloader.bash/miraib', 'trojan.linux/shell', 'downloader.shell/bashdlod', 'downloader.miraib/bash' |
| ELF:BitCoinMiner-HF [Trj] | 9 | 'miner.linux/camelot' |
| ELF:Mirai-ADP [Trj] | 9 | 'trojan.mirai/linux', 'trojan.linux/mirai' |
| ELF:Mirai-AHC [Trj] | 5 | 'trojan.linux/mirai' |
| Perl:IRCBot-AD [Trj] | 4 | 'ircbot/perl' |
| Perl:IRCBot-D [Trj] | 4 | 'trojan.perl/shellbot' |
| ELF:Mirai-ARL [Trj] | 4 | 'trojan.linux/gafgyt' |
| ELF:Mirai-BWY [Trj] | 4 | 'trojan.mirai/linux' |
| BV:Downloader-AMZ [Drp] | 4 | 'trojan.shell/smlbr', 'trojan.smlbr/shell' |
| ELF:Mirai-AAJ [Trj] | 3 | 'trojan.mirai/linux' |
| Perl:Shellbot-O [Trj] | 2 | 'trojan.perl/shellbot' |
| ELF:Mirai-BXS [Trj] | 2 | 'trojan.mirai/linux' |
| ELF:MiraiDownloader-MX [Trj] | 1 | 'trojan.linux/mirai' |
| ELF:Goldfishgang-A [Bot] | 1 | 'trojan.mirai/linux' |
| ELF:Mirai-APD [Trj] | 1 | 'trojan.mirai/linux' |
| ELF:MiraiDownloader-MR [Drp] | 1 | 'downloader.linux/mirai' |
Avast and AVG have the same results and numbers; this is likely due to Avast acquiring AVG in 2016 [6].
| GData Result | Count | VirusTotal Suggested Threats |
|---|---|---|
| Trojan.Shell.Agent.V | 452 | 'trojan.shell/linux', 'trojan.shell/malkey' |
| Trojan.Shell.Agent.U | 100 | 'trojan.shell/linux', 'trojan.linux/shell', 'trojan.ircbot/shell', 'trojan.ircbot/linux', 'trojan.linux/ircbot', 'trojan.shell/ircbot' |
| Script.Trojan.Agent.Q2DN10 | 73 | 'downloader.', 'downloader.shell', 'downloader.shell/linux' |
| Trojan.GenericKD.39794855 | 56 | 'trojan.shell' |
| Trojan.GenericKD.50084125 | 32 | 'trojan.', 'trojan.linux/bruteforce', 'trojan.linux/shell', 'trojan.linux/sshbru', 'trojan.linux' |
| Linux.Trojan.Mirai.B | 29 | 'trojan.mirai/linux', 'trojan.linux/mirai' |
| Linux.Application.CoinMiner.AH (2x) | 20 | 'trojan.linux/shell', 'trojan.linux/bash' |
| Script.Trojan.Agent.SLJ1UA | 20 | 'trojan.shell', 'trojan.shell/gen2' |
| Trojan.Linux.GenericKD.39722060 | 15 | 'trojan.linux/multiverze', 'trojan.linux/tygpz' |
| Trojan.Downloader.JVHI | 13 | 'downloader.jvhi/shell' |
| Trojan.Linux.Generic.208033 | 12 | 'trojan.linux/xorddos' |
| Generic.Bash.MiraiA.30F5F415 | 11 | 'downloader.bash/miraia' |
| Trojan.Linux.GenericA.73252 | 11 | 'trojan.linux/xorddos' |
| Generic.Bash.MiraiB.CB1F6D93 | 10 | 'downloader.miraib/bash' |
| Script.Trojan.Agent.Z0E85G | 10 | 'downloader.shell/bashdlod', 'trojan.linux/shell' |
| Generic.Bash.MiraiA.1042638E | 9 | 'downloader.miraia/bash' |
| Trojan.Linux.Generic.261801 | 8 | 'trojan.linux/shell' |
| Generic.Bash.MiraiA.FC226613 | 8 | 'downloader.bash/linux' |
| Trojan.Linux.GenericKD.40003689 | 8 | 'trojan.linux', 'trojan.linux/uselvhs22' |
| Generic.Bash.MiraiA.37E69EBB | 7 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.9FE00F4A | 7 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.F71C9D36 | 7 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiB.43209CEF | 7 | 'downloader.miraib/bash' |
| Generic.Bash.MiraiA.C840B7CF | 6 | 'downloader.bash/miraia', 'downloader.bash/linux' |
| Generic.Bash.MiraiA.B7AF6546 | 6 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.76F02707 | 6 | 'downloader.bash/miraia' |
| Trojan.GenericKD.61105047 | 6 | 'trojan.linux/shell' |
| Trojan.Linux.Agent.IOS | 5 | 'trojan.linux/mirai' |
| Backdoor.Perl.Shellbot.F | 5 | 'trojan.perl/shellbot' |
| Generic.Bash.MiraiA.F31D7395 | 5 | 'downloader.bash/miraia' |
| Trojan.GenericKD.50646874 | 5 | 'trojan.' |
| Trojan.Linux.GenericKD.49342126 | 5 | 'trojan.linux/mirai' |
| Generic.Bash.MiraiA.53DA044C | 5 | 'downloader.bash/miraia', 'downloader.bash/linux' |
| Generic.Bash.MiraiA.CDE0B287 | 5 | 'downloader.bash/linux' |
| Generic.Bash.MiraiA.5A5455F1 | 5 | 'downloader.bash/miraia' |
| Trojan.GenericKD.46067161 | 4 | 'trojan.linux' |
| Trojan.GenericKD.46077164 | 4 | 'trojan.linux/shell' |
| Trojan.GenericKD.48821331 | 4 | 'trojan.' |
| Trojan.GenericKD.39722073 | 4 | 'trojan.linux' |
| Application.Linux.Generic.9905 | 4 | 'trojan.linux/gafgyt' |
| Generic.Bash.MiraiA.2B19920F | 4 | 'downloader.miraia/bash' |
| Generic.Bash.MiraiA.AB3356B6 | 4 | 'downloader.linux/bash' |
| Generic.Bash.MiraiA.90D485C3 | 4 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.1BB22156 | 4 | 'downloader.bash/miraia', 'downloader.bash/linux' |
| Generic.Bash.MiraiA.77A820C1 | 4 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.9F225672 | 4 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.C00C7246 | 4 | 'downloader.bash/linux' |
| Generic.Bash.MiraiA.261F2800 | 4 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.91B96D6D | 4 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.8525AE6B | 4 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiB.81B3B899 | 4 | 'trojan.miraib/bash' |
| Generic.Bash.MiraiA.42A992E0 | 4 | 'downloader.bash/miraia', 'downloader.linux/bash' |
| Linux.Trojan.Agent.FRYE0V | 3 | 'trojan.mirai/linux' |
| Generic.Bash.MiraiB.EB588E65 | 3 | 'downloader.miraib/bash' |
| Generic.Bash.MiraiA.F4E0D44D | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.9FAC84B8 | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.42844671 | 3 | 'downloader.bash/miraia' |
| Trojan.GenericKD.50084126 | 3 | 'trojan.linux/shell' |
| Linux.Trojan.Mirai.E | 3 | 'trojan.mirai/linux' |
| Trojan.Linux.Mirai.GDC | 3 | 'trojan.linux/mirai' |
| Generic.Bash.MiraiA.49306ADF | 3 | 'downloader.linux/bash' |
| Generic.Bash.MiraiA.F9E49AE2 | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.87330CC0 | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.A6961F86 | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.29E60E32 | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.1DCA368B | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.32EA1F82 | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.370A6145 | 3 | 'downloader.bash/linux' |
| Generic.Bash.MiraiA.88F9FED5 | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.A6CEE47A | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.6215B474 | 3 | 'downloader.miraia/bash' |
| Generic.Bash.MiraiA.BF170979 | 3 | 'downloader.linux/bash', 'downloader.bash/linux' |
| Linux.Application.CoinMiner.AH | 3 | 'trojan.linux/sshbru' |
| Generic.Bash.MiraiA.8991856A | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.D4BA1004 | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.EE96A6CC | 3 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiB.C122DEF0 | 2 | 'trojan.miraib/bash' |
| Linux.Trojan.Agent.21WIPQ | 2 | 'trojan.linux/mirai' |
| Script.Trojan.Agent.D34HUR | 2 | 'downloader.linux' |
| Backdoor.Perl.Shellbot.B | 2 | 'trojan.perl/shellbot' |
| Generic.Bash.MiraiA.19B73922 | 2 | 'downloader.miraia/bash' |
| Generic.Bash.MiraiA.F9CC4608 | 2 | 'downloader.linux/bash', 'downloader.bash/linux' |
| Generic.Bash.MiraiA.E2FF41E4 | 2 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.F384FF05 | 2 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.03BF947A | 2 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.D2936D49 | 2 | 'downloader.bash/miraia' |
| Script.Trojan.Agent.XQDCBP | 2 | 'downloader.linux/shell' |
| Trojan.Linux.GenericKD.49319781 | 2 | 'trojan.linux/mirai' |
| Generic.Bash.MiraiA.AFC860A3 | 2 | 'downloader.bash/miraia' |
| Linux.Trojan.Agent.71ZXJT | 2 | 'trojan.linux/mirai' |
| Generic.Bash.MiraiA.0A4B5647 | 2 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.3085EB19 | 2 | 'downloader.bash/linux' |
| Generic.Bash.MiraiA.C8C8B46F | 2 | 'downloader.linux/bash' |
| Generic.Bash.MiraiA.E0206CAA | 2 | 'downloader.miraia/bash' |
| Generic.Bash.MiraiA.AFD545E8 | 2 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.9DFBA98D | 2 | 'downloader.bash/linux' |
| Generic.Bash.MiraiA.77508253 | 2 | 'downloader.bash/miraia' |
| Trojan.Linux.Generic.266531 | 2 | 'trojan.linux/shell' |
| Generic.Bash.MiraiA.999DC364 | 2 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiB.C388CEE8 | 1 | 'downloader.miraib/bash' |
| Trojan.Linux.Generic.258109 | 1 | 'trojan.linux/mirai' |
| Generic.Bash.MiraiB.9F77C950 | 1 | 'downloader.miraib/bash' |
| Gen:Variant.Trojan.Linux.Mirai.8 | 1 | 'trojan.mirai/linux' |
| Trojan.GenericKD.48821326 | 1 | 'trojan.linux' |
| Trojan.Linux.Generic.207109 | 1 | 'trojan.linux/shell' |
| Generic.Bash.MiraiA.F7E66D30 | 1 | 'downloader.bash/miraia' |
| Linux.Trojan.Agent.0JQTA6 | 1 | 'trojan.linux/mirai' |
| Generic.Bash.MiraiA.6AB1054A | 1 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.E4FF83F6 | 1 | 'downloader.bash/miraia' |
| Linux.Trojan.Mirai.J | 1 | 'trojan.mirai/linux' |
| Generic.Bash.MiraiA.06015B18 | 1 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.716695BA | 1 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.CA694A08 | 1 | 'downloader.bash/linux' |
| Generic.Bash.MiraiA.7D12497D | 1 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.24330190 | 1 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.7AD1CA92 | 1 | 'downloader.bash/linux' |
| Generic.Bash.MiraiA.9A967DD3 | 1 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.A3F75002 | 1 | 'downloader.linux/bash' |
| Generic.Bash.MiraiB.83D16FFF | 1 | 'downloader.bash/miraib' |
| Generic.Bash.MiraiA.7176EFCA | 1 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.BBDDAFB3 | 1 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.9C2BFED6 | 1 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiA.27A5FB7E | 1 | 'downloader.bash/miraia' |
| Generic.Bash.MiraiB.A8550CC8 | 1 | 'downloader.bash/miraib' |
| Script.Trojan.Agent.SSSDZG | 1 | 'trojan.shell/smlbr' |
| Microsoft Result | Count | VirusTotal Suggested Threats |
|---|---|---|
| TrojanDownloader:Linux/Morila!MTB | 118 | 'trojan.linux/shell', 'downloader.bash/linux', 'downloader.bash/miraia', 'downloader.linux/bash', 'downloader.linux/shell' |
| Backdoor:Linux/IRCbot.YA!MTB | 95 | 'trojan.shell/linux', 'trojan.linux/shell', 'trojan.ircbot/shell', 'trojan.ircbot/linux', 'trojan.linux/ircbot', 'trojan.shell/ircbot' |
| Trojan:Linux/Multiverze | 58 | 'trojan.linux/uselvhs22', 'trojan.linux/mirai', 'trojan.linux/tygpz', 'trojan.mirai/linux', 'trojan.linux/multiverze' |
| TrojanDownloader:Linux/Morila.B!MTB | 57 | 'downloader.bash/miraia', 'downloader.bash/linux' |
| TrojanDownloader:Linux/ShWg.YB!MTB | 54 | 'downloader.bash/miraia', 'trojan.linux/shell', 'downloader.bash/linux' |
| Trojan:Script/Wacatac.B!ml | 40 | 'downloader.bash/miraib', 'trojan.miraib/bash', 'trojan.mirai/linux', 'downloader.miraib/bash' |
| HackTool:Linux/Sshbru!MTB | 26 | 'trojan.linux/shell', 'trojan.linux', 'trojan.linux/sshbru' |
| DoS:Linux/Xorddos.A | 23 | 'trojan.linux/xorddos' |
| Trojan:Linux/CoinMiner!rfn | 16 | 'trojan.linux/shell' |
| Trojan:Linux/CoinMiner.N!MTB | 9 | 'miner.linux/camelot' |
| HackTool:Linux/Sshbru!rfn | 8 | 'trojan.linux/shell', 'trojan.linux/sshbru', 'trojan.linux/bruteforce' |
| Backdoor:Linux/Mirai.BO!MTB | 6 | 'trojan.linux/mirai', 'linux' |
| Trojan:Win32/Occamy.CAD | 4 | 'trojan.linux' |
| Backdoor:HTML/Derflop.A | 4 | 'trojan.perl/shellbot' |
| Backdoor:Linux/Gafgyt.A!MTB | 4 | 'trojan.linux/gafgyt' |
| Trojan:Unix/Multiverze | 3 | 'trojan.linux/shell' |
| Trojan:Linux/Mirai.AB!MTB | 2 | 'downloader.bash/miraia' |
| Trojan:Linux/Downldr.AE!MTB | 2 | 'downloader.bash/miraia' |
| Backdoor:Linux/Mirai.AN!xp | 1 | 'trojan.mirai/linux' |
| Trojan:Linux/ZkarletFlash | 1 | 'trojan.mirai/linux' |
| Backdoor:Linux/Mirai.AW!MTB | 1 | 'trojan.mirai/linux' |
| TrojanDownloader:Linux/Mirai.C!MTB | 1 | 'downloader.linux/mirai' |
Summarized and detailed hash data can be downloaded from here [7].
When using tools like VirusTotal it is important to be aware of name changes over time and that vendors have their own naming schemes. Make sure that you’re using the latest available results and using the “Reanalyse File” option within VirusTotal to update analysis information.
[1] https://www.virustotal.com
[2] https://isc.sans.edu/honeypot.html
[3] https://github.com/jslagrew/cowrieprocessor/blob/main/submit_vtfiles.py
[4] https://en.wikipedia.org/wiki/Mirai_(malware)
[5] https://exceljet.net/formula/xlookup-latest-by-date
[6] https://www.comparitech.com/antivirus/avast-vs-avg/
[7] https://www.dropbox.com/sh/jswjv5mlvku0ep7/AADm5vyoR8Jwil7_BgqXjz7ra?dl=0