$ analyze-threat Backdoor:Linux/Mirai.A!AMTB
Backdoor:Linux/Mirai.A!AMTB - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Linux/Mirai.A!AMTB
Classification:
 - Type: Backdoor
 - Platform: Linux
 - Family: Mirai
 - Detection Type: Concrete (known malware family with identified signatures)
 - Variant: A (specific signature variant within the malware family)
 - Suffix: !AMTB
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai

VDM Static Detection:
Relevant strings associated with this threat:
 - /ver.txt (PEHSTR_EXT)
 - /update.txt (PEHSTR_EXT)
 - http://%s:8888/ (PEHSTR_EXT)
 - \msinfo.exe (PEHSTR_EXT)
 - /delete /f /tn msinfo (PEHSTR_EXT)
YARA Rule:
rule Backdoor_Linux_Mirai_A_2147956508_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.A!AMTB"
        threat_id = "2147956508"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "AMTB: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "106.248.251.189" ascii //weight: 1
        $x_1_2 = "/tmp/.bot_lock" ascii //weight: 1
        $x_1_3 = "cd /root wget http://%s/cat.sh" ascii //weight: 1
        $x_1_4 = "0mPassword" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}
Known malware which is associated with this threat:
Filename   SHA-256                                                           Date
arc        2ba9867cb4afb54449579199a7807d6c1271403b42574acd9afc7ca2055de06c  19/01/2026
aarch64    9b0bea2c5a68110da8e326c51ca8367d994f2561830ee1c9dbf99c5d5a97b5ef  19/01/2026
csky       eb8da60a4f8286a6b52f1f8f73b7dbe4d90821688f97dece6e3879066b9b9952  19/01/2026
armv7l     99835626483601bb7a82624323c6ef41fbdcc11b1656d9f8def602192a558c40  19/01/2026
armv6l     b2bddb2c0c285c3d5a04c014c9e8d6c3876eb4135c954b49a6896b398214b232  19/01/2026
=== END REPORT ===
This analysis was last updated on 19/01/2026.