Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies a backdoor from the Mirai malware family in a Linux ELF binary. On a Windows host that usually means a file inside a Windows Subsystem for Linux (WSL) distribution; the same detection name is raised on native Linux systems running Microsoft Defender for Endpoint. Mirai spreads by brute-forcing default and reused telnet (and, in later variants, SSH) credentials on Linux-based devices, enrolls the compromised host in a botnet, and uses it to scan for further targets and to take part in large-scale DDoS attacks.
No printable strings are associated with this signature: detection rests entirely on the two hex byte patterns in the rule below. Those bytes decode as big-endian 32-bit SPARC instructions (a umul/rd %y multiply sequence in the first pattern, a st/cmp/branch sequence in the second), so this particular signature covers the SPARC build of Mirai.
rule Backdoor_Linux_Mirai_FS_2147906074_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.FS!MTB"
        threat_id = "2147906074"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "Low"

    strings:
        // Both patterns are big-endian 32-bit SPARC instruction sequences; "??" is a one-byte wildcard.
        $x_1_1 = {95 31 20 08 9a 10 40 0d 99 36 20 08 92 53 40 1a 91 40 00 00 85 3e a0 1f 96 82 40 0a 82 5b 00 1a 84 58 80 0d 82 00 40 02 ?? 00 40 08 03 00 3f ff 94 42 20 00 82 10 63 ff 80 a2 80 01} //weight: 1, accuracy: Low
        $x_1_2 = {d4 22 60 08 80 a2 a0 00 02 ?? ?? ?? d6 22 60 04 10 ?? ?? ?? d2 22 a0 04 d2 22 00 00} //weight: 1, accuracy: Low

    condition:
        // threshold "2" with two weight-1 strings: both patterns must be present
        (filesize < 20MB) and
        (all of ($x*))
}

Associated sample hashes (64-character hex digests, SHA-256 length):
9556672eaf1573720fe806ce034899a820d1eb9799fae9733e8673c639c214da
1bbc2546e4dbd1b9c37d32ad43a8d81f3a077d01141aae13f77aa334709c9f2a
8e34051509727e85abb11d3bf90891b24948de11759fe3302ef5bf915d7ce7e3
7c5873069caf360023e37be06ffa9fbe52cb4d55f626b98a3ef32cae934b4376
fc5f410ff368910037e8ca73cd9024694eea4083af51990892a44b57938c6bf5

Remediation: Isolate the host from the network. Inside any Linux environment on the host (WSL distributions, containers), inspect running processes together with their open network connections rather than the filesystem alone: Mirai typically deletes its own binary from disk right after launch and keeps running from memory, holding an outbound connection to its command-and-control server and generating scanning traffic to telnet ports (23, 2323) on random addresses. Terminate the process, remove the dropped files, and rotate every credential reachable from the host; Mirai propagates by brute-forcing default and reused telnet/SSH logins, so weak or shared passwords are the reinfection path.
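The rule's condition and the hash list above, re-implemented as a standalone offline triage helper. This is an added example, not code from threatcheck.sh or Microsoft: it converts the two wildcard hex patterns into byte regexes, applies the same "filesize < 20MB and all of ($x*)" logic, and checks a file's SHA-256 against the listed hashes. The ELF header stub, the filler bytes and the concrete values substituted for the "??" wildcards in the constructed samples are assumptions for demonstration, not bytes taken from a real Mirai binary.

```python
# Added example: standalone re-implementation of the rule's condition for
# offline triage. Not code from threatcheck.sh or Microsoft. The ELF stub,
# filler bytes and the values substituted for "??" below are constructed
# assumptions, not bytes from a real Mirai sample.
import hashlib
import re

# The two byte patterns from the rule; "??" is a one-byte wildcard.
PATTERNS = {
    "$x_1_1": ("95 31 20 08 9a 10 40 0d 99 36 20 08 92 53 40 1a 91 40 00 00 "
               "85 3e a0 1f 96 82 40 0a 82 5b 00 1a 84 58 80 0d 82 00 40 02 "
               "?? 00 40 08 03 00 3f ff 94 42 20 00 82 10 63 ff 80 a2 80 01"),
    "$x_1_2": ("d4 22 60 08 80 a2 a0 00 02 ?? ?? ?? d6 22 60 04 10 ?? ?? ?? "
               "d2 22 a0 04 d2 22 00 00"),
}

# Hashes listed with the signature (SHA-256 length).
KNOWN_HASHES = {
    "9556672eaf1573720fe806ce034899a820d1eb9799fae9733e8673c639c214da",
    "1bbc2546e4dbd1b9c37d32ad43a8d81f3a077d01141aae13f77aa334709c9f2a",
    "8e34051509727e85abb11d3bf90891b24948de11759fe3302ef5bf915d7ce7e3",
    "7c5873069caf360023e37be06ffa9fbe52cb4d55f626b98a3ef32cae934b4376",
    "fc5f410ff368910037e8ca73cd9024694eea4083af51990892a44b57938c6bf5",
}

MAX_FILESIZE = 20 * 1024 * 1024  # YARA's "filesize < 20MB"


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string into a compiled bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                  # any single byte (DOTALL below)
        else:
            parts.append(b"\\x%02x" % int(tok, 16))  # literal byte escape
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in PATTERNS.items()}


def scan_bytes(data: bytes) -> dict:
    """Evaluate the rule against one file image and report why it did or did not fire."""
    hits = {name: rx.search(data) is not None for name, rx in COMPILED.items()}
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "known_hash": digest in KNOWN_HASHES,
        "strings": hits,
        "filesize_ok": len(data) < MAX_FILESIZE,
        # Rule condition: (filesize < 20MB) and (all of ($x*))
        "rule_match": len(data) < MAX_FILESIZE and all(hits.values()),
    }


def fill_wildcards(pattern: str, fill: bytes) -> bytes:
    """Build concrete bytes from a pattern, consuming one byte of `fill` per "??"."""
    out, fill_iter = bytearray(), iter(fill)
    for tok in pattern.split():
        out.append(next(fill_iter) if tok == "??" else int(tok, 16))
    return bytes(out)


# Constructed samples (assumptions): ELF magic plus zeroed header, not a valid binary.
ELF_STUB = b"\x7fELF\x01\x02\x01" + b"\x00" * 57
X1_CONCRETE = fill_wildcards(PATTERNS["$x_1_1"], b"\x82")
X2_CONCRETE = fill_wildcards(PATTERNS["$x_1_2"], b"\x80\x00\x05\x80\x00\x03")
SAMPLE_BOTH = ELF_STUB + b"\x00" * 64 + X1_CONCRETE + b"\x00" * 32 + X2_CONCRETE
SAMPLE_ONE = ELF_STUB + X2_CONCRETE   # only one pattern: "all of" must fail


if __name__ == "__main__":
    for label, sample in (("both patterns", SAMPLE_BOTH), ("only $x_1_2", SAMPLE_ONE)):
        r = scan_bytes(sample)
        print(f"{label}: rule_match={r['rule_match']} strings={r['strings']} "
              f"known_hash={r['known_hash']} sha256={r['sha256'][:16]}...")
```

Run it against a real file image with `scan_bytes(open(path, "rb").read())`: a hash hit identifies one of the listed samples, a pattern hit without a hash hit is a related build the hash list does not cover, and a single-pattern hit is reported but does not fire the rule, mirroring the `all of ($x*)` condition.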