user@threatcheck.sh ~ threat-analysis
bash
$ analyze-threat Backdoor:Linux/Mirai.GA!MTB
Backdoor:Linux/Mirai.GA!MTB - Windows Defender threat signature analysis

Backdoor:Linux/Mirai.GA!MTB - Windows Defender Threat Analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:Linux/Mirai.GA!MTB
Classification:
Type:Backdoor
Platform:Linux
Family:Mirai
Detection Type:Concrete
Known malware family with identified signatures
Variant:GA
Specific signature variant within the malware family
Suffix:!MTB
Detected via machine learning and behavioral analysis
Detection Method:Behavioral
Confidence:Very High
False-Positive Risk:Low

Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai

Summary:

This threat is a backdoor from the Mirai botnet family, which targets Linux-based systems and IoT devices. Once infected, the device is used to scan for other vulnerable systems and participate in large-scale Distributed Denial-of-Service (DDoS) attacks. The '!MTB' suffix indicates this detection was made by a machine learning model based on the file's behavior.

Severity:
Medium
VDM Static Detection:
No specific strings found for this threat
YARA Rule:
rule Backdoor_Linux_Mirai_GA_2147906203_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.GA!MTB"
        threat_id = "2147906203"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "7"
        strings_accuracy = "High"
    strings:
        $x_5_1 = "tmp/condinetwork" ascii //weight: 5
        $x_1_2 = "condibot" ascii //weight: 1
        $x_1_3 = "var/zxcr9999" ascii //weight: 1
        $x_1_4 = "trytocrack" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_5_*) and 2 of ($x_1_*))) or
            (all of ($x*))
        )
}
Known malware which is associated with this threat:
Filename: executor.arm64
485321a8e549cea7557bf78e3cc09de298050f0df4c1f9dd5bbff094031d395a
20/11/2025
VirusTotalDownload Sample
Filename: executor.arm64
148ddb73e5415fcb6564679c37c9361615d6d9c1650a1060e076b25ce28fc1d2
16/11/2025
VirusTotalDownload Sample
Filename: executor.arm64
58190f56d490fbc0277648dda25653eb42a60eb4b661ad5edc4f12b1b25021ac
16/11/2025
VirusTotalDownload Sample
Filename: executor.arm64
69121b5f21dc54a12a7dd44388db6e56844735564bc327572c04f4c76333cfb4
12/11/2025
VirusTotalDownload Sample
Filename: executor.arm64
b41f8ccce98bed95e65368ad4f8a7ef35b5902689c7c3408f4e7cfbfed67b5db
12/11/2025
VirusTotalDownload Sample
Remediation Steps:
Isolate the affected Linux device from the network immediately. Re-flash the device's firmware or restore from a known-good backup to ensure complete removal. Change all default credentials to strong, unique passwords and apply the latest security patches.
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 08/11/2025. Do you want to analyze it again?
$ ls available-commands/
→ cd /home
user@threatcheck.sh:~$