MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05214760c9dce0552a3ea3e11f131fbd2b6c0de7f2e8810ab15fa2aa41cea436. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

SHA256 hash: 05214760c9dce0552a3ea3e11f131fbd2b6c0de7f2e8810ab15fa2aa41cea436
SHA3-384 hash: be91b999fac046d60eb8248c09ff9f912db4d186b8ddf5d7716da7c154528e553efb5d2925d0f3d79ae71ec69244cef2
SHA1 hash: e383552174fcf5057a71fdda5e8de996d01f19d3
MD5 hash: f2bf2234e8e5101bb668aa7b53f356ab
humanhash: oklahoma-wisconsin-eighteen-xray
File name: bins.sh
Signature: Gafgyt
File size: 1'626 bytes
First seen: 2025-05-16 17:14:32 UTC
Last seen: 2025-05-17 07:23:18 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:vCHyEChrCyMvPWHsCdrCBHCWUC9CZ/CCWJCRCXmu3CHRTC7m:vnE+rE+Mir0zUccnUQgAP
TLSH: T1483184CB21E239786C65D97B32FA4C0475E1E08605D76F986DEC38F9418EE08B844FA3
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh

Intelligence


File Origin
# of uploads: 2
# of downloads: 70
Origin country: DE
Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: trojandownloader trojware agent

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive lolbin remote

Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-05-16 17:15:31 UTC
File Type: Text (Shell)
AV detection: 25 of 37 (67.57%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:gafgyt botnet defense_evasion discovery execution linux persistence privilege_escalation
Behaviour:
Reads runtime system information
Writes file to tmp directory
Changes its process name
Reads system network configuration
Creates/modifies Cron job
Reads system routing table
Write file to user bin folder
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Malware Config
C2 Extraction: 92.112.125.62:1111
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Gafgyt, sh 05214760c9dce0552a3ea3e11f131fbd2b6c0de7f2e8810ab15fa2aa41cea436 (this sample)

Delivery method: Distributed via web download
