MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07e264784f1de87ed958d458251a3810dc1a6fc7437cf234fcb0c574d261cee9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 8



SHA256 hash: 07e264784f1de87ed958d458251a3810dc1a6fc7437cf234fcb0c574d261cee9
SHA3-384 hash: 8daf3fb14029ba2dffdbb8da4e78fe3b2fd79f1c90b10bf488e77c0fd4abed997c048ef2631d75214ba84d2373cf78fd
SHA1 hash: 4b0127340cbf98827c00f3fa28f651f45c8a2db4
MD5 hash: a074ac485a1f04af0e9a0726fc0d164a
humanhash: eleven-bravo-nebraska-jersey
File name: bins.sh
Signature: Gafgyt
File size: 1'689 bytes
First seen: 2025-05-17 18:28:53 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:vaoUaLTcsa4Gav2cJaTlaSad3aCyaZ/acwaafsaP2Oa01Qayh:vUmTcs5GcJIlaSQsEwoQ2O11Qz
TLSH: T1CC3156CB33670A782CA1ED67B2BA485474D8E58A54C6AF4DACDC38ED42CDE047149F83
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 71
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: trojandownloader trojware tsunami agent

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive lolbin remote

Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-05-17 18:16:32 UTC
File Type: Text (Shell)
AV detection: 25 of 37 (67.57%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:gafgyt botnet defense_evasion discovery linux privilege_escalation
Behaviour:
- Enumerates kernel/hardware configuration
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
- Changes its process name
- Reads CPU attributes
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
- Deletes log files
- Enumerates running processes
- File and Directory Permissions Modification
- Deletes Audit logs
- Deletes journal logs
- Deletes system logs
- Executes dropped EXE
- Flushes firewall rules
- Writes DNS configuration
- Detected Gafgyt variant
- Gafgyt family
- Gafgyt/Bashlite
Malware Config
C2 Extraction: 45.125.33.82:23966
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | Malware sample (SHA256 hash)
Web download | Gafgyt | sh | 07e264784f1de87ed958d458251a3810dc1a6fc7437cf234fcb0c574d261cee9 (this sample)

Delivery method: Distributed via web download
