MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09e4f7821407b5ab5129ddda4fc15462bb9ccf8353c03dafd206fb464ec0cb91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	09e4f7821407b5ab5129ddda4fc15462bb9ccf8353c03dafd206fb464ec0cb91
SHA3-384 hash:	f0fb0076b323d5ae0adc3b62cb03370e738cfaef1ba1a4f103064230bd3679c7f078490528ecc0fe7a968c30b42e1137
SHA1 hash:	f45f205db20cec4864bfb3af293d7899d965ad91
MD5 hash:	6dc274394bdc5a3c1cbe89ef03ca4e79
humanhash:	muppet-sink-jig-rugby
File name:	bb.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	1'140 bytes
First seen:	2025-06-20 23:18:27 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:2GxnGDkV7IG7RGwEGVNI1FIGEUGFG+uGJS8GAIGFGc6GXKWGcaoaTao5v:2iyJqRKxIquWmrRImf605iZ2ox
TLSH	T1EC214ADAA0E846034411CE1AB2A9D8D874F4E7FF527F5F6D7CEC04E9529AA48701CEE4
Magika	shell
Reporter	abuse_ch
Tags:	gafgyt sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://31.56.39.249/D.mips	134d4d68baa03e4c7f3a32f5c02e728c1e2d05d6fe654efdce0c3eca60f3b0a9	Mirai	mirai opendir
http://31.56.39.249/D.mpsl	8dd53502cdd743c4070b92920edfc5690a2fded42100d6d49a2a5ef201b3ab88	Mirai	mirai opendir
http://31.56.39.249/D.sh4	d85eaea3a5dd3160878d5c270cc9b3615cb12239d1928f6598230d7c326e0bf7	Mirai	mirai opendir
http://31.56.39.249/D.x86	2e3eb8ae3aa8d76aa7c83f84f3ac81f30992a3de4019223c1f0c6931c9c1c279	Mirai	mirai opendir
http://31.56.39.249/D.arm6	8e3dc5ac028d168e5945e4b476393e3ba7d16eef6eb94c80ad6424a5fe7da8d0	Mirai	mirai opendir
http://31.56.39.249/D.i686	e8f77574c12c1a6da6b2e82b64bf173f3631a12b8757d61d8e4be62a5a9298aa	Mirai	mirai opendir
http://31.56.39.249/D.ppc	cefb739ab85e4fb068ab093f0a234c67df4a4e8aaab3eb4da3877e39377c8eb3	Mirai	mirai opendir
http://31.56.39.249/D.i586	d43271f4ab46dc29f86386e0cc8804279ad96c7ba05232e8822a263d90390da4	Mirai	mirai opendir
http://31.56.39.249/D.m68k	bb213cbe556628ed7cf44c93e8146e84102c6e5ba97cab4051ebcd4aad6061dd	Mirai	mirai opendir
http://31.56.39.249/D.sparc	d0e4e37094d31751b41d3330af4e7323120aee83cc48753491a26ab0c4e2593f	Mirai	mirai opendir
http://31.56.39.249/D.arm4	2b052507f5b20d839b8f14b4fa906b205c38a90b7e4f02c01011c6a02064a3ec	Gafgyt	gafgyt opendir
http://31.56.39.249/D.arm5	db905b9f8900c31136c9c975cbd347574f8d5adfc227766f3e2bb2d1b7adb0b1	Gafgyt	gafgyt opendir
http://31.56.39.249/D.arm7	8da89673b756bad9c10f9e4058aa732247d9c2f6d39bdd703f5621aa2bf3c758	Mirai	mirai opendir
http://31.56.39.249/D.ppc440fp	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6855ec5b64ba7f79fb673344linux22vpnfull_triage

Tags:

downloader trojan agent

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/50dad5f1-7473-4214-8030-bfa7c70a5ce6

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/09e4f7821407b5ab5129ddda4fc15462bb9ccf8353c03dafd206fb464ec0cb91

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/09e4f7821407b5ab5129ddda4fc15462bb9ccf8353c03dafd206fb464ec0cb91/

Threat name:

Script-Shell.Trojan.ShellLoader

Status:

Malicious

First seen:

2025-06-20 23:19:35 UTC

File Type:

Text (Shell)

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bhsppaqua622wujj3xne7qkumk5zzt4dkpad3l6sa35umtwazoiq._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/250620-3al83avlz3/

Behaviour

System Network Configuration Discovery

Reads system network configuration

Reads system routing table

File and Directory Permissions Modification

Executes dropped EXE

Detected Gafgyt variant

Gafgyt family

Gafgyt/Bashlite

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

BASHLITE

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/09e4f7821407b5ab5129ddda4fc15462bb9ccf8353c03dafd206fb464ec0cb91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.