MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a47760cc5ae692eb0cea3699d2756879322cd4bd2b172fb92ae57b7e83a3850. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	0a47760cc5ae692eb0cea3699d2756879322cd4bd2b172fb92ae57b7e83a3850
SHA3-384 hash:	154ca8ce896c634f6f4825cee75cd2b6c4d62228163b9e008a211599b158e0835e3e9c2f111957c2deff6593b39c49e8
SHA1 hash:	67a99eaa27a11122477b1618122fcd9655149da9
MD5 hash:	127108bd88335d24cd4308aa3620e7eb
humanhash:	bulldog-three-texas-iowa
File name:	EkSgbins.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	1'516 bytes
First seen:	2026-02-16 04:27:30 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	12:q0FmV0Fk0Flac43fX0FUOeekX0F2+k0FzoX0FcJ91FZ0FjEX0Fuh0F9gV8po0FRi:vm+tcc4kUOas1zoscJ9+jEsd/Jde
TLSH	T1453153CB22A20A74ACB1E967326A980475D9F5D725CE6F9DBCDC3AF5418DE047001BE3
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	adliwahid
Tags:	gafgyt

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://45.131.64.121/mips	07a156c9004e3272f3e2c8120fc2718b5ea2d593c702124dcf1d6fb3d0648d65	Mirai	mirai
http://45.131.64.121/mipsel	36c254c98d17a855694486f20bf4051d460ad1f4074e9640f794faf972e0eb91	Mirai	mirai
http://45.131.64.121/sh4	12b4d70d65c78aa9de125ad3be2e4f1bf6d7c334ecc852149850d6deffe258c4	Mirai	mirai
http://45.131.64.121/x86	211ed980a5a75ce9313e8d8d516ee4971879b50a6784a062bb13811af238f947	Mirai	mirai
http://45.131.64.121/armv6l	730c6e697e944c9672cb65dda33c805e5c328ebfe28da9e192b6ebba30446ed8	Mirai	mirai
http://45.131.64.121/i686	1131e55f0bdbda12686176c4eda52a5dc6d1922aa583aa2425753f244c7b6c20	Mirai	mirai
http://45.131.64.121/powerpc	0ed824177d7348c404f5986417c7e97ef8a141c487b4fbf60778d0934eb43e33	Mirai	mirai
http://45.131.64.121/i586	c94101b076da0aa2d8336b24656c55bc4635c80a128ba2c256d006a3625e5b0c	Mirai	mirai
http://45.131.64.121/m68k	0ab90e49a9e1b2bae6235ba43eefc44adaf0a5a9c1df510793ea085ea65c2baf	Mirai	mirai
http://45.131.64.121/sparc	8eae216a61bf4193c65632d7ca79bd1fbda62bc80e57861d255b45ebc8811489	Mirai	mirai
http://45.131.64.121/armv4l	94101c7ed73e72ae300a81c9dafc41ccabb613c9871ee05e5594ee09f8d82216	Mirai	gafgyt
http://45.131.64.121/armv5l	a1deea1b1897cf4b44520e87575db4b24bcbde8c112c0c789427a6aa8a4c6c60	Mirai	mirai

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive medusa mirai virus

Link:

https://www.filescan.io/uploads/69929e45981ff1d38a5704d0/reports/c299c306-b47e-420e-847b-9cac186a5a2c/overview

Verdict:

Malicious

File Type:

unix shell

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.cx HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/0a47760cc5ae692eb0cea3699d2756879322cd4bd2b172fb92ae57b7e83a3850/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/1bc2d588-16d1-4bbb-8d33-cc5238f0d994

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/0a47760cc5ae692eb0cea3699d2756879322cd4bd2b172fb92ae57b7e83a3850

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0a47760cc5ae692eb0cea3699d2756879322cd4bd2b172fb92ae57b7e83a3850/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/0a47760cc5ae692eb0cea3699d2756879322cd4bd2b172fb92ae57b7e83a3850

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-02-16 02:53:25 UTC

AV detection:

17 of 24 (70.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bjdxmdgfvzus5mgounuz2j2wq6jsftkl2kyxf64svzl3p2b2hbia._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260216-e3q6qads7g/

Behaviour

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

Reads system routing table

File and Directory Permissions Modification

Executes dropped EXE

Modifies Watchdog functionality

Detected Gafgyt variant

Gafgyt family

Gafgyt/Bashlite

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.96

Link:

https://yomi.yoroi.company/submissions/0a47760cc5ae692eb0cea3699d2756879322cd4bd2b172fb92ae57b7e83a3850

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh