MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bbba545ef1e456b0b4c91905a51275d05ef34a3cbe1607208ab26acb7551103. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6

SHA256 hash: 0bbba545ef1e456b0b4c91905a51275d05ef34a3cbe1607208ab26acb7551103
SHA3-384 hash: 7b43b4b780819162f0460cd9a171fe85432105ad46180c95fc09222e0883d6078bf325638cdb8ad09d63245ae231685d
SHA1 hash: 1d814c52a059503aebb26cd34a06c99866969201
MD5 hash: 5b4534872d9a9706eee855dd0ad3b504
humanhash: mobile-earth-finch-tango
File name: bins.sh
Signature: Gafgyt
File size: 1'804 bytes
First seen: 2026-02-06 13:59:30 UTC
Last seen: 2026-02-06 18:49:53 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vxNLDxxwHKhdJld3Nn5d3wsysRswsswI32d:vxlDxxwHKhrl9Nn59w1ofBwI32d
TLSH: T1AB3106EBD4914D7EBFA4A91731A5480430E0D89A58EFDF77E8DC38D5418DE4CA4C1A93
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1); 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh

Intelligence


File Origin
# of uploads: 3
# of downloads: 26
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive medusa mirai
Result
Malware family:
Score: 10/10
Tags: family:gafgyt botnet defense_evasion discovery linux
Behaviour:
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
File and Directory Permissions Modification
Executes dropped EXE
Writes DNS configuration
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite

Malware Config
C2 Extraction: 158.94.210.187:23
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic approach to shellscript downloaders

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gafgyt
File type: sh
SHA256 hash: 0bbba545ef1e456b0b4c91905a51275d05ef34a3cbe1607208ab26acb7551103 (this sample)

Delivery method: Distributed via web download

Comments