MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cbca43f0b524cd4e31efb11889c4282ef3458b94e5645aacea68e0bba285688. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 8



SHA256 hash: 0cbca43f0b524cd4e31efb11889c4282ef3458b94e5645aacea68e0bba285688
SHA3-384 hash: 2dc78421accc1ad068c2e37b08f15abb18542bf83fac45c6b8b1d24475cd56636a4d09f86d6e77c6d0ef824769c768b6
SHA1 hash: 3a68c4ced396c297166304c7a64fb27d2e5db407
MD5 hash: 8b1a4d37929afc56a55341907d12da7b
humanhash: vegan-seventeen-sodium-october
File name: logsbins.sh
Signature Gafgyt
File size: 4'522 bytes
First seen: 2025-08-26 20:40:16 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vI2rI0IYIQzIlxMlFIEIQIoIu3IUIoI4IFZc2bBeQXclxMl1dZguZx7XyU2bUOUf:vxR1dJJ9thBFtG3mp51dhBNj5Jn51dk
TLSH: T12191FDCBB1721B312A90E99F3276451875E4A0C644D7CFD468ED39F980CCE887826EB7
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh
IOCs

URL | Malware sample (SHA256 hash) | Signature | Tags
http://78.142.229.12/sshd | 93d40417b1a60b8807eb9933218f71086601be047b341c779577bc21b8f0fc64 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/telnetd | f611f21467ae2f4f9cbc671e6f60022237821ba8771c8808962e5b03c1ea6258 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/system | 4add06fd7831a8f85ac0fadb1f97c6a36848a6b1107d5551e3a570eed7ea366a | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/ssh | 37040becf8aa5878cf183ad4dc8adb408175628c59b5828cd5b9d3cc99a60b85 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/dbus-daemon | 6fe013d0ceec620ce9e20c10c9041c67c8f9238cbf5132b456b74335eed03076 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/cron | fc928ba3b7fb408a933c9e4854e0e74bf7de5a815818fd085e53d8b7247e5705 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/rsyslogd | c5251e252d8b94dac5b525ded92b0777acad9120cbf9111b76fe982d1f22370c | Gafgyt | elf gafgyt mirai ua-wget
http://78.142.229.12/getty | 0c06e226c8ed6b8ea93b8c6c25b336d0f00a19d908378ee51b57b2a7abc313c5 | Gafgyt | elf gafgyt mirai ua-wget
http://78.142.229.12/katrina | 253323f9c6e8f52917123fff333aeb7740e249a642a444a8c30484eae5236ab3 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/agetty | 6adac86bf0a67c68c36d72e1e5216da5ac92062f4c51ed20afc72f2d86bf385e | Gafgyt | elf gafgyt mirai ua-wget
http://78.142.229.12/klogd | dfb966237322190a59784b6e5d2a1e2fa477db2f79ed1567c51fc6e9ed1588f5 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/sh | d75cd4210b50f78eb246762b9bb8d83a5fcdd1aac47cbddda5af123fd55781b8 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/s | d77dfc766af0616f59fef98f8bc82767f4b76dabc3b24cbdabd4c5d3cbd70e3f | Mirai | elf gafgyt mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 43
Origin country: DE
Vendor Threat Intelligence
Status: terminated
Behavior Graph: (sandbox process graph; raw node and edge listing not reproduced here)
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-08-26 20:41:42 UTC
File Type: Text (Shell)
AV detection: 22 of 36 (61.11%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:gafgyt antivm botnet defense_evasion discovery linux
Behaviour
Reads runtime system information
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads system network configuration
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Gafgyt | sh 0cbca43f0b524cd4e31efb11889c4282ef3458b94e5645aacea68e0bba285688 (this sample)

Delivery method: Distributed via web download

Comments