MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13f166bc0c57ed6f23acf5613c8366e0d4cfab1ca97b2689a841d48b9f237a14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments

SHA256 hash: 13f166bc0c57ed6f23acf5613c8366e0d4cfab1ca97b2689a841d48b9f237a14
SHA3-384 hash: da02cfba597ce87a23eb4c832475bdb1338fa4c1535a972dd682b3824ebf42adabee535ad137b082f2414bf1affec5f8
SHA1 hash: a94a9e0e90b7fdc248400367d8d7abefdcd866ac
MD5 hash: fb765baa0546207256251312de8ed2eb
humanhash: triple-carpet-speaker-indigo
File name:ionetworks.arm6
Download: download sample
Signature Gafgyt
File size:138'878 bytes
First seen:2025-12-13 02:35:05 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:A5upxw7bIfTzhm32x8E9laJE2thjq3BHoFdGP5hMH2A0DXfgwjWlmyhQaS+pg7J:ACeE9laJE2PNGP5hMH2EwqlmyhQaSGgl
TLSH T152D30905D4508B23C2D2677AFF9E474F37225BA89B9B332256296EB02FC179D2E3D510
telfhash t1be213003a5b98a192fb79d64ac7c06f11261a623b3417eb0ef1ec1848d37002b839c9b
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence


File Origin
# of uploads :
1
# of downloads :
56
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-12-12T08:49:00Z UTC
Last seen:
2025-12-14T23:48:00Z UTC
Hits:
~10
Result
Threat name:
Mirai, Gafgyt, Xmrig
Detection:
malicious
Classification:
spre.troj.evad.mine
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Mirai
Detected Stratum mining protocol
Found malware configuration
Found strings related to Crypto-Mining
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Stdout / stderr contain strings indicative of a mining client
Suricata IDS alerts for network traffic
Tries to load the MSR kernel module used for reading/writing to CPUs model specific register
Uses known network protocols on non-standard ports
Writes identical ELF files to multiple locations
Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)
Yara detected Gafgyt
Yara detected Mirai
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1831952 Sample: ionetworks.arm6.elf Startdate: 13/12/2025 Architecture: LINUX Score: 100 145 us-qrl.miningocean.org 15.204.240.197, 3333, 34598 HP-INTERNET-ASUS United States 2->145 147 193.35.154.205, 282, 3344, 43318 AS43260TR Bulgaria 2->147 149 3 other IPs or domains 2->149 153 Suricata IDS alerts for network traffic 2->153 155 Found malware configuration 2->155 157 Malicious sample detected (through community Yara rule) 2->157 161 10 other signatures 2->161 15 ionetworks.arm6.elf 2->15         started        18 dash rm 2->18         started        20 dash grep 2->20         started        22 2 other processes 2->22 signatures3 159 Detected Stratum mining protocol 145->159 process4 signatures5 167 Opens /proc/net/* files useful for finding connected devices and routers 15->167 169 Sample deletes itself 15->169 24 ionetworks.arm6.elf 15->24         started        process6 process7 26 ionetworks.arm6.elf 24->26         started        process8 28 ionetworks.arm6.elf sh 26->28         started        30 ionetworks.arm6.elf sh 26->30         started        32 ionetworks.arm6.elf sh 26->32         started        34 49 other processes 26->34 process9 36 sh xmrigDaemon 28->36         started        46 7 other processes 28->46 38 sh xmrigDaemon 30->38         started        50 7 other processes 30->50 40 sh xmrigDaemon 32->40         started        52 7 other processes 32->52 42 sh xmrigDaemon 34->42         started        44 sh xmrigDaemon 34->44         started        54 108 other processes 34->54 file10 56 xmrigDaemon sh 36->56         started        58 xmrigDaemon sh 38->58         started        60 xmrigDaemon sh 40->60         started        62 xmrigDaemon sh 42->62         started        64 xmrigDaemon sh 44->64         started        133 /xmrigMiner.2, ELF 46->133 dropped 135 /xmrigDaemon.2, ELF 46->135 dropped 137 /xmrigMiner, ELF 50->137 dropped 139 /xmrigMiner.1, ELF 52->139 dropped 141 /xmrigDaemon.1, ELF 52->141 dropped 171 Writes identical ELF files to multiple locations 52->171 143 /xmrigDaemon, ELF 54->143 dropped 66 xmrigDaemon sh 54->66         started        68 xmrigDaemon sh 54->68         started        70 xmrigDaemon sh 54->70         started        72 44 other processes 54->72 signatures11 process12 process13 74 sh xmrigMiner 56->74         started        77 sh xmrigMiner 58->77         started        79 sh xmrigMiner 60->79         started        81 sh xmrigMiner 62->81         started        83 sh xmrigMiner 64->83         started        85 sh xmrigMiner 66->85         started        87 sh xmrigMiner 68->87         started        89 sh xmrigMiner 70->89         started        91 19 other processes 72->91 signatures14 93 xmrigMiner 74->93         started        163 Sample reads /proc/mounts (often used for finding a writable filesystem) 77->163 96 xmrigMiner 77->96         started        98 xmrigMiner 79->98         started        100 xmrigMiner 81->100         started        102 xmrigMiner 83->102         started        104 xmrigMiner 85->104         started        106 xmrigMiner 87->106         started        108 xmrigMiner 89->108         started        110 xmrigMiner 91->110         started        process15 signatures16 112 xmrigMiner sh 93->112         started        165 Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher) 96->165 114 xmrigMiner sh 96->114         started        116 xmrigMiner sh 98->116         started        118 xmrigMiner sh 100->118         started        120 xmrigMiner sh 102->120         started        122 xmrigMiner sh 104->122         started        124 xmrigMiner sh 106->124         started        126 xmrigMiner sh 108->126         started        128 xmrigMiner sh 110->128         started        process17 process18 130 sh modprobe 114->130         started        signatures19 151 Tries to load the MSR kernel module used for reading/writing to CPUs model specific register 130->151
Threat name:
Linux.Network.LightAidra
Status:
Malicious
First seen:
2025-12-12 11:09:12 UTC
File Type:
ELF32 Little (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  3/5
Result
Malware family:
Score:
  10/10
Tags:
family:gafgyt family:xmrig antivm credential_access defense_evasion discovery miner persistence
Behaviour
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Checks CPU configuration
Reads system network configuration
Adds a user to the system
Reads system routing table
File and Directory Permissions Modification
Indicator Removal: Clear Command History
Deletes itself
Executes dropped EXE
Flushes firewall rules
OS Credential Dumping
Writes DNS configuration
Modifies password files for system users/ groups
XMRig Miner payload
Xmrig family
xmrig
Malware Config
C2 Extraction:
193.35.154.205:282
Verdict:
Malicious
Tags:
trojan gafgyt Unix.Dropper.Mirai-7139229-0
YARA:
Linux_Trojan_Gafgyt_28a2fe0c Linux_Gafgyt_May_2024
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:Linux_Gafgyt_Generic
Author:albertzsigovits
Description:Generic Approach to Mirai/Gafgyt samples
Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Generic_Threat_d2dca9e7
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_28a2fe0c
Author:Elastic Security
Rule name:Mal_LNX_Gafgyt_Botnet_ELF
Author:Phatcharadol Thangplub
Description:Use to detect Gafgyt botnet, and there variants.
Rule name:NET
Author:malware-lu
Rule name:setsockopt
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf 13f166bc0c57ed6f23acf5613c8366e0d4cfab1ca97b2689a841d48b9f237a14

(this sample)

  
Delivery method
Distributed via web download

Comments