MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16fe582641f2fdc51c4dcffc184486eaf214b722b049ff16d5dc4abf0f747eb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 9

SHA256 hash: 16fe582641f2fdc51c4dcffc184486eaf214b722b049ff16d5dc4abf0f747eb6
SHA3-384 hash: db2ea5e89230e9718831de5b8f92e95826ab01210839a8426273413105cc6ff6efe864508cd6b135c51d7c80f8b6afbe
SHA1 hash: 22d2997c0c49904e0e22b9fe4e35510178d2f68f
MD5 hash: fd24e61f06ffb8ba759da7c920db263e
humanhash: butter-gee-india-freddie
File name: sex.sh
Signature: Gafgyt
File size: 1'574 bytes
First seen: 2026-04-11 08:39:23 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 12:q0FS8V0FSG0FS2c43fX0FSsAeekX0FSG0FS5UX0FSze0FS0fX0FSzi0FSol0FSJO:vt+ITc4kfAasYHs8bXsY35OZaFRKDb
TLSH: T1773132CF22E20EB0EC91A93732AA884475D4E1C754CA5F597CED39F6469CE157440BE3
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: BlinkzSec
Tags: gafgyt
URL | Malware sample (SHA256 hash) | Signature | Tags
http://45.156.87.140/mips | 6f7aaf9ac08bce8fff788051d55116a7917c0cf3a69dd32ffff86d3cfa09bf4f | Gafgyt | elf gafgyt ua-wget
http://45.156.87.140/mipsel | bd0af9b9371a9930a414019edacd73fffe2cd985567c2b35db137fbd9bde4cf5 | Gafgyt | elf gafgyt ua-wget
http://45.156.87.140/sh4 | c502d9e1791943b3090170a45de5e278d275c5ed1b58cf1b3be5059c6e36f3c6 | Gafgyt | elf gafgyt ua-wget
http://45.156.87.140/x86 | 3aa5d9b6715d22c5acf22182475df66becfd4b5943efd887b4be784189aafd03 | Gafgyt | elf gafgyt ua-wget
http://45.156.87.140/arm61 | fd3c466180447feeb0794564da5083be45a6ffafcd0423067bfe83062b4f0a11 | Gafgyt | elf gafgyt ua-wget
http://45.156.87.140/i686 | 7f289f4031b5f7026895b5e5d6355a3debf2bff536a4d3ba1b64b971a01fd0b3 | Gafgyt | elf gafgyt ua-wget
http://45.156.87.140/ppc | c847d8cebe44eec7ae9c476391aa2a0d1fdf03a699e0b56552e8074cca3cf6fb | Gafgyt | elf gafgyt ua-wget
http://45.156.87.140/586 | 3263f4af3ca3da90bb43debc46e02109e955b41f9244eb26da28c5b635c6d99f | Gafgyt | elf gafgyt ua-wget
http://45.156.87.140/m68k | 3bfe374843d21f804ca0c3b18f609696896ceb01262fb3a6869a8322993de4f7 | Gafgyt | elf gafgyt ua-wget
http://45.156.87.140/dc | c4e9c7e8ddf9d950f60d5b59b6d3258959ea3346e4b1c3ea335950dbf3024dc2 | Gafgyt | 45-156-87-140 elf gafgyt ua-wget
http://45.156.87.140/dss | 754e10f6ca0416cb56486737707c4451910bd0ec84022fcb2156330bd6a317e3 | Gafgyt | elf gafgyt ua-wget
http://45.156.87.140/co | 947789ee1dcabb73e7e8ac95da4ea1b890261f3486a1344fe4abbf87cac53030 | Gafgyt | elf gafgyt ua-wget
http://45.156.87.140/scar | n/a | n/a | elf ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 45
Origin country: GB

Vendor Threat Intelligence

No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive medusa mirai

Verdict: Malicious
File Type: unix shell
First seen: 2026-04-11T05:51:00Z UTC
Last seen: 2026-04-13T02:50:00Z UTC
Hits: ~100
Detections: HEUR:Trojan-Downloader.Shell.Agent.a, HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.gen, HEUR:Trojan-Downloader.Shell.Agent.cx
Status: terminated
Behavior Graph (process tree recovered from the sandbox graph; node guuids omitted):
/usr/bin/sudo (pid 2252)
  execve -> /tmp/sample.bin (pid 2259), which repeats the following sequence 13 times, once per download:
    execve -> /usr/bin/wget (net, send-data, write-file; each connects to 45.156.87.140:80 and sends 130 to 134 bytes; the last one, pid 2467, records no write-file)
    execve -> /usr/bin/chmod
    clone  -> /usr/bin/bash (10 times), or execve of the dropped binary: /tmp/x86 (pid 2322), /tmp/i686 (pid 2356), /tmp/586 (pid 2394)
    execve -> /usr/bin/rm (delete-file)
  Each executed dropped binary clones twice; the resulting process (net, send-data, zombie) connects to 45.156.87.140:1111, sends 95 bytes and clones once more:
    /tmp/x86  pid 2322 -> 2323 -> 2324 -> 2325 (send: 95B) -> 2330
    /tmp/i686 pid 2356 -> 2357 -> 2358 -> 2359 (send: 95B) -> 2362
    /tmp/586  pid 2394 -> 2395 -> 2396 -> 2397 (send: 95B) -> 2401
Network endpoints in the graph: 45.156.87.140:80 (wget downloads) and 45.156.87.140:1111 (dropped binaries).
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2026-04-11 08:37:41 UTC
File Type: Text (Shell)
AV detection: 17 of 24 (70.83%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:gafgyt botnet defense_evasion discovery linux
Behaviour:
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite

Malware Config
C2 Extraction: 45.156.87.140:1111

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gafgyt
File type: sh
SHA256: 16fe582641f2fdc51c4dcffc184486eaf214b722b049ff16d5dc4abf0f747eb6 (this sample)
