MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19df9599c35847d7ebd4aeccbce3f26a4fee6a782b62eb48e62177c4c373922d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	19df9599c35847d7ebd4aeccbce3f26a4fee6a782b62eb48e62177c4c373922d
SHA3-384 hash:	66a2fbcf811229c998122322343d0b7d247bbc8908f04fd0451340009d1e43ebf98bd199540d3529eac8d7a96caec7a0
SHA1 hash:	b031c61794a0fe73a7ae32462f087e4a08e8233f
MD5 hash:	6f38ea958266bde0b81a1869ea10adf1
humanhash:	september-nevada-happy-lithium
File name:	tlr
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	142 bytes
First seen:	2024-12-25 11:41:18 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	3:LMFAURZjeFGBzOdFLTUWV72zgMFAURZUe8BzOdIUrZ1:LMFAUfNqt2zgMFAUoNC1
TLSH	T146C08CD520102A01C8407D1C3227899E60EBC3C4A2800B0F98C80612A8AC431F00EA80
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://64.49.14.19/mips	4fc73b02bd0cc4d44ee8da03ce5ab8b74fb67409fb223c3f36b06dc22dc0dd74	Gafgyt	32-bit elf gafgyt
http://64.49.14.19/mpsl	18c99e6db38118a4d50a0bca8dd475f700d3ff172a73fb6a48bdd599d4abae95	Gafgyt	elf gafgyt

Intelligence

File Origin

# of uploads :

1

# of downloads :

81

Origin country :

DE

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-34.UNOFFICIAL

Verdict:

Clean

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=676bf0be75bf3268d2fe6376linux22vpnfull_triage

Tags:

mirai agent hype sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug

Link:

https://www.filescan.io/uploads/676befa0d986a2005f8c3d5c/reports/e74237f8-d0f8-4734-a8fc-dbee25586c06/overview

Result

Verdict:

UNKNOWN

Score:

53%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/19df9599c35847d7ebd4aeccbce3f26a4fee6a782b62eb48e62177c4c373922d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/19df9599c35847d7ebd4aeccbce3f26a4fee6a782b62eb48e62177c4c373922d/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dhpzlgodlbd5p26uv3glzy7snjh642tyfnrowshgef34jq3tsiwq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/241225-nxvrdsspbj/

Behaviour

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/19df9599c35847d7ebd4aeccbce3f26a4fee6a782b62eb48e62177c4c373922d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 19df9599c35847d7ebd4aeccbce3f26a4fee6a782b62eb48e62177c4c373922d

(this sample)

elf 4fc73b02bd0cc4d44ee8da03ce5ab8b74fb67409fb223c3f36b06dc22dc0dd74

URLhaus

https://urlhaus.abuse.ch/url/3376081/

Delivery method

Distributed via web download

Dropping

MD5 ebaf6768ac8705e48d2403468bf8df74

Dropping

SHA256 4fc73b02bd0cc4d44ee8da03ce5ab8b74fb67409fb223c3f36b06dc22dc0dd74

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample