MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1eb2d667642518243b790f55f61971ad769cad620f434bb8320d62118415d79f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 5


SHA256 hash: 1eb2d667642518243b790f55f61971ad769cad620f434bb8320d62118415d79f
SHA3-384 hash: 893504e93d35166241f2c9f23b4b1afad7390bc13db32c72e6dc06e1df419917245b2ec90112bc05d3c6429a133dc2d4
SHA1 hash: 0dba3d457e0bbc64a11b5178dc8f36b8f8533ed3
MD5 hash: 13f6d78a4839f8a4c98ce359bfcf5dd2
humanhash: hydrogen-comet-nevada-muppet
File name: toto
Signature: Gafgyt
File size: 343 bytes
First seen: 2025-07-28 20:22:09 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 6:5DBlvmxqSK5l6mPalLLIPly/gaOlV8iAKu:5jMqPf6W+vIdyoa6V+Ku
TLSH: T1E2E04FDD51D3E0FE88294D40B3619636D505F5D02170AFCDEA4974B1CCD9641312CF47
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh
IOCs

URL                          Malware sample (SHA256 hash)                                      Signature  Tags
http://103.176.20.59/lmips   6412011a49cc5f96c04fca7df6a71fa7ed0b9eddaa2eb8703cc8daab646d14b4  Gafgyt     censys elf gafgyt mirai ua-wget
http://103.176.20.59/lmpsl   n/a                                                               n/a        censys elf gafgyt mirai ua-wget
http://103.176.20.59/larm4   3b9fb643ee107c4fdc321425bf8801dae55aa9e5c392b6062e463ec8dde0cb9d  Mirai      censys elf mirai ua-wget
http://103.176.20.59/larm5   6490586ab557e772c4ddb5d0bdc469118f5af4997831d32273b2a219ef871791  Mirai      censys elf mirai ua-wget
http://103.176.20.59/larm7   7f9023fdbd0951650d408f62a2eb70dbaadd424d725957ee3d3a7780aa25c853  Mirai      censys elf mirai ua-wget

Intelligence

File Origin
# of uploads: 1
# of downloads: 33
Origin country: DE

Vendor Threat Intelligence
Status: terminated
Behavior Graph (sandbox process tree, reconstructed from the graph data):

/usr/bin/sudo (pid 3254)
  execve -> /tmp/sample.bin (pid 3260)
    execve -> /usr/bin/wget  (pid 3262)  net, send-data, write-file; sends 133 B to 103.176.20.59:80
    execve -> /usr/bin/chmod (pid 3372)
    clone  -> /usr/bin/dash  (pid 3374)
    execve -> /usr/bin/wget  (pid 3378)  net, send-data, write-file; sends 133 B to 103.176.20.59:80
    execve -> /usr/bin/chmod (pid 3549)
    clone  -> /usr/bin/dash  (pid 3550)
    execve -> /usr/bin/wget  (pid 3554)  net, send-data, write-file; sends 133 B to 103.176.20.59:80
    execve -> /usr/bin/chmod (pid 3673)
    clone  -> /usr/bin/dash  (pid 3676)
    execve -> /usr/bin/wget  (pid 3681)  net, send-data, write-file; sends 133 B to 103.176.20.59:80
    execve -> /usr/bin/chmod (pid 3859)
    clone  -> /usr/bin/dash  (pid 3862)
    execve -> /usr/bin/wget  (pid 3868)  net, send-data, write-file; sends 133 B to 103.176.20.59:80
    execve -> /usr/bin/chmod (pid 4105)
    clone  -> /usr/bin/dash  (pid 4106)

In short: the script runs five rounds of wget, chmod and dash, and every wget sends 133 bytes to 103.176.20.59:80, the same host that serves the ELF payloads listed in the IOC table.
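The tree above is the usual IoT downloader loop: a shell script repeatedly fetches something from one host, chmods it and spawns a shell. The following is an added example of detection logic for that pattern; it is not MalwareBazaar's or the sandbox's code. The event list is constructed to mirror the behaviour graph on this page (sudo -> /tmp/sample.bin -> five rounds of wget, chmod, dash, each wget sending 133 bytes to 103.176.20.59:80); the Event schema, the use of pid order as spawn order, and the two-round threshold are assumptions made for the example.

```python
"""Flag the download/chmod/execute loop visible in the behaviour graph above.

Added example, not MalwareBazaar or sandbox code. The event list is CONSTRUCTED
to mirror the process tree on this page; the Event schema is an assumption, not
a real sandbox export format.
"""
from collections import defaultdict
from dataclasses import dataclass
from posixpath import basename
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    kind: str                               # "execve" or "clone"
    net: Optional[Tuple[str, int]] = None   # (host, port) the process sent data to
    sent: int = 0                           # bytes sent, if any


@dataclass
class Finding:
    parent_pid: int
    parent_image: str
    rounds: int
    hosts: List[str]        # "host:port" IOCs seen in the loop
    bytes_sent: int


DOWNLOADERS = {"wget", "curl", "tftp", "ftpget", "busybox"}
SHELLS = {"sh", "dash", "bash", "ash"}
MIN_ROUNDS = 2  # one fetch+chmod+run is common in installers; a loop of them is not


def build_events() -> List[Event]:
    """Constructed events modelled on the page's behaviour graph (not real data)."""
    events = [
        Event(3254, 1, "/usr/bin/sudo", "execve"),
        Event(3260, 3254, "/tmp/sample.bin", "execve"),
    ]
    # (wget, chmod, dash) pids per round, in the order the graph lists them
    rounds = [(3262, 3372, 3374), (3378, 3549, 3550), (3554, 3673, 3676),
              (3681, 3859, 3862), (3868, 4105, 4106)]
    for wget_pid, chmod_pid, dash_pid in rounds:
        events.append(Event(wget_pid, 3260, "/usr/bin/wget", "execve",
                            net=("103.176.20.59", 80), sent=133))
        events.append(Event(chmod_pid, 3260, "/usr/bin/chmod", "execve"))
        events.append(Event(dash_pid, 3260, "/usr/bin/dash", "clone"))
    return events


def detect_downloader_loops(events: List[Event],
                            min_rounds: int = MIN_ROUNDS) -> List[Finding]:
    """Return one Finding per parent that spawns downloader -> chmod -> shell
    at least `min_rounds` times. Children are ordered by pid, which stands in
    for spawn order here (assumption: the graph lists them in that order)."""
    by_pid: Dict[int, Event] = {e.pid: e for e in events}
    children: Dict[int, List[Event]] = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    findings: List[Finding] = []
    for ppid, kids in children.items():
        kids = sorted(kids, key=lambda e: e.pid)
        names = [basename(k.image) for k in kids]
        rounds, hosts, sent, i = 0, [], 0, 0
        while i + 2 < len(kids):
            if (names[i] in DOWNLOADERS and names[i + 1] == "chmod"
                    and names[i + 2] in SHELLS):
                rounds += 1
                if kids[i].net:
                    ioc = "%s:%d" % kids[i].net
                    if ioc not in hosts:
                        hosts.append(ioc)
                sent += kids[i].sent
                i += 3          # consume the whole round
            else:
                i += 1          # not a round; slide forward one child
        if rounds >= min_rounds:
            parent = by_pid.get(ppid)
            findings.append(Finding(ppid, parent.image if parent else "?",
                                    rounds, hosts, sent))
    return findings


if __name__ == "__main__":
    for f in detect_downloader_loops(build_events()):
        print(f"pid {f.parent_pid} ({f.parent_image}): {f.rounds} fetch/chmod/exec "
              f"rounds, {f.bytes_sent} B sent, IOCs {f.hosts}")
```

The threshold matters: a single fetch, chmod and run is what many legitimate install scripts do, so the detector only fires when the triple repeats under the same parent, which is what distinguishes a multi-architecture dropper from an installer.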
Threat name: Script.Trojan.Malgent
Status: Malicious
First seen: 2025-07-28 21:48:30 UTC
File Type: Text (Shell)
AV detection: 9 of 24 (37.50%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The entry below shows additional information about this malware sample, such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Gafgyt
File type / sample: sh 1eb2d667642518243b790f55f61971ad769cad620f434bb8320d62118415d79f (this sample)

Comments