MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ebf139fe8271dd0c5ee67ae22e4d4269115508c089fb2f31143c3778ae3b193. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

SHA256 hash: 1ebf139fe8271dd0c5ee67ae22e4d4269115508c089fb2f31143c3778ae3b193
SHA3-384 hash: 518cc7d74f4a9fbc26044aa35ef1e3a47409549e83cb9424f7af53e6456ec72cde8cfd7cc10bd2680e8042b5312735d9
SHA1 hash: e74398c344065ef28bb83fe4bfee1fd82f639141
MD5 hash: ddb48274f64d81e1a2c8faf6b1ec9ca6
humanhash: dakota-summer-missouri-pasta
File name: sex.sh
Signature: Gafgyt
File size: 1'600 bytes
First seen: 2025-06-10 13:53:17 UTC
Last seen: 2025-06-11 09:30:48 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 12:q0FSV0Fg0FIc43fX0FYOeekX0FI0FwX0FQWe0F6fX0Fg0FEJhl0FEfaM0FOWK0FC:vS+RIc4kYOaspwsQWbYsRGhOuaFOKC
TLSH: T15B3171CA21A60978BCA0E96733BF890536D8E5CB14D62F192DFD3DF9588CE087000B97
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh

Intelligence

File Origin
Number of uploads: 4
Number of downloads: 65
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: trojandownloader trojan agent

Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-06-10 17:42:24 UTC
AV detection: 25 of 38 (65.79%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:gafgyt botnet defense_evasion discovery linux
Behaviour:
  System Network Configuration Discovery
  Writes file to tmp directory
  Changes its process name
  File and Directory Permissions Modification
  Executes dropped EXE
  Detected Gafgyt variant
  Gafgyt family
  Gafgyt/Bashlite
Malware Config
C2 Extraction: 5.252.177.70:23

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt
sh 1ebf139fe8271dd0c5ee67ae22e4d4269115508c089fb2f31143c3778ae3b193 (this sample)

Delivery method: Distributed via web download