MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24368a39bc657f616e03a3a25fb3de3e33fe5901e582bf6b39ed7bd532fca87a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6



SHA256 hash: 24368a39bc657f616e03a3a25fb3de3e33fe5901e582bf6b39ed7bd532fca87a
SHA3-384 hash: 4ca0e37c35b89e4071f73878dc9d70dfce2470c1f9e0ad1e7e3470d98ead02cc952364277eb6f25e3d389f600d8c18de
SHA1 hash: 75b0ce2917a43c2934cb7dd36c80202feebd55c9
MD5 hash: d0810fc96bdf811a0adfb7dca26ccf3f
humanhash: iowa-hydrogen-chicken-iowa
File name: wget.sh
Download: download sample
Signature: Gafgyt
File size: 1'209 bytes
First seen: 2025-08-23 08:56:21 UTC
Last seen: 2025-08-24 05:05:21 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:ThBh9Mk8QoGh4h26fhnheLevhtpcatkkzACrivj:ThL8QoGh4h2ohnhrvhoat/znyj
TLSH: T1F821C1CD81C0A73C49E5C918B2C39E3A705B42DD41E42AD8BC5F2D66F39CD5170A0F25
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
# of uploads: 2
# of downloads: 39
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-08-23T02:17:00Z UTC
Last seen: 2025-08-23T02:17:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2025-08-23 06:47:25 UTC
File Type: Text (Shell)
AV detection: 10 of 38 (26.32%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: credential_access defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Enumerates running processes
Reads MAC address of network interface
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Renames itself
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Gafgyt, sh 24368a39bc657f616e03a3a25fb3de3e33fe5901e582bf6b39ed7bd532fca87a (this sample)

Delivery method: Distributed via web download

Comments