MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24ee8d37eaeb351759f813c72a08d6e5a1545d5b01fbc7f6d3763c2277cceef8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 6



SHA256 hash: 24ee8d37eaeb351759f813c72a08d6e5a1545d5b01fbc7f6d3763c2277cceef8
SHA3-384 hash: 23cd75fb637f390f096689d9d89774dc6d61e364db1d33246d9d03987fbc3b4103ba7a37d7cdeb2142961fc4ec53d996
SHA1 hash: a436dc7911780aa5ed47ab91b9196a1894fa0d12
MD5 hash: 12bbd377209049584c30cbe2bf0b3bf8
humanhash: georgia-indigo-east-black
File name: tplink.sh
Signature: Gafgyt
File size: 1'241 bytes
First seen: 2025-08-25 20:38:43 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:boWBGhBh9Mk8QoOwle7eJHH28H1sUiUeIfKw2M5Kpatkk0:boGGhL8Qo1WsH28H1sUiUeIfv/5Iat/0
TLSH: T118213BDEA6D1B27D9D588D40F2928937F41F5BD42090BED8F54B38A5A85EC127025F23
Magika: shell
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://103.176.20.59/mips | 7cd5fb5b6d94ac2acf16f8904f6f307f47710df1d51129d55e70590a52dcf823 | Mirai | elf gafgyt mips mirai ua-wget
http://103.176.20.59/mpsl | e4acbf0a1448e928ea7714cf90692001c454b37d78b13a955f475568b36bbaec | Mirai | elf mips mirai ua-wget
http://103.176.20.59/arm | 8a235a9336092da5a5fd75dc7c04bf109a796cab8cbe52666f972c2c5f3ff285 | Mirai | arm elf geofenced mirai ua-wget USA
http://103.176.20.59/arm5 | 16877e8cab68f6d6a557b0bee1e41a6d938997cb31a62cfe017ed21867b41801 | Mirai | arm elf mirai ua-wget
http://103.176.20.59/arm7 | 0fd1878b69312fbf748d3be8ba65b3431083985fcfe65a3b32a74a8ef69cdf89 | Mirai | arm elf mirai ua-wget
http://103.176.20.59/x86 | 81a6645f942191bc2793f956acfc8fa2b80501171f8fc8bb0518ddddb050f649 | Mirai | censys elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 39
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
File Type: Script
Detections: HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Win32.Trojan.Vigorf
Status: Malicious
First seen: 2025-08-25 20:39:33 UTC
File Type: Text (Shell)
AV detection: 14 of 23 (60.87%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: credential_access defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Enumerates running processes
Reads MAC address of network interface
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Renames itself
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | Gafgyt | sh | 24ee8d37eaeb351759f813c72a08d6e5a1545d5b01fbc7f6d3763c2277cceef8 (this sample)

Delivery method: Distributed via web download
