MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2759a1bc0be90cca057cbf9a76cd4d7cb50a8c052e4d9896d2c69e7ae11adc8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 8



SHA256 hash: 2759a1bc0be90cca057cbf9a76cd4d7cb50a8c052e4d9896d2c69e7ae11adc8b
SHA3-384 hash: 6e916e7468f95da154fe5390e0d61e5cdd51a1794e9cb37076c0eca37a2147cfcaa2973bf00630078c1f085b7e8c1226
SHA1 hash: 033744f650d6f7ea32049d145bc8853cdc867b9c
MD5 hash: 8dfb4c14c8510f77bb4e04d0407a1330
humanhash: five-summer-hawaii-helium
File name: i686.ghost
Download: download sample
Signature: Gafgyt
File size: 123'664 bytes
First seen: 2026-07-03 00:47:56 UTC
Last seen: Never
File type: elf
MIME type: application/x-sharedlib
ssdeep: 3072:baNv2L8VfSL99oIW403a6VQjQDoCTTS7XFHrHlorjXbLf:2Nv2NoD/nDU79rMn
TLSH: T14EC34B46F792C4B3E1C301335053C7A55771EA32014ACE0BF7087E759D6678A8A6BBAD
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf gafgyt

Intelligence


File Origin
# of uploads: 1
# of downloads: 75
Origin country: DE
Vendor Threat Intelligence
No detections
Result
Verdict: Malware
Maliciousness:

Behaviour
Connection attempt
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 gcc rust
Verdict: Malicious
File Type: elf.32.le
First seen: 2026-07-03T01:49:00Z UTC
Last seen: 2026-07-03T02:05:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
Result
Threat name:
Detection: malicious
Classification: troj
Score: 76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains symbols with names commonly found in malware
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Behaviour
Behavior Graph:
Behavior Graph ID: 1937043; Sample: i686.ghost.elf; Startdate: 03/07/2026; Architecture: LINUX; Score: 76
Threat name: Linux.Trojan.Multiverze
Status: Malicious
First seen: 2026-07-03 00:48:24 UTC
File Type: ELF32 Little (SO)
AV detection: 10 of 24 (41.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: linux
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_dayzddos
Author: NDA0E
Description: dayzddos botnet
Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download
