MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bb94741a7895cda8fc140564b8ab55cd27e52fd424f85d272c301765e7bf4f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bb94741a7895cda8fc140564b8ab55cd27e52fd424f85d272c301765e7bf4f5
SHA3-384 hash: 3d90542bc52828ca6da05bca628f6da7f939c611601215646114a60f7b7f5ce3862a4cb5f67e61167ac1182c4ffd9846
SHA1 hash: 6c8a81f23515513284875696cea2fae4b6493ee9
MD5 hash: e5f972e73f3c016bffb7a0b86e05bffa
humanhash: eighteen-kentucky-happy-twelve
File name:i.mips
Download: download sample
Signature Gafgyt
Create hunting rule
File size:167'173 bytes
First seen:2025-12-25 08:04:10 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:3qd1+SZkc0S6GQMhSsz9l5hRJ60LmK13itKbJ:E4SZkhS6GXL9l5hR5LmK136KbJ
TLSH T1D4F3846A3711AB7DD26CC2320BFB6B70E35521D236E1CB55E1ACD7181EA038D9C4EB60
telfhash t1e4215203a1b98a192fb79d64ac7c06f11261a623b3417eb0ef1ec1c48d37002b83dc9b
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.29325.LC.Pl.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Mirai-81.UNOFFICIAL
Create hunting rule

Unix.Dropper.Mirai-7139229-0
Create hunting rule

Unix.Trojan.Mirai-9864781-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bashlite exploit gafgyt gcc masquerade mirai
Link:
https://www.filescan.io/uploads/694cefff3f8fdbf8e951bc33/reports/feac122e-714a-4502-861f-fcff0b92f3d4/overview
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2025-12-25T05:24:00Z UTC
Last seen:
2025-12-25T12:48:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/2bb94741a7895cda8fc140564b8ab55cd27e52fd424f85d272c301765e7bf4f5/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/b2aab75a-713e-47c7-856d-e958e194ce09
Behavior Graph:
Download SVG
%3 guuid=5a0487dd-1700-0000-68ef-8786e00a0000 pid=2784 /usr/bin/sudo guuid=2abc8ee0-1700-0000-68ef-8786e20a0000 pid=2786 /tmp/sample.bin guuid=5a0487dd-1700-0000-68ef-8786e00a0000 pid=2784->guuid=2abc8ee0-1700-0000-68ef-8786e20a0000 pid=2786 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/22881059-17f1-484d-b0cc-a0b66d4a369d
Result
Threat name:
Mirai, Gafgyt, Xmrig
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1839255
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Mirai
Detected Stratum mining protocol
Found malware configuration
Found strings related to Crypto-Mining
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Stdout / stderr contain strings indicative of a mining client
Suricata IDS alerts for network traffic
Tries to load the MSR kernel module used for reading/writing to CPUs model specific register
Writes identical ELF files to multiple locations
Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)
Yara detected Gafgyt
Yara detected Mirai
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1839255 Sample: i.mips.elf Startdate: 25/12/2025 Architecture: LINUX Score: 100 141 us-qrl.miningocean.org 15.204.240.197, 3333, 57290 HP-INTERNET-ASUS United States 2->141 143 193.35.154.205, 2822, 3344, 38032 AS43260TR Bulgaria 2->143 145 2 other IPs or domains 2->145 147 Suricata IDS alerts for network traffic 2->147 149 Found malware configuration 2->149 151 Malicious sample detected (through community Yara rule) 2->151 155 9 other signatures 2->155 15 i.mips.elf 2->15         started        18 python3.8 dpkg 2->18         started        signatures3 153 Detected Stratum mining protocol 141->153 process4 signatures5 165 Opens /proc/net/* files useful for finding connected devices and routers 15->165 167 Sample deletes itself 15->167 20 i.mips.elf 15->20         started        process6 process7 22 i.mips.elf 20->22         started        process8 24 i.mips.elf sh 22->24         started        26 i.mips.elf sh 22->26         started        28 i.mips.elf sh 22->28         started        30 55 other processes 22->30 process9 32 sh xmrigDaemon 24->32         started        42 7 other processes 24->42 34 sh xmrigDaemon 26->34         started        46 7 other processes 26->46 36 sh xmrigDaemon 28->36         started        48 7 other processes 28->48 38 sh xmrigDaemon 30->38         started        40 sh xmrigDaemon 30->40         started        50 122 other processes 30->50 file10 52 xmrigDaemon sh 32->52         started        54 xmrigDaemon sh 34->54         started        56 xmrigDaemon sh 36->56         started        58 xmrigDaemon sh 38->58         started        60 xmrigDaemon sh 40->60         started        129 /xmrigMiner.1, ELF 42->129 dropped 131 /xmrigDaemon.1, ELF 42->131 dropped 133 /xmrigMiner.2, ELF 46->133 dropped 135 /xmrigDaemon.2, ELF 46->135 dropped 137 /xmrigMiner, ELF 48->137 dropped 161 Writes identical ELF files to multiple locations 48->161 139 /xmrigDaemon, ELF 50->139 dropped 62 xmrigDaemon sh 50->62         started        64 xmrigDaemon sh 50->64         started        66 xmrigDaemon sh 50->66         started        68 45 other processes 50->68 signatures11 process12 process13 70 sh xmrigMiner 52->70         started        73 sh xmrigMiner 54->73         started        75 sh xmrigMiner 56->75         started        77 sh xmrigMiner 58->77         started        79 sh xmrigMiner 60->79         started        81 sh xmrigMiner 62->81         started        83 sh xmrigMiner 64->83         started        85 sh xmrigMiner 66->85         started        87 20 other processes 68->87 signatures14 89 xmrigMiner 70->89         started        92 xmrigMiner 73->92         started        157 Sample reads /proc/mounts (often used for finding a writable filesystem) 75->157 94 xmrigMiner 75->94         started        96 xmrigMiner 77->96         started        98 xmrigMiner 79->98         started        100 xmrigMiner 81->100         started        102 xmrigMiner 83->102         started        104 xmrigMiner 85->104         started        106 2 other processes 87->106 process15 signatures16 159 Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher) 89->159 108 xmrigMiner sh 89->108         started        110 xmrigMiner sh 92->110         started        112 xmrigMiner sh 94->112         started        114 xmrigMiner sh 96->114         started        116 xmrigMiner sh 98->116         started        118 xmrigMiner sh 100->118         started        120 xmrigMiner sh 102->120         started        122 xmrigMiner sh 104->122         started        124 2 other processes 106->124 process17 process18 126 sh modprobe 112->126         started        signatures19 163 Tries to load the MSR kernel module used for reading/writing to CPUs model specific register 126->163
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/2bb94741a7895cda8fc140564b8ab55cd27e52fd424f85d272c301765e7bf4f5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2bb94741a7895cda8fc140564b8ab55cd27e52fd424f85d272c301765e7bf4f5/
Threat name:
Linux.Trojan.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2025-12-25 07:15:36 UTC
File Type:
ELF32 Big (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fo4uoqnhrfonvd6biblexcvvltjh4ux5ijhylutsymaxmxt36t2q._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:gafgyt family:xmrig credential_access defense_evasion discovery miner persistence
Link:
https://tria.ge/reports/251225-jyhe8s1lgl/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Reads system network configuration
Adds a user to the system
Reads system routing table
File and Directory Permissions Modification
Indicator Removal: Clear Command History
Deletes itself
Executes dropped EXE
Flushes firewall rules
OS Credential Dumping
Writes DNS configuration
Modifies password files for system users/ groups
XMRig Miner payload
Xmrig family
xmrig
Malware Config
C2 Extraction:
193.35.154.205:2822
Verdict:
Malicious
Tags:
trojan gafgyt Unix.Dropper.Mirai-7139229-0
YARA:
Linux_Trojan_Gafgyt_28a2fe0c Linux_Gafgyt_May_2024
Link:
https://app.threat.zone/submission/80be9347-6cdc-44d0-b3b4-c02e3343924c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/2bb94741a7895cda8fc140564b8ab55cd27e52fd424f85d272c301765e7bf4f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:Linux_Gafgyt_Generic
Create hunting rule
Author:albertzsigovits
Description:Generic Approach to Mirai/Gafgyt samples
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_28a2fe0c
Create hunting rule
Author:Elastic Security
Rule name:Mal_LNX_Gafgyt_Botnet_ELF
Create hunting rule
Author:Phatcharadol Thangplub
Description:Use to detect Gafgyt botnet, and there variants.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh 062f19f3c8f948c4d88ed7a163207f02014708635f57ac17c77e4aabfb10d264

Gafgyt

elf 2bb94741a7895cda8fc140564b8ab55cd27e52fd424f85d272c301765e7bf4f5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3743117/
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 062f19f3c8f948c4d88ed7a163207f02014708635f57ac17c77e4aabfb10d264
  
Dropped by
MD5 b1c2894691c65d0926d9673ee55591f2
  
URLhaus
https://urlhaus.abuse.ch/url/3732808/

Comments