MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2dbf3a5ac4b18c5b11c1755a816c18b54c90a51565d8467e2e19cdc602c8b98d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2dbf3a5ac4b18c5b11c1755a816c18b54c90a51565d8467e2e19cdc602c8b98d
SHA3-384 hash: 7c1d57b96e4336e387654c927ebc10375c6451da9f75b4c3a40b1e114572434300dcea71960d48ac9c14746e5f31392b
SHA1 hash: f312f2855f640461549ddee3549f753943ddc305
MD5 hash: 16a050de371b62e430c0a0eb5466bfcf
humanhash: friend-salami-utah-seven
File name:weed
Download: download sample
Signature Gafgyt
Create hunting rule
File size:4'064 bytes
First seen:2025-04-05 22:32:08 UTC
Last seen:2025-04-07 09:20:48 UTC
File type: sh
MIME type:text/plain
ssdeep 96:1bsE/tzc7MxNTr44jpfgHw/nx3NB6CDLTFv:NLrvjp4Hwp/p/TFv
TLSH T1A5816EE839315F7FCD99DF54E2208872787E509529E18F44A0BE34BAB6BFD04E1A0617
Magika shell
Reporter abuse_ch
Tags:gafgyt sh
URLMalware sample (SHA256 hash)SignatureTags
http://185.39.207.117/nimips5b339544ba55c78bff25dbd5e737cd854d6c61d5ed3b1866d6d5fe110a8a9d7e Miraiddos elf mirai
http://185.39.207.117/mpsl77adfd58c50986b6d252a69e969fc4155ae57c9e5a7fe4e90e93526755a4ccde Gafgytddos elf gafgyt mirai
http://185.39.207.117/arm8856683950f423745d59b13c343024508084de08361fda0d42cdf9129e556d18 Miraiddos elf mirai
http://185.39.207.117/arm53a5c86a7631f29a6f599ef74a218dfcc9291aa525cd36fd06d2650364dd1b8d2 Gafgytddos elf gafgyt mirai
http://185.39.207.117/arm65f42803eab74d911c451ba243f92fa339781b0abb7c2cd77fe7840d087ce84f2 Gafgytgafgyt mirai ua-wget
http://185.39.207.117/arm74609c07c381e508ccdaf2ade1709ded444c168ca7333144d5cf91784b77b1b6b Miraimirai ua-wget
ftp://5.39.207.117:8021/nimipsn/an/an/a
ftp://5.39.207.117:8021/mpsln/an/an/a
ftp://5.39.207.117:8021/armn/an/an/a
ftp://5.39.207.117:8021/arm5n/an/an/a
ftp://5.39.207.117:8021/arm7n/an/an/a
ftp://5.39.207.117:8021/arm6n/an/an/a

Intelligence

File Origin
# of uploads :
12
# of downloads :
110
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f20988a695a0cd1fab45b2linux22vpnfull_triage
Tags:
trojan agent virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
busybox evasive expand lolbin remote
Link:
https://www.filescan.io/uploads/67f1af7640adfb5162b9dbe6/reports/a31c626d-8e0a-411b-8926-4344e0385132/overview
Verdict:
Malicious
Labled as:
Linux.Medusa.C.Generic
Link:
https://www.hybrid-analysis.com/sample/2dbf3a5ac4b18c5b11c1755a816c18b54c90a51565d8467e2e19cdc602c8b98d
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/2dbf3a5ac4b18c5b11c1755a816c18b54c90a51565d8467e2e19cdc602c8b98d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2dbf3a5ac4b18c5b11c1755a816c18b54c90a51565d8467e2e19cdc602c8b98d/
Threat name:
Script-Shell.Downloader.Medusa
Create hunting rule
Status:
Malicious
First seen:
2025-04-05 23:30:22 UTC
File Type:
Text (Shell)
AV detection:
15 of 38 (39.47%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fw7tuwwewggfweobovnic3aywvgjbjivmxmem7rodhg4mawixggq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2dbf3a5ac4b18c5b11c1755a816c18b54c90a51565d8467e2e19cdc602c8b98d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh 2dbf3a5ac4b18c5b11c1755a816c18b54c90a51565d8467e2e19cdc602c8b98d

(this sample)

Mirai

elf 5b339544ba55c78bff25dbd5e737cd854d6c61d5ed3b1866d6d5fe110a8a9d7e

  
URLhaus
https://urlhaus.abuse.ch/url/3502227/
  
Delivery method
Distributed via web download
  
Dropping
MD5 833feb0df15c75d09fd2f10ffbd7b5e0
  
Dropping
SHA256 5b339544ba55c78bff25dbd5e737cd854d6c61d5ed3b1866d6d5fe110a8a9d7e
  
URLhaus
https://urlhaus.abuse.ch/url/3502598/
  
URLhaus
https://urlhaus.abuse.ch/url/3502608/
  
URLhaus
https://urlhaus.abuse.ch/url/3502605/
  
URLhaus
https://urlhaus.abuse.ch/url/3502607/
  
URLhaus
https://urlhaus.abuse.ch/url/3502633/
  
URLhaus
https://urlhaus.abuse.ch/url/3502636/
  
URLhaus
https://urlhaus.abuse.ch/url/3502641/
  
URLhaus
https://urlhaus.abuse.ch/url/3502664/
  
URLhaus
https://urlhaus.abuse.ch/url/3502665/
  
URLhaus
https://urlhaus.abuse.ch/url/3502666/
  
URLhaus
https://urlhaus.abuse.ch/url/3502667/
  
URLhaus
https://urlhaus.abuse.ch/url/3502670/
  
URLhaus
https://urlhaus.abuse.ch/url/3502676/
  
URLhaus
https://urlhaus.abuse.ch/url/3502680/
  
URLhaus
https://urlhaus.abuse.ch/url/3502687/
  
URLhaus
https://urlhaus.abuse.ch/url/3502693/
  
URLhaus
https://urlhaus.abuse.ch/url/3502706/
  
URLhaus
https://urlhaus.abuse.ch/url/3502711/
  
URLhaus
https://urlhaus.abuse.ch/url/3502712/
  
URLhaus
https://urlhaus.abuse.ch/url/3502725/
  
URLhaus
https://urlhaus.abuse.ch/url/3502728/
  
URLhaus
https://urlhaus.abuse.ch/url/3502732/
  
URLhaus
https://urlhaus.abuse.ch/url/3502733/
  
URLhaus
https://urlhaus.abuse.ch/url/3502738/
  
URLhaus
https://urlhaus.abuse.ch/url/3502742/
  
URLhaus
https://urlhaus.abuse.ch/url/3502744/
  
URLhaus
https://urlhaus.abuse.ch/url/3502754/
  
URLhaus
https://urlhaus.abuse.ch/url/3502755/
  
URLhaus
https://urlhaus.abuse.ch/url/3502758/
  
URLhaus
https://urlhaus.abuse.ch/url/3502764/
  
URLhaus
https://urlhaus.abuse.ch/url/3502765/
  
URLhaus
https://urlhaus.abuse.ch/url/3502768/
  
URLhaus
https://urlhaus.abuse.ch/url/3502798/
  
URLhaus
https://urlhaus.abuse.ch/url/3502799/

Comments