MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ddb59e2b1ee01d1ecf05d0caff3e7df6d6725aeb534fd9285a729d9430cba91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt
Vendor detections: 6

SHA256 hash: 2ddb59e2b1ee01d1ecf05d0caff3e7df6d6725aeb534fd9285a729d9430cba91
SHA3-384 hash: 8360bac4281aed10432b59647343116c55e3f83e69dda8f03ee7fd34967251f4b94ead43c60ef8a8faf2b2a9772a104a
SHA1 hash: 3ff59127599cfdb7ec43bafda5e8e855a8f83304
MD5 hash: eeb0a635f35ccb9e3d42084859fb0cbd
humanhash: seven-cold-kansas-queen
File name: skid.sh
Signature: Gafgyt
File size: 1'179 bytes
First seen: 2025-04-26 13:53:27 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 24:16mchF6mohue6uw6tntgU6bFbWq36uS6Df6fNIlT:16mchF6mohue6uw6tntgU6ZbJ36uS6Df
TLSH: T10D21608A21B6C934ADE2BF1371A4864875D2D0A620E7EF35EDFE34D644CDD183441EA3
Magika: txt
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 69
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: downloader mirai agent hype

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin remote

Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-04-26 13:54:27 UTC
File Type: Text (Shell)
AV detection: 17 of 24 (70.83%)
Threat level: 3/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gafgyt
File type: sh
SHA256 hash: 2ddb59e2b1ee01d1ecf05d0caff3e7df6d6725aeb534fd9285a729d9430cba91 (this sample)

Distributed via web download.
