MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36be96091ea97fbd76065aeae7c3c328dee355588d01b9bf2732ebefb40ad068. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 7



SHA256 hash: 36be96091ea97fbd76065aeae7c3c328dee355588d01b9bf2732ebefb40ad068
SHA3-384 hash: f5535a7a8e7c68a9a1f707e6fd405f893088769b9325506fe98b5dd185287a1955ad2af60185ab338bb346a98b7e5407
SHA1 hash: 29153eb9742d9c073c673a7a4ebd375681b2428b
MD5 hash: 7f850fe20a2103edc9556e1c851d51d4
humanhash: illinois-avocado-robert-blossom
File name: 36be96091ea97fbd76065aeae7c3c328dee355588d01b9bf2732ebefb40ad068.sh
Signature: Gafgyt
File size: 519 bytes
First seen: 2025-09-29 08:02:04 UTC
Last seen: 2025-11-09 11:30:16 UTC
File type: sh
MIME type: text/plain
ssdeep: 12:UEmMSxRQanyGdVwanyKA3NgGkkRQanyGESanyn:U8Hany0wanylNITanyeanyn
TLSH: T1C0F089AA35553C30E424783B295745DC291F808BF967CF86BD7C9579C89FC24B8A0D44
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh

URL | Malware sample (SHA256 hash) | Signature | Tags
http://158.94.209.216/emips | fba5f81d83f00d094c55233e6364d14adc07de15a4b48c52c505cf324487d30e | Gafgyt | elf gafgyt
ftp://8.94.209.216:21/emips | n/a | n/a | n/a

Intelligence


File Origin
# of uploads: 2
# of downloads: 54
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive mirai

Verdict: Malicious
File Type: unix shell
First seen: 2025-09-14T10:16:00Z UTC
Last seen: 2025-09-14T10:16:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph: (sandbox process graph not reproduced here)

Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Script-Shell.Browser.Tsunami

Status: Malicious
First seen: 2025-09-14 12:52:18 UTC
File Type: Text (Shell)
AV detection: 6 of 37 (16.22%)
Threat level: 4/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gafgyt
File type: sh
SHA256 hash: 36be96091ea97fbd76065aeae7c3c328dee355588d01b9bf2732ebefb40ad068 (this sample)

Delivery method: Distributed via web download

Comments