MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38eef08452fe412b5ced2064695aaca1cc8510a5d73e9260621c88fee1527f47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 10


Intelligence 10 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38eef08452fe412b5ced2064695aaca1cc8510a5d73e9260621c88fee1527f47
SHA3-384 hash: 13aceea867c8c55a21b66e080b806b0b01f7005fd8f5582fa78b648b0421d792e6aa4fbb66c9ce5b39fc5facfc00c141
SHA1 hash: 373753471609905aad502fd7372ad7d50597a357
MD5 hash: 329b912d9d59ba023894793474f46a58
humanhash: indigo-snake-uniform-march
File name:586
Download: download sample
Signature Gafgyt
Create hunting rule
File size:96'268 bytes
First seen:2026-01-13 16:32:07 UTC
Last seen:2026-01-13 19:06:38 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:mmqmWTbw7U+OU0Cf5UI8E8WwP6kHzgk81VwcG2emzGMUNLe5um7WAgcVjmZIcBI:mms2UVUtBUI8GwPfHkk8rpeLesmqAgcr
TLSH T164933A56A780D5B3D14305B316979B620033FE7B1A5EAE0AE35E7CF18F3A0987221B5D
telfhash t1ad210246a1f68a685ff368205dbc46b5199217273351af70af1984c01c7b002a939ecb
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence

File Origin
# of uploads :
2
# of downloads :
44
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.29052.TSource.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Siggen.2205.UNOFFICIAL
Create hunting rule

Unix.Trojan.Gafgyt-6981154-0
Create hunting rule

Unix.Trojan.Tsunami-6981155-0
Create hunting rule

Unix.Dropper.Mirai-7138857-0
Create hunting rule

Unix.Trojan.Mirai-9853183-0
Create hunting rule

Unix.Trojan.Mirai-9907057-0
Create hunting rule

Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
gcc
Link:
https://www.filescan.io/uploads/696673a93827c9e1249b865d/reports/7b6da21e-e734-4658-ba97-fc633fad91f3/overview
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-01-13T14:44:00Z UTC
Last seen:
2026-01-13T23:44:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/38eef08452fe412b5ced2064695aaca1cc8510a5d73e9260621c88fee1527f47/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/e1f3e765-a0b2-4573-9ee6-7d3952c1cc1d
Behavior Graph:
Download SVG
%3 guuid=390681e5-1900-0000-4c89-79977b070000 pid=1915 /usr/bin/sudo guuid=e60291e7-1900-0000-4c89-79977d070000 pid=1917 /tmp/sample.bin guuid=390681e5-1900-0000-4c89-79977b070000 pid=1915->guuid=e60291e7-1900-0000-4c89-79977d070000 pid=1917 execve guuid=ca59b2e7-1900-0000-4c89-79977f070000 pid=1919 /tmp/sample.bin guuid=e60291e7-1900-0000-4c89-79977d070000 pid=1917->guuid=ca59b2e7-1900-0000-4c89-79977f070000 pid=1919 clone guuid=1735b7e7-1900-0000-4c89-799780070000 pid=1920 /tmp/sample.bin guuid=ca59b2e7-1900-0000-4c89-79977f070000 pid=1919->guuid=1735b7e7-1900-0000-4c89-799780070000 pid=1920 clone guuid=2aecc2e7-1900-0000-4c89-799781070000 pid=1921 /tmp/sample.bin net send-data zombie guuid=1735b7e7-1900-0000-4c89-799780070000 pid=1920->guuid=2aecc2e7-1900-0000-4c89-799781070000 pid=1921 clone b44c1cb7-4249-5277-94c4-faa018c8ed40 64.227.48.87:23 guuid=2aecc2e7-1900-0000-4c89-799781070000 pid=1921->b44c1cb7-4249-5277-94c4-faa018c8ed40 send: 95B guuid=a5af5df0-1900-0000-4c89-799795070000 pid=1941 /tmp/sample.bin guuid=2aecc2e7-1900-0000-4c89-799781070000 pid=1921->guuid=a5af5df0-1900-0000-4c89-799795070000 pid=1941 clone
Malware family:
Gafgyt
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14aa2e46-97a8-4b6f-809d-8ccfb2e4f202
Result
Threat name:
Gafgyt, Mirai
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1850010
Signature
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Gafgyt
Yara detected Mirai
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1850010 Sample: 586.elf Startdate: 13/01/2026 Architecture: LINUX Score: 96 22 64.227.48.87, 23, 48048 DIGITALOCEAN-ASNUS United States 2->22 24 169.254.169.254, 80 USDOSUS Reserved 2->24 26 daisy.ubuntu.com 2->26 28 Suricata IDS alerts for network traffic 2->28 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 3 other signatures 2->34 10 586.elf 2->10         started        12 python3.8 dpkg 2->12         started        signatures3 process4 process5 14 586.elf 10->14         started        process6 16 586.elf 14->16         started        process7 18 586.elf 16->18         started        process8 20 586.elf 18->20         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/38eef08452fe412b5ced2064695aaca1cc8510a5d73e9260621c88fee1527f47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38eef08452fe412b5ced2064695aaca1cc8510a5d73e9260621c88fee1527f47/
Threat name:
Linux.Trojan.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2026-01-13 16:20:17 UTC
File Type:
ELF32 Little (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hdxpbbcs7zaswxhnebsgswvmuhgikeff247jeydcdsep5yksp5dq._file
Result
Malware family:
gafgyt
Create hunting rule
Score:
  10/10
Tags:
family:gafgyt defense_evasion linux
Link:
https://tria.ge/reports/260113-t16kyscx2b/
Behaviour
Changes its process name
Modifies Watchdog functionality
Malware Config
C2 Extraction:
64.227.48.87:23
Verdict:
Malicious
Tags:
trojan mirai gafgyt Unix.Trojan.Gafgyt-6981154-0
YARA:
Linux_Trojan_Gafgyt_c573932b Linux_Trojan_Gafgyt_5bf62ce4 Linux_Trojan_Gafgyt_6122acdf Linux_Trojan_Gafgyt_7167d08f Linux_Trojan_Mirai_389ee3e9 elf_bashlite_auto
Link:
https://app.threat.zone/submission/21be7bca-77b3-4347-9312-63105730ab3f
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/38eef08452fe412b5ced2064695aaca1cc8510a5d73e9260621c88fee1527f47

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:Linux_Gafgyt_Generic
Create hunting rule
Author:albertzsigovits
Description:Generic Approach to Mirai/Gafgyt samples
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_5bf62ce4
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_6122acdf
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_7167d08f
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_c573932b
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_389ee3e9
Create hunting rule
Author:Elastic Security
Rule name:Mal_LNX_Gafgyt_Botnet_ELF
Create hunting rule
Author:Phatcharadol Thangplub
Description:Use to detect Gafgyt botnet, and there variants.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf 38eef08452fe412b5ced2064695aaca1cc8510a5d73e9260621c88fee1527f47

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3757348/
  
Delivery method
Distributed via web download

Comments