MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 396f4d346bac8bf9f5aea36155ff55980a9528f1c57b0a6d76107cd6e8d3ad6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7



SHA256 hash: 396f4d346bac8bf9f5aea36155ff55980a9528f1c57b0a6d76107cd6e8d3ad6d
SHA3-384 hash: 3b2c37d0168ebd1b025820ce317a33a6e30a67e869ea7f24d50a84b6b0a24fbfedb39e0ad31dafa55e834e64cba6b204
SHA1 hash: 1008753e78668587c8cbdb44599ab7105cc26cb2
MD5 hash: bf8fef6ba57195ebc0b6b5c1ba5c8e25
humanhash: nevada-zebra-november-earth
File name: SnOoPy.sh
Signature: Gafgyt
File size: 1'357 bytes
First seen: 2025-12-06 19:33:36 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 12:q0FZQAeJo0FZQAlZJo0FZQAU1ZJo0FZQAW+ZJo0FZQsTHJo0FZQAkuJo0FZQAGZT:vyXyk9yd9ya9ysDy7kyF9y9ySyt
TLSH: T1302107DA19B309F7ECA7D4173379C81934D4A99A18CAAFBDE8DC75E5058CD087821B83
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://172.86.89.172/arm.SNOOPY | f53a6ecf45d009101914b646413510925dbbb4186f33674233ba0dbd489df581 | Mirai | mirai opendir
http://172.86.89.172/armv5l.SNOOPY | f53a6ecf45d009101914b646413510925dbbb4186f33674233ba0dbd489df581 | Mirai | mirai opendir
http://172.86.89.172/armv6l.SNOOPY | 56329ee73b38cd017eee61b1264610c5394be719543117aa8e11286b1519a143 | Mirai | mirai opendir
http://172.86.89.172/armv7l.SNOOPY | 56329ee73b38cd017eee61b1264610c5394be719543117aa8e11286b1519a143 | Mirai | mirai opendir
http://172.86.89.172/aarch64.SNOOPY | be12e8cbfb19907e617d4c2651b561587f833dfb041dda9dd2aec9249b29a7e3 | Gafgyt | gafgyt mirai opendir
http://172.86.89.172/mips.SNOOPY | 014d7e3eabbbb90a62d9a7a74553ad7a854683818acddd0e13a7072ed5f98fe6 | Mirai | mirai opendir
http://172.86.89.172/mipsel.SNOOPY | c180de0721fa4ed13c416404dcd56f6cb8b0485c4a993df3089c049e5a2e7e0d | Mirai | mirai opendir
http://172.86.89.172/powerpc.SNOOPY | ba6b9c8f6b19ccaa3bfeaca1c5bf5925beeb69cb31726f46208d423c1bb4466c | Gafgyt | gafgyt mirai opendir
http://172.86.89.172/x86_64.SNOOPY | cec1b93759a23a46eb6d36816420eba15f33afbefe92a3f7495415e27bd548a8 | Mirai | mirai opendir
http://172.86.89.172/i686.SNOOPY | cec1b93759a23a46eb6d36816420eba15f33afbefe92a3f7495415e27bd548a8 | Mirai | mirai opendir

Intelligence


File Origin
# of uploads: 1
# of downloads: 29
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
File Type: unix shell
First seen: 2025-12-06T17:23:00Z UTC
Last seen: 2025-12-07T17:16:00Z UTC
Hits: ~10
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-12-06 19:34:14 UTC
File Type: Text (Shell)
AV detection: 15 of 24 (62.50%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:gafgyt botnet defense_evasion discovery linux
Behaviour:
System Network Configuration Discovery
Writes file to tmp directory
Reads system network configuration
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Malware Config
C2 Extraction: 172.86.89.172:839
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Gafgyt: sh 396f4d346bac8bf9f5aea36155ff55980a9528f1c57b0a6d76107cd6e8d3ad6d (this sample)

Delivery method: Distributed via web download

Comments