MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39b3a360c62dab5c94ee9774cc4d50aac3d0db8abd329f222f75312cb2c1700d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39b3a360c62dab5c94ee9774cc4d50aac3d0db8abd329f222f75312cb2c1700d
SHA3-384 hash: c82cf3881394b994c2be771397f6e2fd3f3867cfe64ff6c6e8537414669e9872c477956af6cfe3eff543a6e9678b11a6
SHA1 hash: 912ecf5bed2d49b82f9f8c6d8679680a7e6a1897
MD5 hash: 2f6c603f3b8443f8acf4d8381ca18b84
humanhash: golf-twelve-kentucky-floor
File name:tplink
Download: download sample
Signature Gafgyt
Create hunting rule
File size:7'028 bytes
First seen:2025-05-15 02:21:56 UTC
Last seen:2025-05-16 02:30:21 UTC
File type: sh
MIME type:text/plain
ssdeep 96:NNJeC9F99P5Fhy3QaNpeKNlF93jTNTryHL27ywt4ouJ:4+c3QDA3kHLYywt4ouJ
TLSH T1CEE134CC3D914BBA0E1ADFE9E621C85AA44ED4C364908F192ABE20F8E9FDF047D14557
Magika shell
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://185.142.53.233/mips63e5d4c2ac320aa49bfc1c23e1a253c00ec5e51b4b64f0fb304c34f4d0a6fa56 Gafgytddos elf gafgyt mirai
http://185.142.53.233/mpsl1f20bd51306a7cd754a0d6864311ca2a4fc8def258607ba35285216eb39e6891 Gafgytddos elf gafgyt mirai
http://185.142.53.233/x8605e5afb5cf3997973ad7701749efddcc5876dcf7069d398c95c3e8dda1b2d088 Miraiddos elf mirai
http://185.142.53.233/i68618649e80c64bc1b3c27f82fb5b86424ac7d8b2c910dc10d888cdc1d4bd4db2bc Miraiddos elf mirai
http://185.142.53.233/sh4b2aae96dfe77848425790b7370da4c15fa7de04d3cb2c6469470c751bce0eb09 Gafgytgafgyt mirai ua-wget
http://185.142.53.233/ppc17277a6d4918a77790c1492d4595367a53249ad3e646589083488bba619b6fd3 Miraimirai ua-wget
http://185.142.53.233/arcn/an/amirai ua-wget
http://185.142.53.233/arm4e630d71a3ebf5faede6525d46ec1ce4880c2276b941e71f03fea47189efcbe4 Miraiddos elf mirai
http://185.142.53.233/arm571922b4599572f865e6446137409eddcca93ef567eeded9c2684c5adf9d33c72 Miraiddos elf mirai
http://185.142.53.233/arm6b1d10651ccda9afdfb1876f967df8b4f2971283e928dfcbc6f867abc58581dcb Miraiddos elf mirai
http://185.142.53.233/arm7b530d6edb5659f75331fac721a888aaae428a06d6b3f658b1b0c9d23c4b75ba0 Miraimirai ua-wget
ftp://5.142.53.233:8021/mipsn/an/an/a
ftp://5.142.53.233:8021/mpsln/an/an/a
ftp://5.142.53.233:8021/x86n/an/an/a
ftp://5.142.53.233:8021/i686n/an/an/a
ftp://5.142.53.233:8021/sh4n/an/an/a
ftp://5.142.53.233:8021/ppcn/an/an/a
ftp://5.142.53.233:8021/arcn/an/an/a
ftp://5.142.53.233:8021/armn/an/an/a
ftp://5.142.53.233:8021/arm5n/an/an/a
ftp://5.142.53.233:8021/arm6n/an/an/a
ftp://5.142.53.233:8021/arm7n/an/an/a

Intelligence

File Origin
# of uploads :
11
# of downloads :
102
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68257c4f4a59e5a2ce04b4aflinux22vpnfull_triage
Tags:
trojan agent hype
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
busybox evasive
Link:
https://www.filescan.io/uploads/68254fcd15ed82cd53d76480/reports/93e9beed-1d09-45a1-bb76-8e6c4f8d14a5/overview
Verdict:
Malicious
Labled as:
TrojanDownloader/Linux.Agent
Link:
https://www.hybrid-analysis.com/sample/39b3a360c62dab5c94ee9774cc4d50aac3d0db8abd329f222f75312cb2c1700d
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/39b3a360c62dab5c94ee9774cc4d50aac3d0db8abd329f222f75312cb2c1700d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39b3a360c62dab5c94ee9774cc4d50aac3d0db8abd329f222f75312cb2c1700d/
Threat name:
Script-Shell.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-15 05:26:47 UTC
File Type:
Text (Shell)
AV detection:
12 of 37 (32.43%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hgz2gyggfwvvzfhos52mytkqvlb5bw4kxuzj6irpouyszmwboagq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250515-f472asgl7z/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39b3a360c62dab5c94ee9774cc4d50aac3d0db8abd329f222f75312cb2c1700d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:UNK_install_script
Create hunting rule
Author:evilcel3ri
Description:Detects a suspicious behaviour in an bash installation script

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh 39b3a360c62dab5c94ee9774cc4d50aac3d0db8abd329f222f75312cb2c1700d

(this sample)

Gafgyt

elf 1115f758d81297173822b6403732150d67679c78959e03e4ca859337be0821f0

  
URLhaus
https://urlhaus.abuse.ch/url/3491779/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3491718/
  
URLhaus
https://urlhaus.abuse.ch/url/3491734/
  
URLhaus
https://urlhaus.abuse.ch/url/3491800/
  
URLhaus
https://urlhaus.abuse.ch/url/3491798/
  
URLhaus
https://urlhaus.abuse.ch/url/3491730/
  
URLhaus
https://urlhaus.abuse.ch/url/3491728/
  
URLhaus
https://urlhaus.abuse.ch/url/3491778/
  
URLhaus
https://urlhaus.abuse.ch/url/3491765/
  
URLhaus
https://urlhaus.abuse.ch/url/3491770/
  
URLhaus
https://urlhaus.abuse.ch/url/3491732/
  
URLhaus
https://urlhaus.abuse.ch/url/3491764/
  
URLhaus
https://urlhaus.abuse.ch/url/3491724/
  
URLhaus
https://urlhaus.abuse.ch/url/3491766/
  
URLhaus
https://urlhaus.abuse.ch/url/3491777/
  
URLhaus
https://urlhaus.abuse.ch/url/3491723/
  
URLhaus
https://urlhaus.abuse.ch/url/3491763/
  
URLhaus
https://urlhaus.abuse.ch/url/3491775/
  
URLhaus
https://urlhaus.abuse.ch/url/3491719/
  
URLhaus
https://urlhaus.abuse.ch/url/3491731/
  
URLhaus
https://urlhaus.abuse.ch/url/3491735/
  
URLhaus
https://urlhaus.abuse.ch/url/3491758/
  
URLhaus
https://urlhaus.abuse.ch/url/3491776/
  
URLhaus
https://urlhaus.abuse.ch/url/3491774/
  
URLhaus
https://urlhaus.abuse.ch/url/3491757/
  
URLhaus
https://urlhaus.abuse.ch/url/3491756/
  
URLhaus
https://urlhaus.abuse.ch/url/3491733/
  
URLhaus
https://urlhaus.abuse.ch/url/3491737/
  
URLhaus
https://urlhaus.abuse.ch/url/3491740/
  
URLhaus
https://urlhaus.abuse.ch/url/3491772/
  
URLhaus
https://urlhaus.abuse.ch/url/3491729/
  
URLhaus
https://urlhaus.abuse.ch/url/3491780/
  
URLhaus
https://urlhaus.abuse.ch/url/3491717/
  
URLhaus
https://urlhaus.abuse.ch/url/3491739/
  
URLhaus
https://urlhaus.abuse.ch/url/3491762/
  
URLhaus
https://urlhaus.abuse.ch/url/3491760/
  
Dropping
MD5 637ed2bcb915d94fc550ea0b656d8cfd
  
Dropping
SHA256 1115f758d81297173822b6403732150d67679c78959e03e4ca859337be0821f0

Comments