MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a31dc354cf5a3ff20032959cc070c75fa1506a5ada81813959ce1a5e61142dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 11



SHA256 hash: 3a31dc354cf5a3ff20032959cc070c75fa1506a5ada81813959ce1a5e61142dd
SHA3-384 hash: 8678548da3a63ab5969391ca9327ee170b860958fb9ef01f8627a9e46f9a2417d236aa9a150945a13cbd4dcfcad7c340
SHA1 hash: 5a74faa85436a66e23f67c5b65b5ad22b60b2bde
MD5 hash: afdecca0cda60850e8217f456e4cf114
humanhash: april-triple-fanta-charlie
File name: afdecca0cda60850e8217f456e4cf114
Signature: Gafgyt
File size: 121'560 bytes
First seen: 2023-12-24 07:37:39 UTC
Last seen: 2023-12-28 13:50:05 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 3072:a67sDpv5SYQ6mPHCChfK7VtwFvC3RwbZnp:X7sDpv5SYQjZhy5tt3RwRp
TLSH: T15CC35A46B6C188FDC09AD1780AEEB037F860F1FD526C766727C0BE261C9DDA10F2A655
telfhash: t15a31ad701dda35e4a0e3e715730ee9e9d9b515110ee0b9a86f3bbed19e01b4c0dc2893
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter: zbetcheckin
Tags: 64 elf gafgyt

Intelligence


File Origin
# of uploads: 2
# of downloads: 149
Origin country: FR
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28880.LC.UNOFFICIAL
Sanesecurity.Malware.29325.LC.Pl.UNOFFICIAL
SecuriteInfo.com.Linux.Mirai-81.UNOFFICIAL
Sanesecurity.Malware.29524.LC.UNOFFICIAL
Sanesecurity.Malware.28878.LC.UNOFFICIAL
Sanesecurity.Malware.28877.LC.UNOFFICIAL
Unix.Trojan.Mirai-7100807-0
Unix.Dropper.Mirai-7135868-0
Unix.Dropper.Mirai-7135891-0
Unix.Dropper.Mirai-7135892-0
Unix.Dropper.Mirai-7136013-0
Unix.Dropper.Mirai-7136034-0
Unix.Dropper.Mirai-7136057-0
Unix.Dropper.Mirai-7540662-0
Unix.Dropper.Mirai-7540663-0
Unix.Trojan.Mirai-8025795-0
Unix.Trojan.Mirai-9441505-0
Unix.Trojan.Mirai-9858729-0
Unix.Trojan.Mirai-9945193-0
Unix.Trojan.Mirai-9946826-0
Unix.Dropper.Mirai-9977145-0
Unix.Dropper.Mirai-10008433-0
Unix.Trojan.Mirai-10011027-0
Unix.Trojan.Mirai-10011918-0
Unix.Packed.Botnet-6566031-0
Unix.Dropper.Botnet-6566040-0
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug botnet gafgyt lolbin mirai obfuscated remote

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 4
Number of processes launched: 2055
Processes remaining?: true
Remote TCP ports scanned: 37215,2323,23,8080,80,52869,7574,81,49152,8443,5555
Behaviour: Process Renaming
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Result
Verdict: MALICIOUS

Result
Threat name: Mirai, Moobot
Detection: malicious
Classification: troj
Score: 100 / 100
Signature:
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Detected Mirai
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mirai
Yara detected Moobot
Behaviour
Behavior Graph (image not reproduced): Behavior Graph ID 1366624, sample bn0b3xlHFZ.elf, start date 24/12/2023, architecture LINUX, score 100. Network nodes: 197.190.12.38 (zain-as, Ghana), 83.160.97.3 (XS4ALL-NL, Amsterdam, Netherlands) and 98 other IPs or domains. Signature nodes: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures. Process tree: bn0b3xlHFZ.elf starts further bn0b3xlHFZ.elf instances and an sh child, which in turn starts rm, mkdir, mv and chmod; two of the bn0b3xlHFZ.elf children each start three more bn0b3xlHFZ.elf instances plus 1067 and 1066 other processes respectively.
Threat name: Linux.Trojan.Gafgyt
Status: Malicious
First seen: 2023-12-24 03:23:49 UTC
File Type: ELF64 Little (Exe)
AV detection: 24 of 37 (64.86%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:mirai linux
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gafgyt
File type / SHA256: elf 3a31dc354cf5a3ff20032959cc070c75fa1506a5ada81813959ce1a5e61142dd (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2023-12-24 07:37:40 UTC

url : hxxp://37.44.238.75/mont/.nekoisdaddy.x86