MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ac38c1708e7221ee617c9f80273d1d6dac3c2591f59b72bb9c1e9df1a87eff6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	3ac38c1708e7221ee617c9f80273d1d6dac3c2591f59b72bb9c1e9df1a87eff6
SHA3-384 hash:	f4e2ea2f0c59a89a7af487353ab2c0ae12be36c62487f9031f89f7d8de1a9154d265d6c44a2148307b91d6139acf59f3
SHA1 hash:	8b1b5ede0cd12983082e4afe78e3059da3f5f796
MD5 hash:	ad9c3d380bb9d2a0380db85b572ebd8b
humanhash:	pluto-queen-hamper-skylark
File name:	bb.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	2'050 bytes
First seen:	2025-06-17 18:44:25 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:vGwKjeGWt3JGgFGZsGwNImksG5sGeGtsGxUGcJGeGYLGNKNGjaPaoaoGv:v5Kjeb/JFHlJfbLoUFJDjL+4lyZo4
TLSH	T1A34114CA71E209727C60D917726F648435F0A69650F99F1AFCDD3CE941DED887008E93
Magika	shell
Reporter	abuse_ch
Tags:	gafgyt sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://31.56.39.249/Demon.mips	823509b26a440736f00f76a3c627f6e472d183ecbf25cc5641dc1f22aef6f2be	Mirai	mirai opendir
http://31.56.39.249/Demon.mpsl	923ed9145bd6766f389229d43e3c195ed9df67de696ead3aa51f0df44e3429d8	Mirai	mirai opendir
http://31.56.39.249/Demon.sh4	4e02226f33804c4ad4ebbc2eaae1dff4c7efe8fb42f30e5ecd6a3380890a4308	Mirai	mirai opendir
http://31.56.39.249/Demon.x86	507134ffeb79bcf993258948e08ed276cf25d5aa81896371c0bae3a4e884dfc5	Mirai	mirai opendir
http://31.56.39.249/Demon.arm6	n/a	n/a	mirai opendir
http://31.56.39.249/Demon.i686	103799224b5959e025e3c1adc674e29c6945848161bdb086bfb67e786ea0b136	Mirai	mirai opendir
http://31.56.39.249/Demon.ppc	e3140efa0122523ea82d0dc0be5a8eacc92a8e5a2972400d0095dc7fddbfb193	Mirai	mirai opendir
http://31.56.39.249/Demon.i586	bd792b6302ec18d1dda59e5554bb719f2bc0de653bb02591922e19f30ab4f374	Mirai	mirai opendir
http://31.56.39.249/Demon.m68k	d7f2b5605991a843979f97f585e5cd78659a07847acf10926a48bbfc8b14b7d4	Mirai	mirai opendir
http://31.56.39.249/Demon.sparc	1a19b52722d1422f2e501a40b97f1bf9f73afd4d3261ec329c36e37a83b8af42	Mirai	mirai opendir
http://31.56.39.249/Demon.arm4	c688bc41fdea54b2bc80ac803fc74949f4ac27304fb29d364b57d177afbed417	Gafgyt	gafgyt opendir
http://31.56.39.249/Demon.arm5	9169794a0fe58f80f6045d8773201538815956952c001a9abb22ad980e5e3987	Gafgyt	gafgyt opendir
http://31.56.39.249/Demon.arm7	836a2bd687f6820e26017b30f011864f4b7274a53166e78d52c116757e37b998	Mirai	mirai opendir
http://31.56.39.249/Demon.ppc440fp	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

# of downloads :

132

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6851b8b7ead9bba2060dc515linux22vpnfull_triage

Tags:

downloader trojan agent

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/80345326-e28b-46fa-9fe9-f323e51b549b

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/3ac38c1708e7221ee617c9f80273d1d6dac3c2591f59b72bb9c1e9df1a87eff6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3ac38c1708e7221ee617c9f80273d1d6dac3c2591f59b72bb9c1e9df1a87eff6/

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2025-06-17 18:46:20 UTC

File Type:

Text (Shell)

AV detection:

25 of 38 (65.79%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hlbyyfyi44rb5zqxzh4ae46r23nmhqszd5m3ok5zyhu56guh573a._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/250617-xetwtaszh1/

Behaviour

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Reads system network configuration

Reads system routing table

File and Directory Permissions Modification

Executes dropped EXE

Detected Gafgyt variant

Gafgyt family

Gafgyt/Bashlite

Malware Config

C2 Extraction:

31.56.39.249:666

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/3ac38c1708e7221ee617c9f80273d1d6dac3c2591f59b72bb9c1e9df1a87eff6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.