MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d60b99dcb9736484ff7e6d2bf831f05e36ff94819ccf8d5bd16d1d2e24d3ffc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	3d60b99dcb9736484ff7e6d2bf831f05e36ff94819ccf8d5bd16d1d2e24d3ffc
SHA3-384 hash:	23188f7edd639f9c2d4524c3b8b6b4789712e20b6cadbfc4f3a0a760277fd33ae4ae43a5e3472ba68136f0ff2b9ee010
SHA1 hash:	b9c7121b5346b0ef9ef9daa29c14965f87ea0c5b
MD5 hash:	a83ee62337e4218437d35daa84961324
humanhash:	hawaii-oxygen-sierra-shade
File name:	cat.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	1'845 bytes
First seen:	2026-01-29 16:43:36 UTC
Last seen:	2026-01-30 03:45:37 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:TKYicDdBzKtcr1CTlWZPZBM/hfjuj1bCj2j2wa9D6fFIho7jJ0gKJicJbz94BESd:6u1OhNo7Sc
TLSH	T16231EECEA1B8D249C598EE00B0F54DCA7336B69075B5463AFCC11EE780C9E543C1DABA
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://31.56.120.29/iran.x86_64	f7d18c9a789c65d5be7001a24fc85bcb08ea9e50a6edd99bf93acb0243b5cc2b	Gafgyt	elf gafgyt ua-wget
http://31.56.120.29/iran.aarch64	b149da965dbf8b6569de53bd3c05764ca55eade11630ada7aa492ffd8dc11bf2	Mirai	elf mirai ua-wget
http://31.56.120.29/iran.m68k	b37244ac0b144b38fcd1436a02e4fc200c63ef92bb6be35dc00de641629c5c78	Mirai	elf mirai ua-wget
http://31.56.120.29/iran.mips	ef3acaa9f6394dbd124a1e8d587ebdb72f0b09f5da63759383e3f7ccf4d5b1ac	Mirai	elf mirai ua-wget
http://31.56.120.29/iran.mipsel	b9f855b8e459e5f585609d26e0c4053a07cb65b4ba14dc6d2617b86598359218	Mirai	elf ua-wget
http://31.56.120.29/iran.powerpc	n/a	n/a	elf ua-wget
http://31.56.120.29/iran.sparc	d4c471bb5cc7749991c9844a2bdd2f711ae4456c9ec70a6a31e1a6e9d5da35a4	Mirai	elf ua-wget
http://31.56.120.29/iran.sh4	8cf9dfac47679c5c4bd67c100fcbdeb14e8783bf8ef3fae52dbd64a187e67a9e	Mirai	elf mirai ua-wget
http://31.56.120.29/iran.arc	2745f0ee553aa16064179362d20650ca143fdd8560888778c4b5bc65b33f9e30	Mirai	elf mirai ua-wget
http://31.56.120.29/iran.i486	c8aa6c553351d412e620c3921013fa88662f5e05be5ed09391f4c1c1a53d7bed	Mirai	elf mirai ua-wget
http://31.56.120.29/iran.armv4l	0705956d1a7d22017b5f374134ff92b8588123cbe27c61b9e049a2bd35550001	Mirai	elf mirai ua-wget
http://31.56.120.29/iran.armv5l	f43bde96f95443a3f2af30fc5efaf5d6ec7f3bcc61d189fee6da1457d62d55a1	Mirai	elf mirai ua-wget
http://31.56.120.29/iran.armv6l	ca81960eef221ec9773cdecb56c60998fd89381884b5242538e716ec5f8422bd	Mirai	elf mirai ua-wget
http://31.56.120.29/iran.armv7l	a0bd37ac0f19124b4aef184e55be1c7e38ab7b607c8bb2b134ed7a942c4b283d	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

mirai

Link:

https://www.filescan.io/uploads/697b8e6b552d46acbfef82e8/reports/8327091c-580d-46d3-85c2-31e54e252720/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-29T13:56:00Z UTC

Last seen:

2026-01-30T12:53:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/3d60b99dcb9736484ff7e6d2bf831f05e36ff94819ccf8d5bd16d1d2e24d3ffc/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/47a9af2b-20ce-41a1-83ef-4e11c427d22a

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/3d60b99dcb9736484ff7e6d2bf831f05e36ff94819ccf8d5bd16d1d2e24d3ffc

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3d60b99dcb9736484ff7e6d2bf831f05e36ff94819ccf8d5bd16d1d2e24d3ffc/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/3d60b99dcb9736484ff7e6d2bf831f05e36ff94819ccf8d5bd16d1d2e24d3ffc

Threat name:

Document-HTML.Trojan.Vigorf

Status:

Malicious

First seen:

2026-01-29 16:35:43 UTC

File Type:

Text (Shell)

AV detection:

13 of 24 (54.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hvqlthols43eqt7x43jl7ay7axrw76kidhgprvn5c3i5fysnh76a._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260129-t83h9sh16f/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

UPX packed file

Enumerates running processes

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.37

Link:

https://yomi.yoroi.company/submissions/3d60b99dcb9736484ff7e6d2bf831f05e36ff94819ccf8d5bd16d1d2e24d3ffc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh