MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46e88d623410569a42e4d21f0b52d57de4fbe201b3164fb2f4d73b03ba8fdc6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Gafgyt

Vendor detections: 8

SHA256 hash: 46e88d623410569a42e4d21f0b52d57de4fbe201b3164fb2f4d73b03ba8fdc6b
SHA3-384 hash: f6e94f0b51229798a999a9a2c713089ab8e4d7b8495bbfce1fe1513c3221a31e691df64fbb3f64a27f81c0a8fd710240
SHA1 hash: 2b4caf84b2b4ffc031d8d0ce9c22abc6e5b99609
MD5 hash: 0a375cb828745f1a33938136693f84a1
humanhash: oven-nevada-one-network
File name: bins.sh
Signature: Gafgyt
File size: 2'030 bytes
First seen: 2025-02-05 19:46:22 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 48:1DaFiGeKwFxUquL1eswZwGGKExqbX4CZsiCrA6cOpJenJstGJ3UptkntsnKOUXEw:1MwUp0E0X7qtr4QwUzkts8XESa9e
TLSH: T1D7416C9E52924974ECA0B61B7665C840BDCCE5CB30C95FC56DDC3CF9348EE08742AA93
Magika: txt
Reporter: abuse_ch
Tags: sh
IOCs: payload URLs referenced by this script, each with the MalwareBazaar sample (SHA256), signature and tags of the file served from it

URL | Malware sample (SHA256 hash) | Signature | Tags
http://103.130.214.198/jackmymips | e88b9e4bf263da826ab1092a2ca78c8c44443daa77ba60f3665843196dd75b31 | Mirai | elf gafgyt mirai
http://103.130.214.198/jackmymipsel | ebff2d3d7e12ee71ad7bf63c2a6790f068dff22755e394c4291d2e12e247bced | Gafgyt | elf gafgyt
http://103.130.214.198/jackmysh4 | 1d270c64fc23a0c44fcdd08acd254c380a319299dc92b7759965baa37e0b0015 | Gafgyt | elf gafgyt mirai
http://103.130.214.198/jackmyx86 | 8877ce055688f8cf77a1ef610b4eae5dc7ec7bb42fc7fb4f87514570039c18e1 | Mirai | elf gafgyt mirai
http://103.130.214.198/jackmyarmv6 | 000a61bda7deb777f50d33a4157c19af75bf6ba5ef378400f85fdc2c3c5f98c0 | Gafgyt | elf gafgyt
http://103.130.214.198/jackmyi686 | a73322db71130be3321de46089b5ff02180f81ef74ced56be48dfbdd84beb6d8 | Gafgyt | elf gafgyt
http://103.130.214.198/jackmypowerpc | aee015f99b6ef72bdf5760c5df68ea912b210c2ea6b60449053b7f5d07d2ac88 | Gafgyt | elf gafgyt
http://103.130.214.198/jackmyi586 | 69647111ada35fe7ecbcf98db0bb9c247a2ed15f7d327d76509c987b7625d5dc | Mirai | elf gafgyt mirai
http://103.130.214.198/jackmym86k | 841ca3173f0eee4920d42cb45cdc5787e0973af886b7f840fce566b7fea97f8f | Gafgyt | elf gafgyt
http://103.130.214.198/jackmysparc | 12ddfbb33d1a468c86d7a040f4138cb76624925c04b58b89abb53062f380b697 | Gafgyt | elf gafgyt
http://103.130.214.198/jackmyarmv4 | a6083fb02112a07f1e808d8a5e2132aab3e2df5030dfd7ce4bf5576cb8d722e5 | Gafgyt | elf gafgyt
http://103.130.214.198/jackmyarmv5 | 0d20db4935b078b06b8b941df541a7e9c0449d2ce65f39fbdaa268acd2be5bef | Gafgyt | elf gafgyt
http://103.130.214.198/jackmypowerpc440 | 0d20db4935b078b06b8b941df541a7e9c0449d2ce65f39fbdaa268acd2be5bef | Gafgyt | elf

Intelligence

File Origin
# of uploads: 1
# of downloads: 148
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Score: 99.1%
Tags: medusa agent virus

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: lolbin remote

Result
Verdict: MALICIOUS
Threat name: Win32.Trojan.Gafgyt

Status: Malicious
First seen: 2025-01-26 07:59:30 UTC
File Type: Text (Shell)
AV detection: 16 of 24 (66.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour:
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Enumerates physical storage devices
- System Location Discovery: System Language Discovery
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Gafgyt
Sample: sh 46e88d623410569a42e4d21f0b52d57de4fbe201b3164fb2f4d73b03ba8fdc6b (this sample)
