MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4714a6681225bd25e3c9eee967bf9305f655f61fecc502270fbc177acd0ebc1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	4714a6681225bd25e3c9eee967bf9305f655f61fecc502270fbc177acd0ebc1c
SHA3-384 hash:	bff16488d22ed7de16118abd06436e8211a7685e1960dd26ac12b32f8481173664424d2fe6f421c25679a7fb589ca6d9
SHA1 hash:	5c8adc513d614bd87c50f45b7ce0c58e143201b2
MD5 hash:	079688a05e660343a5a701c6342d4a7b
humanhash:	delta-india-fish-rugby
File name:	pXdN91.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	2'036 bytes
First seen:	2026-02-04 01:00:27 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	48:1e9a/seuXErhKAvqZA2YIOUo8oZ3v0biEvvSZXrvNAfE:1U4hKAwYIOUo8oRcI/
TLSH	T1474190CB3360CAB8ACB4696F3229741071F9A0B69BBE9F441BD834D9848DD1C30C5A73
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.242.3.143/pXdN91.mips	b6f913923e9c8845b3c1fa47035e3bd3c0c1cbab3660d01d90fae3ec8801cb37	Gafgyt	elf gafgyt mirai ua-wget
http://185.242.3.143/pXdN91.mipsel	8942eaaac37811aed637c9f8b194cc3764e5d37c34b94e00ba7b9352bb631cb5	Mirai	elf mirai ua-wget
http://185.242.3.143/pXdN91.sh4	8b279ece21d38c7ced805d3d96d4a67b884216ab3b8c6ea7ecdca79d17d3e643	Gafgyt	elf gafgyt ua-wget
http://185.242.3.143/pXdN91.x68	52f0a4ad4cb268800c821a2d9626f3848986e5947dc607ecaa222a2d0922186e	Mirai	elf mirai ua-wget
http://185.242.3.143/pXdN91.armv6l	58b186d458c28353bef4661768d909c659f7f399406f3a22a43e900166463fa3	Mirai	elf gafgyt ua-wget
http://185.242.3.143/pXdN91.i686	n/a	n/a	elf ua-wget
http://185.242.3.143/pXdN91.ppc	9034bc65224fcaebe0eed6e460129e23a038ecafcc6ee2ed86938fb785586fc6	Mirai	elf gafgyt mirai ua-wget
http://185.242.3.143/pXdN91.i586	b10272ad6b129e7409a245a60e596b45194c848fb0985461bad94a65d3db4651	Mirai	elf mirai ua-wget
http://185.242.3.143/pXdN91.m68k	66388b5108fef8ce48a788723ccdc59b69112c0a9c0ab5f19c3f44cb75175176	Gafgyt	elf gafgyt ua-wget
http://185.242.3.143/pXdN91.sparc	f429f2987bad04075b042146bcdae14ab002c637be93b31fe39b0964217e2332	Mirai	elf gafgyt mirai ua-wget
http://185.242.3.143/pXdN91.armv4l	72357f3bf1627b2b45df7e337454af60aa6f87a4e28544308b598df4d0fa4fdd	Mirai	elf gafgyt mirai ua-wget
http://185.242.3.143/pXdN91.armv5l	1d410cfe96b84f1b52da3d8c4627e022226cd1aa34d37a50d56ce8e7cd4aa592	Mirai	elf gafgyt mirai ua-wget
http://185.242.3.143/pXdN91.armv7l	6d23aa17a30f7c9e07485171ab0f5b81719cd824789e3be39ddfe51f388a9636	Gafgyt	elf gafgyt ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive medusa mirai virus

Link:

https://www.filescan.io/uploads/69829a60981ff1d38a474dcb/reports/52b280f4-5143-49b5-810d-8031eb1211a2/overview

Result

Gathering data

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/bd634d2b-93f2-4004-b120-9f34c6778149

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/4714a6681225bd25e3c9eee967bf9305f655f61fecc502270fbc177acd0ebc1c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4714a6681225bd25e3c9eee967bf9305f655f61fecc502270fbc177acd0ebc1c/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/4714a6681225bd25e3c9eee967bf9305f655f61fecc502270fbc177acd0ebc1c

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-02-04 01:01:51 UTC

File Type:

Text (Shell)

AV detection:

21 of 36 (58.33%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i4kkm2asew6sly6j53uwpp4tax3fl5q75tcqejypxqlxvtioxqoa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260204-bddbsaf15b/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/4714a6681225bd25e3c9eee967bf9305f655f61fecc502270fbc177acd0ebc1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh