MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47b6dfc07a4ce2522a338e98ee97946f5cd74e92ea376b12105707f30d372ac8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7



SHA256 hash: 47b6dfc07a4ce2522a338e98ee97946f5cd74e92ea376b12105707f30d372ac8
SHA3-384 hash: 8979ceb399f5791c539620bc112f35749d21a168147c0be4103fae39ac537d1b84c335fd74b917a2951501057892480b
SHA1 hash: 624c5653bca79a9d65746c2d7502c7fa2d7aab45
MD5 hash: 67e94b9b6bdd9c65196fb67d8831d385
humanhash: item-mississippi-whiskey-johnny
File name: dvr.sh
Signature: Gafgyt
File size: 657 bytes
First seen: 2026-01-28 16:30:19 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:t9ILJoZDSLJhHWFLsySLshHWFLPBzvSLPBzMHWFLPnIjDSLPnIMHWFLPiDSLPDH5:t9ICZeTWFw5wRWF9z69zGWFzJzhWFGeJ
TLSH: T1D8019AEF01A44C6D1184FA4EF9F24E75A80A7ADD64C50F4C5A8F2C39398D918B835F59
Magika: batch
Reporter: abuse_ch
Tags: sh

URL | Malware sample (SHA256 hash) | Signature | Tags
http://109.104.155.24/mips | bc2c976b2c941af732b52616213c6a7f458b01da347584130d21311081ef16ba | Gafgyt | 32-bit elf gafgyt Mozi
http://109.104.155.24/mpsl | 98557cec055651f889da1f26702c44fa50f0e5642989952da27d773aff772378 | Mirai | elf mirai ua-wget
http://109.104.155.24/arm4 | 2d7ce7864ad741bb5f3a19f76d764a28d2c9bf91105f1ca3ed07cd8237c0ad9f | Mirai | elf mirai ua-wget
http://109.104.155.24/arm5 | 7b9b305cbab120d4588f812655f1820437d32722d640719df33a98518f15015d | Mirai | elf mirai ua-wget
http://109.104.155.24/arm7 | 501e45d500b14839b759dffb7a80e6a549f4274a75cbceb074b19ca60341dd96 | Mirai | elf mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 48
Origin country: DE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 bash busybox evasive lolbin mirai

Verdict: Malicious
File Type: text
First seen: 2026-01-28T13:37:00Z UTC
Last seen: 2026-01-28T23:31:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-Downloader.Shell.Agent.p, HEUR:Trojan-Downloader.Shell.Agent.a
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent

Threat name: Win32.Trojan.Egairtigado
Status: Malicious
First seen: 2026-01-28 16:24:17 UTC
File Type: Text (Shell)
AV detection: 9 of 24 (37.50%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gafgyt
File type: sh
SHA256 hash: 47b6dfc07a4ce2522a338e98ee97946f5cd74e92ea376b12105707f30d372ac8 (this sample)

Comments