MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 481723abbe7eb8ca1891d7210ab4f798adeffcc304bc81ccf5065dd9dc342683. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 7



SHA256 hash: 481723abbe7eb8ca1891d7210ab4f798adeffcc304bc81ccf5065dd9dc342683
SHA3-384 hash: 27e65c2b04e152f3c40d6eb8c51da8dcad8be578a7b54f8b8fe51b73111bc991d565e86dd66478b63562330f7760f5f7
SHA1 hash: 133c73c4b5ed04456c35a68192a9aeb94a497a00
MD5 hash: 53f817650d3819a9769760b236c34f0f
humanhash: ink-pennsylvania-mexico-edward
File name: 53f817650d3819a9769760b236c34f0f
Signature: Gafgyt
File size: 76'432 bytes
First seen: 2022-01-13 14:02:10 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 1536:o/w6nOCmMyx6aN9Zft9H/HZV6uYKYpFugu+W8SMmHCSe:o46OBz6aN9JtBH2qgbXSMm
TLSH: T12C73AE72E5880E95C652C038F294DC310F33A44DA26BAEF25A9387A3545BE9CF415FF6
Reporter: zbetcheckin
Tags: 32 elf gafgyt mirai renesas
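A short triage script for a file downloaded from this entry, added here as an example and not code from MalwareBazaar or from the sample: it recomputes the four digests listed above and parses the ELF identification fields to confirm the 32-bit, little-endian SuperH layout that the renesas tag and the .sh4 name in the comment imply. The digests in ENTRY_HASHES are copied from this page; EM_SH = 0x2A is the ELF specification value for Hitachi/Renesas SuperH. The 52-byte header the script falls back to when given no path is constructed so it runs offline, which is also why that fallback correctly reports no hash match against the entry.

```python
import hashlib
import struct
import sys

# Digests copied from the MalwareBazaar entry above.
ENTRY_HASHES = {
    "sha256": "481723abbe7eb8ca1891d7210ab4f798adeffcc304bc81ccf5065dd9dc342683",
    "sha3_384": "27e65c2b04e152f3c40d6eb8c51da8dcad8be578a7b54f8b8fe51b73111bc991d565e86dd66478b63562330f7760f5f7",
    "sha1": "133c73c4b5ed04456c35a68192a9aeb94a497a00",
    "md5": "53f817650d3819a9769760b236c34f0f",
}

# ELF e_machine constant for Hitachi/Renesas SuperH (EM_SH in the ELF spec); the
# entry's "renesas" tag and the .sh4 name in the comment point at this architecture.
EM_SH = 0x2A


def compute_hashes(data: bytes) -> dict:
    """Compute the same four digests MalwareBazaar lists for a sample."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Return {algorithm: matched?} for every digest in `expected`."""
    actual = compute_hashes(data)
    return {algo: actual[algo] == digest.lower() for algo, digest in expected.items()}


def parse_elf_header(data: bytes) -> dict:
    """Read e_ident, e_type and e_machine: enough to confirm "ELF32 Little (Exe)" on SuperH."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(data[4])             # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])  # EI_DATA
    if bits is None or endian is None:
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    e_type, e_machine = struct.unpack_from("<HH" if endian == "little" else ">HH", data, 16)
    return {
        "bits": bits,
        "endian": endian,
        "e_type": e_type,          # 2 == ET_EXEC, i.e. "(Exe)" in the vendor result above
        "e_machine": e_machine,
        "is_superh": e_machine == EM_SH,
    }


def triage(data: bytes, expected: dict = ENTRY_HASHES) -> dict:
    """Combine both checks into one report for a downloaded file."""
    report = {"hashes": verify_hashes(data, expected)}
    try:
        report["elf"] = parse_elf_header(data)
    except ValueError as exc:
        report["elf"] = {"error": str(exc)}
    return report


def build_fake_elf32_header(e_machine: int = EM_SH) -> bytes:
    """Constructed 52-byte ELF32 LE executable header used as offline input; NOT the real sample."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # class=32-bit, data=LE, version=1
    fields = struct.pack("<HHIIIIIHHHHHH", 2, e_machine, 1, 0x400000, 0, 0, 0, 52, 32, 0, 40, 0, 0)
    return ident + fields


if __name__ == "__main__":
    # Real use: python triage.py <downloaded sample>; with no path, run on the constructed header.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_elf32_header()
    print(triage(blob))
```

Run it against the file obtained from the download link; every entry under "hashes" should be True before the sample is trusted to be the one this page describes, and "elf" should report 32 bits, little endian and is_superh True.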

Intelligence


File Origin
# of uploads: 1
# of downloads: 168
Origin country: n/a
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug botnet mirai obfuscated
Result
Threat name: Gafgyt Mirai
Detection: malicious
Classification: spre.troj
Score: 100 / 100
Signature
Connects to many ports of the same IP (likely port scanning)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses known network protocols on non-standard ports
Yara detected Gafgyt
Yara detected Mirai
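The first signature above, "Connects to many ports of the same IP (likely port scanning)", is a sandbox heuristic over the sample's outbound connections. The Python below is an added, independent reimplementation of that idea, not the vendor's logic (which this page does not show) and not code from the sample. It runs over a constructed connection log, flags a destination contacted on many distinct ports, and, going one step beyond the page's signature, also flags the opposite pattern of one port swept across many hosts, which is how Mirai/Gafgyt spreaders hunt for telnet. The log line format, the thresholds and the addresses (RFC 5737 documentation ranges, with 10.0.2.15 as the assumed sandbox VM) are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# One connection attempt per line; this format is constructed for the example, not a vendor's.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_connections(log_text: str) -> list:
    """Return (proto, dst_ip, dst_port) for every line that parses; malformed lines are skipped."""
    conns = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conns.append((m["proto"], m["dst"], int(m["dport"])))
    return conns


def find_port_scans(conns: list, min_ports: int = 10) -> dict:
    """Vertical scan: one destination IP contacted on >= min_ports distinct ports."""
    ports_by_dst = defaultdict(set)
    for proto, dst, dport in conns:
        ports_by_dst[(proto, dst)].add(dport)
    return {
        f"{proto}/{dst}": sorted(ports)
        for (proto, dst), ports in ports_by_dst.items()
        if len(ports) >= min_ports
    }


def find_horizontal_scans(conns: list, min_hosts: int = 10) -> dict:
    """Horizontal scan: one port tried against >= min_hosts distinct destinations
    (the telnet 23/2323 sweep typical of Mirai/Gafgyt spreaders)."""
    hosts_by_port = defaultdict(set)
    for proto, dst, dport in conns:
        hosts_by_port[(proto, dport)].add(dst)
    return {
        f"{proto}/{dport}": sorted(hosts, key=ipaddress.ip_address)
        for (proto, dport), hosts in hosts_by_port.items()
        if len(hosts) >= min_hosts
    }


# Constructed sandbox-style log: 12 ports on one host, port 23 on 12 hosts, two benign
# connections and one malformed line. Addresses are documentation ranges, not this page's IPs.
SAMPLE_LOG = "\n".join(
    [f"2022-01-13 14:05:{i:02d} TCP 10.0.2.15:{40000 + i} -> 192.0.2.10:{p}"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 2323, 8080, 8443])]
    + [f"2022-01-13 14:06:{i:02d} TCP 10.0.2.15:{41000 + i} -> 198.51.100.{i + 1}:23"
       for i in range(12)]
    + [
        "2022-01-13 14:07:00 TCP 10.0.2.15:42000 -> 203.0.113.5:443",
        "2022-01-13 14:07:01 UDP 10.0.2.15:42001 -> 203.0.113.5:53",
        "malformed line the parser must skip",
    ]
)


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    print("vertical scans:", find_port_scans(conns))
    print("horizontal scans:", find_horizontal_scans(conns))
```

Both thresholds are deliberately low for a sandbox run, where a sample gets only minutes of network time; on production flow data the distinct-port and distinct-host counts need to be windowed by time and tuned per network, or ordinary scanners and CDN fan-out will trip them.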
Behaviour
Behavior Graph: ID 552637, sample dbGGZC68ff, start date 13/01/2022, architecture LINUX, score 100. The graph itself is an image; only the following is recoverable from its rendered text.
Network: 97.66.69.180 (WINDSTREAMUS, United States), 136.27.244.91 (WEBPASSUS, United States) and 99 other IPs or domains.
Signatures on the graph root: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures.
Process tree: systemd starts gdm3 (twice), gpu-manager and 77 other processes. Within that last group the sample dbGGZC68ff is started twice and re-spawns itself; "Sample tries to kill multiple processes (SIGKILL)" is attached to the sample's own processes, "Sample reads /proc/mounts (often used for finding a writable filesystem)" and "Reads system files that contain records of logged in users" to that process group, and /var/log/wtmp (data) is listed as dropped. The remaining nodes are the sandbox desktop's own processes (gdm-session-worker, gdm-wayland-session, dbus-run-session, dbus-daemon, accounts-daemon, language-validate, language-options, sh, locale, grep).
Threat name: Linux.Trojan.Mirai
Status: Malicious
First seen: 2022-01-13 14:02:19 UTC
File Type: ELF32 Little (Exe)
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:mirai
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses
Rule name: MAL_ELF_LNX_Mirai_Oct10_2
Author: Florian Roth
Description: Detects ELF malware Mirai related
Reference: Internal Research
Rule name: MAL_ELF_LNX_Mirai_Oct10_2_RID2F3A
Author: Florian Roth
Description: Detects ELF malware Mirai related
Reference: Internal Research
Rule name: Mirai_Botnet_Malware
Author: Florian Roth
Description: Detects Mirai Botnet Malware
Reference: Internal Research
Rule name: Mirai_Botnet_Malware_RID2EF6
Author: Florian Roth
Description: Detects Mirai Botnet Malware
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: SUSP_XORed_Mozilla_RID2DB4
Author: Florian Roth
Description: Detects suspicious XORed keyword - Mozilla/5.0
Reference: Internal Research
Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags
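The two SUSP_XORed_Mozilla rules above look for the user-agent prefix Mozilla/5.0 hidden under a single-byte XOR, a cheap way for bot binaries to keep HTTP strings out of plain strings output. The Python below is an added example, not the rule text (which this page does not reproduce) and not code from the sample: it does the same search by hand, trying all 255 non-zero keys against both the ASCII and UTF-16LE forms of the keyword (what YARA's xor and wide modifiers cover), recovers the surrounding string with the key it finds, and gives a rule-style verdict. That verdict, an XORed copy present and no plaintext copy present, is an assumption about how such a rule is shaped; the buffer it runs on is constructed, not bytes from this sample.

```python
KEYWORD = b"Mozilla/5.0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR over a buffer (its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xored_keyword(buf: bytes, keyword: bytes = KEYWORD) -> list:
    """Locate every single-byte-XOR-encoded copy of `keyword`.

    Returns sorted (offset, key, encoding) tuples for keys 0x01..0xff, checking both the
    ASCII form and the UTF-16LE ("wide") form. Key 0x00 (plaintext) is deliberately excluded.
    """
    forms = {"ascii": keyword, "wide": keyword.decode("ascii").encode("utf-16-le")}
    hits = []
    for key in range(1, 256):
        for enc, plain in forms.items():
            needle = xor_bytes(plain, key)
            pos = buf.find(needle)
            while pos != -1:
                hits.append((pos, key, enc))
                pos = buf.find(needle, pos + 1)
    return sorted(hits)


def recover_xored_string(buf: bytes, offset: int, key: int) -> str:
    """Decode the printable-ASCII run surrounding an ASCII hit with the recovered key."""
    def printable(raw: int) -> bool:
        return 0x20 <= (raw ^ key) <= 0x7E

    start = end = offset
    while start > 0 and printable(buf[start - 1]):
        start -= 1
    while end < len(buf) and printable(buf[end]):
        end += 1
    return xor_bytes(buf[start:end], key).decode("ascii")


def suspicious_xored_keyword(buf: bytes, keyword: bytes = KEYWORD) -> bool:
    """Rule-style verdict (assumed shape): an XOR-encoded copy exists and no plaintext copy does."""
    plain_forms = (keyword, keyword.decode("ascii").encode("utf-16-le"))
    has_plain = any(buf.find(p) != -1 for p in plain_forms)
    return bool(find_xored_keyword(buf, keyword)) and not has_plain


# Constructed test buffer (not bytes from the real sample): ELF-like filler whose bytes decode
# to non-printable characters under the key, a user-agent string XORed with 0x5A, then a
# plaintext path a bot might also carry.
SAMPLE_KEY = 0x5A
SAMPLE_BUF = (
    b"\x7fELF\x80\x81\x82\x83"
    + xor_bytes(b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\x00", SAMPLE_KEY)
    + b"/proc/mounts\x00"
)


if __name__ == "__main__":
    for offset, key, enc in find_xored_keyword(SAMPLE_BUF):
        shown = recover_xored_string(SAMPLE_BUF, offset, key) if enc == "ascii" else "(wide hit)"
        print(f"offset={offset:#x} key={key:#04x} {enc}: {shown}")
    print("suspicious:", suspicious_xored_keyword(SAMPLE_BUF))
```

The brute force is 255 keys times two forms per buffer, which is fine for a 76 KB ELF; the recovered key is worth keeping, since the same key usually protects the rest of the binary's strings (C2 addresses, credentials lists) and decoding the whole string table with it is the natural next step.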

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Malware family: Gafgyt
File: elf 481723abbe7eb8ca1891d7210ab4f798adeffcc304bc81ccf5065dd9dc342683 (this sample)

Comments



zbet commented on 2022-01-13 14:02:11 UTC

url: hxxp://fourloko.xyz/Fourloko/Fourloko.sh4