MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a20dde1108e2bce36366f7cd3841bac7b8f30e7482bc44195ee0a9720b275da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 6



SHA256 hash: 4a20dde1108e2bce36366f7cd3841bac7b8f30e7482bc44195ee0a9720b275da
SHA3-384 hash: 89399364189aa0fe80936eec49358996c80ff22870db22b64cdf769ac0793d39aee68a5ea61c1a86fe31e3f13e850e86
SHA1 hash: 440cc2efdc15e59906fee5fcffe10c7accff9474
MD5 hash: fbef3534216eab7ba740787e33ecf41c
humanhash: crazy-whiskey-sierra-tennessee
File name: billjenkinbins.sh
Signature: Gafgyt
File size: 1'818 bytes
First seen: 2025-10-27 15:03:44 UTC
Last seen: 2025-10-27 18:30:26 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:v8b8P8lt4k8Tb8D8X8D84+8P8v38l3J8P8D8mbCoR:veS64kybOq22yO3G6GHbCG
TLSH: T1AF31B6CB71A14AB06CE5E967326B841878E6E98F15CE5F992DDC3CEE448DE04F400693
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://193.111.78.190/mips | bbe754bdc0007074a6842da135b4a769ec30baa9af19f18c6ff12faf3540cdd7 | Gafgyt | 32-bit elf gafgyt mirai Mozi
http://193.111.78.190/mipsel | b1eb759a7c7ac1830d8c04946f7740ad900fc3e31870564f83d2aaae36d9d999 | Gafgyt | 32-bit elf gafgyt mirai Mozi
http://193.111.78.190/sh4 | 8a3135a31091a9d317fbb536ed94310c307b9b493f4954953dac53d0fe60e9a4 | Gafgyt | elf gafgyt mirai
http://193.111.78.190/x86 | 5787bbb99240daa317c72428a3ac67e09b373e330d9ed5ded028dbff0cad433c | Gafgyt | 64-bit elf gafgyt mirai Mozi
http://193.111.78.190/armv7l | 381a06421c1fac9769bad62ccb5e767213fcf01387b408aceb31f4c0065ed4b2 | Mirai | elf mirai
http://193.111.78.190/armv6l | 72668ded26057a237c837010f0d418d04181a2b149ef6a930443bb9f54acd23a | Mirai | elf mirai
http://193.111.78.190/i686 | 2ff8c36c9f560f4581cadf36d0c9da4af28c05150ef7708e5f9313cfaa8834c0 | Gafgyt | elf gafgyt mirai
http://193.111.78.190/powerpc | 5eff391e4cb52d4d3af437e34577454d6e99f0cafc4a24716c1989e3917d3816 | Gafgyt | elf gafgyt mirai
http://193.111.78.190/i586 | a7c10641952b8d897ff4e9062eb9f039047cbf96cec7e0f91272e9d0575060d9 | Gafgyt | elf gafgyt mirai
http://193.111.78.190/m68k | 7dae24c931238078062cb04bf1e5da2726ba0a74f6785f229810f28882af03b0 | Gafgyt | elf gafgyt mirai
http://193.111.78.190/sparc | n/a | n/a | elf ua-wget
http://193.111.78.190/armv4l | c709533669f6d2d61cdeb1e02469621d22c1158897a8bfa2e5bd951f3705b3b6 | Gafgyt | elf gafgyt mirai
http://193.111.78.190/armv5l | 700976fd32b0e4fcb19b97198897a47d4207591bfd445ea1efa9604f9d07771c | Gafgyt | elf gafgyt mirai
http://193.111.78.190/powerpc-440fp | n/a | n/a | elf ua-wget

Intelligence


File Origin
# of uploads: 2
# of downloads: 48
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-10-27T12:34:00Z UTC
Last seen: 2025-10-28T10:24:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-10-27 14:56:56 UTC
File Type: Text (Shell)
AV detection: 25 of 38 (65.79%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:gafgyt botnet defense_evasion discovery linux
Behaviour
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Contacts a large (70509) amount of remote hosts
Creates a large amount of network flows
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Gafgyt
sh 4a20dde1108e2bce36366f7cd3841bac7b8f30e7482bc44195ee0a9720b275da (this sample)

Delivery method: Distributed via web download

Comments