MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b36a87f1cf4d953e6ab87ec7a33d875564e3669574ce5e9ebcd281523a09cd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	4b36a87f1cf4d953e6ab87ec7a33d875564e3669574ce5e9ebcd281523a09cd1
SHA3-384 hash:	24379570708971f8c23c6c22930e16ecc3936d5a1f44f4662590d3f592d3ff8dfd059e32ff9881147165f06f2a6c9e76
SHA1 hash:	87ad7b2c3b2e3f9d464ab2d44ba9178929a00572
MD5 hash:	3cc54d96ed956d9a230ea3512a2551ba
humanhash:	six-seven-friend-stream
File name:	Cia.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	1'825 bytes
First seen:	2026-06-11 02:49:10 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:I9LoBBtg7PZgLgMghTgEbDYN4pGC1r/oHhCNIZw/Nkg/wKRoPEDvuPX9:ScB8GR0xbcc17oHo/N5YUoMD2F
TLSH	T1E93114DB3011A833B57DEA5FB7BAE5985010C5F63297FB53ED894975CC89B183389A00
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	gafgyt sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://150.40.127.154/FBI.x86_64	18be43df55ff6bd73ba34df1fcb08132a40a98de1cc4365be335f4a1cdfed0d9	Gafgyt	elf gafgyt mirai ua-wget x86
http://150.40.127.154/FBI.x86	8dcc6d4480266b140eb989d6cbe68cb58352710933cd0b735366cf00644c44f0	Gafgyt	elf gafgyt mirai ua-wget x86
http://150.40.127.154/FBI.i686	8d808fb89a9f9b6428090e4b371715bc552e4db4ef4e09c814b0b8be374b729c	Gafgyt	elf gafgyt mirai ua-wget x86
http://150.40.127.154/FBI.mips	a60e41c57e3931dcee1520e1401e404302b643e43cb72470e8e79cf351f5852b	Gafgyt	elf gafgyt mips mirai ua-wget
http://150.40.127.154/FBI.mipsel	b6b0dccf402d349d93ed1220675be4d63fd506e1a207732924a98caea8813ce9	Gafgyt	elf gafgyt mips mirai ua-wget
http://150.40.127.154/FBI.arm	f398e8417f7f1d5fde48772b954abf2c13c186ebf315f44627b9a9f804613191	Gafgyt	arm elf gafgyt mirai ua-wget
http://150.40.127.154/FBI.arm5	3e85e94ea0fc1e9eb741c123cdbff847ca194a6964e611acb715f22dc705298b	Gafgyt	arm elf gafgyt mirai ua-wget
http://150.40.127.154/FBI.arm6	3b02909d869aa642bc90ed51a9b45331d49bd66316a96e41ff63d75a1bffdc96	Gafgyt	arm elf gafgyt mirai ua-wget
http://150.40.127.154/FBI.arm7	02b4a57b68781020a57ff60e673617ee23f1a0b85b46bfc390e9608db27a3501	Gafgyt	arm elf gafgyt mirai ua-wget
http://150.40.127.154/FBI.ppc	05c778187ff079456fead10405ab911f31fa40a6a501178f34245c13ae737f09	Gafgyt	elf gafgyt mirai PowerPC ua-wget
http://150.40.127.154/FBI.m68k	3704c29dbde14a3daa1c739197e4c0ae5ebbf91594f686a1be3dbaf5a95ff00d	Gafgyt	elf gafgyt m68k mirai ua-wget
http://150.40.127.154/FBI.sh4	793e22e2643231deab714c4c4a309d6ba9c0424fa41a320bfa72f42aad3fa5a7	Gafgyt	elf gafgyt mirai SuperH ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

SecuriteInfo.com.Linux.Downloader-35.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-06-11T00:01:00Z UTC

Last seen:

2026-06-12T18:38:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/4b36a87f1cf4d953e6ab87ec7a33d875564e3669574ce5e9ebcd281523a09cd1/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/32a1cb71-1c2b-42a8-85f3-039f7d7272a8

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/4b36a87f1cf4d953e6ab87ec7a33d875564e3669574ce5e9ebcd281523a09cd1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4b36a87f1cf4d953e6ab87ec7a33d875564e3669574ce5e9ebcd281523a09cd1/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/4b36a87f1cf4d953e6ab87ec7a33d875564e3669574ce5e9ebcd281523a09cd1

Threat name:

Linux.Trojan.Geninst

Status:

Malicious

First seen:

2026-06-11 02:50:42 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jm3kq7y46tmvhzvlq7whum6yovle4ntjk5gol2plzuubki5attiq._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt antivm botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260611-da81dsht5t/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

Checks CPU configuration

Creates a large amount of network flows

File and Directory Permissions Modification

Executes dropped EXE

Writes DNS configuration

Detects Yakuza Botnet, DDoS module

Family: Gafgyt/Bashlite

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.11

Link:

https://yomi.yoroi.company/submissions/4b36a87f1cf4d953e6ab87ec7a33d875564e3669574ce5e9ebcd281523a09cd1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh