MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4eb31fecafcac29addc2040a2e89174fd9f44b34444ebe05e14b5590722d5502. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt
Vendor detections: 7

SHA256 hash: 4eb31fecafcac29addc2040a2e89174fd9f44b34444ebe05e14b5590722d5502
SHA3-384 hash: 419a9fd7933e0ae5a4c1946790e8e35d8489a61beef556a4c981e084caabfb0381279a26903cc04954d437fda9069b28
SHA1 hash: 7a007f18354e577d16c37ecffa1cf883c08e0b63
MD5 hash: 25c585dc88d98179ea236c007dec72fa
humanhash: diet-video-twenty-island
File name: logsbins.sh
Signature: Gafgyt
File size: 1'666 bytes
First seen: 2025-07-11 23:55:19 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vI2rI0IYIQzIlxMlFIEIQIoIu3IUIoI4Iz:vxR1dJJ9thBFtS
TLSH: T191318FCB71721B302DE0E96F356A890475E0A08B54C79F956CEC39F940CDF847826EA7
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh
IOCs

URL | Malware sample (SHA256 hash) | Signature | Tags
http://78.142.229.12/sshd | 96190edb53a3deb5e0ce97a9475a53cf446aa7f7bb8a37a33bacea6ff30f4bd4 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/telnetd | f2ea260e52a97868ecc2dfd1c65574a190ab25bc7bb7641f5c3ca5a0a5ab5c5c | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/system | adb4c2703164ff9a69d57966856075df5b4bc2bf44c61494d569321f0eaa081d | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/ssh | 7efa7782d11f878d92e1973484bd57e957445088218524e255998ed14d57b048 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/dbus-daemon | a5cf106326ba7ba2c9519ecbe6bff3768a1941339bbdab73136916c8f316da3d | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/cron | 54fbfee5628440578cbc0e4725cf2240d9fe8c90e451b2e75142048c797240c5 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/rsyslogd | ffecefc4b22349249d29ac28c5244d401c6c17ddaea7bf6f2b8a2a6b7c62f46f | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/getty | 1181b3617d5eb24b9777445bc058e995082bcccb4f443041dc008215975a0398 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/katrina | b92987c08d436f6c62ebc2ab0eb48b9d9456bdfae45595d13da8a7430ae1be3a | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/agetty | ea4df0f8313c01810914635cafeab1a72897802a27803723f38aab4b088b7b80 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/klogd | 2b30bee44bfa2948c971896734b00e6f90ec41aec6502bad1b1c6e0e57bd9894 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/sh | 0f8a3da7dd25fb2fb1161d08838507a1a100c5940bfbd6c0116d3082bac4dae9 | Mirai | elf gafgyt mirai ua-wget
http://78.142.229.12/s | 9cbcba280aca1dea6b6458e1a26789e21162e85fdf74a5f70ea16aa84a270fbf | Mirai | elf mirai ua-wget

Intelligence

File Origin
# of uploads: 1
# of downloads: 28
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: trojandownloader trojware agent

Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-07-11 23:56:15 UTC
File Type: Text (Shell)
AV detection: 17 of 24 (70.83%)

Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:gafgyt botnet defense_evasion discovery linux
Behaviour:
  Reads runtime system information
  Writes file to tmp directory
  Changes its process name
  Reads CPU attributes
  Reads system network configuration
  Enumerates running processes
  Reads system routing table
  File and Directory Permissions Modification
  Executes dropped EXE
  Modifies Watchdog functionality

Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Web download | Gafgyt | sh | 4eb31fecafcac29addc2040a2e89174fd9f44b34444ebe05e14b5590722d5502 (this sample)

Delivery method: Distributed via web download

Comments