MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 598869183031b582180968c6db4e8f01fc00be2f8a56f9ddae1fcec3d561305a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 598869183031b582180968c6db4e8f01fc00be2f8a56f9ddae1fcec3d561305a
SHA3-384 hash: cf5c865476c536dbacc7f63849c14dec0c412a7b4296c005047e6823d5857d4b1bcd4b5c5301b4bd7fa11d86dd3ca3d5
SHA1 hash: e3840f0d2b33fac434d3e1037236733c4f0c4e43
MD5 hash: ccedfc543f409f1e545ef91cdd7577ef
humanhash: music-one-muppet-illinois
File name:logsbins.sh
Download: download sample
Signature Gafgyt
Create hunting rule
File size:5'198 bytes
First seen:2025-10-05 09:18:48 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 48:S22nzQelxMlEXrjuaHjTFaI2rI0IYIQzIlxMlFIEIQIoIu3IUIoI4IFZc2bBeQXH:LxR1dJJ9thBFtG3H
TLSH T1A4B1AFCB71B21B302DD0E96B727A490875E4A08654C79FD568EC38F990CCE847866EB7
Magika shell
Reporter abuse_ch
Tags:gafgyt sh
URLMalware sample (SHA256 hash)SignatureTags
http://78.142.229.12/sshd93d40417b1a60b8807eb9933218f71086601be047b341c779577bc21b8f0fc64 Miraielf gafgyt mirai ua-wget
http://78.142.229.12/telnetdf611f21467ae2f4f9cbc671e6f60022237821ba8771c8808962e5b03c1ea6258 Miraielf gafgyt mirai ua-wget
http://78.142.229.12/system4add06fd7831a8f85ac0fadb1f97c6a36848a6b1107d5551e3a570eed7ea366a Miraielf gafgyt mirai ua-wget
http://78.142.229.12/ssh37040becf8aa5878cf183ad4dc8adb408175628c59b5828cd5b9d3cc99a60b85 Miraielf gafgyt mirai ua-wget
http://78.142.229.12/dbus-daemon6fe013d0ceec620ce9e20c10c9041c67c8f9238cbf5132b456b74335eed03076 Miraielf gafgyt mirai ua-wget
http://78.142.229.12/cronfc928ba3b7fb408a933c9e4854e0e74bf7de5a815818fd085e53d8b7247e5705 Miraielf gafgyt mirai ua-wget
http://78.142.229.12/rsyslogdc5251e252d8b94dac5b525ded92b0777acad9120cbf9111b76fe982d1f22370c Gafgytelf gafgyt mirai ua-wget
http://78.142.229.12/getty0c06e226c8ed6b8ea93b8c6c25b336d0f00a19d908378ee51b57b2a7abc313c5 Gafgytelf gafgyt mirai ua-wget
http://78.142.229.12/katrina253323f9c6e8f52917123fff333aeb7740e249a642a444a8c30484eae5236ab3 Miraielf gafgyt mirai ua-wget
http://78.142.229.12/agetty6adac86bf0a67c68c36d72e1e5216da5ac92062f4c51ed20afc72f2d86bf385e Gafgytelf gafgyt mirai ua-wget
http://78.142.229.12/klogddfb966237322190a59784b6e5d2a1e2fa477db2f79ed1567c51fc6e9ed1588f5 Miraielf gafgyt mirai ua-wget
http://78.142.229.12/shd75cd4210b50f78eb246762b9bb8d83a5fcdd1aac47cbddda5af123fd55781b8 Miraielf gafgyt mirai ua-wget
http://78.142.229.12/sd77dfc766af0616f59fef98f8bc82767f4b76dabc3b24cbdabd4c5d3cbd70e3f Miraielf gafgyt mirai ua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.31067.LX.BOT.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
File Type:
unix shell
First seen:
2025-10-05T07:13:00Z UTC
Last seen:
2025-10-05T09:02:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/598869183031b582180968c6db4e8f01fc00be2f8a56f9ddae1fcec3d561305a/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/65c480f8-b543-45dd-b727-b4ff05a01db7
Behavior Graph:
Download SVG
%3 guuid=dbd27566-1900-0000-ee45-25ec92130000 pid=5010 /usr/bin/sudo guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020 /tmp/sample.bin guuid=dbd27566-1900-0000-ee45-25ec92130000 pid=5010->guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020 execve guuid=37425969-1900-0000-ee45-25eca0130000 pid=5024 /usr/bin/busybox net send-data write-file guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=37425969-1900-0000-ee45-25eca0130000 pid=5024 execve guuid=9dc9566f-1900-0000-ee45-25ecb4130000 pid=5044 /usr/bin/chmod guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=9dc9566f-1900-0000-ee45-25ecb4130000 pid=5044 execve guuid=47c10770-1900-0000-ee45-25ecb6130000 pid=5046 /usr/bin/bash guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=47c10770-1900-0000-ee45-25ecb6130000 pid=5046 clone guuid=c4519473-1900-0000-ee45-25ecc0130000 pid=5056 /usr/bin/rm delete-file guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=c4519473-1900-0000-ee45-25ecc0130000 pid=5056 execve guuid=b6abf473-1900-0000-ee45-25ecc2130000 pid=5058 /usr/bin/busybox net send-data write-file guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=b6abf473-1900-0000-ee45-25ecc2130000 pid=5058 execve guuid=00f52f79-1900-0000-ee45-25ecd1130000 pid=5073 /usr/bin/chmod guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=00f52f79-1900-0000-ee45-25ecd1130000 pid=5073 execve guuid=55e4c279-1900-0000-ee45-25ecd2130000 pid=5074 /usr/bin/bash guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=55e4c279-1900-0000-ee45-25ecd2130000 pid=5074 clone guuid=5017be7a-1900-0000-ee45-25ecd8130000 pid=5080 /usr/bin/rm delete-file guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=5017be7a-1900-0000-ee45-25ecd8130000 pid=5080 execve guuid=c516327b-1900-0000-ee45-25ecd9130000 pid=5081 /usr/bin/busybox net send-data write-file guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=c516327b-1900-0000-ee45-25ecd9130000 pid=5081 execve guuid=b91e1680-1900-0000-ee45-25ecea130000 pid=5098 /usr/bin/chmod guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=b91e1680-1900-0000-ee45-25ecea130000 pid=5098 execve guuid=347b4c80-1900-0000-ee45-25ecec130000 pid=5100 /usr/bin/bash guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=347b4c80-1900-0000-ee45-25ecec130000 pid=5100 clone guuid=3441e080-1900-0000-ee45-25ecf0130000 pid=5104 /usr/bin/rm delete-file guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=3441e080-1900-0000-ee45-25ecf0130000 pid=5104 execve guuid=94225381-1900-0000-ee45-25ecf2130000 pid=5106 /usr/bin/busybox net send-data write-file guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=94225381-1900-0000-ee45-25ecf2130000 pid=5106 execve guuid=c9206d93-1900-0000-ee45-25ec07140000 pid=5127 /usr/bin/chmod guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=c9206d93-1900-0000-ee45-25ec07140000 pid=5127 execve guuid=18b2f393-1900-0000-ee45-25ec09140000 pid=5129 /tmp/ssh net guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=18b2f393-1900-0000-ee45-25ec09140000 pid=5129 execve guuid=27706294-1900-0000-ee45-25ec0f140000 pid=5135 /usr/bin/rm delete-file guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=27706294-1900-0000-ee45-25ec0f140000 pid=5135 execve guuid=5d464395-1900-0000-ee45-25ec13140000 pid=5139 /usr/bin/busybox net send-data write-file guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=5d464395-1900-0000-ee45-25ec13140000 pid=5139 execve guuid=d6a04e9a-1900-0000-ee45-25ec17140000 pid=5143 /usr/bin/chmod guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=d6a04e9a-1900-0000-ee45-25ec17140000 pid=5143 execve guuid=36d5df9a-1900-0000-ee45-25ec18140000 pid=5144 /usr/bin/bash guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=36d5df9a-1900-0000-ee45-25ec18140000 pid=5144 clone guuid=8f93019e-1900-0000-ee45-25ec1e140000 pid=5150 /usr/bin/rm delete-file guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=8f93019e-1900-0000-ee45-25ec1e140000 pid=5150 execve guuid=5580539e-1900-0000-ee45-25ec20140000 pid=5152 /usr/bin/busybox net send-data write-file guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=5580539e-1900-0000-ee45-25ec20140000 pid=5152 execve guuid=e05c47a3-1900-0000-ee45-25ec30140000 pid=5168 /usr/bin/chmod guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=e05c47a3-1900-0000-ee45-25ec30140000 pid=5168 execve guuid=7d1ebda3-1900-0000-ee45-25ec34140000 pid=5172 /tmp/cron net guuid=2850f068-1900-0000-ee45-25ec9c130000 pid=5020->guuid=7d1ebda3-1900-0000-ee45-25ec34140000 pid=5172 execve fa5e6e18-6423-542e-b688-04184acfc2bd 78.142.229.12:80 guuid=37425969-1900-0000-ee45-25eca0130000 pid=5024->fa5e6e18-6423-542e-b688-04184acfc2bd send: 80B guuid=b6abf473-1900-0000-ee45-25ecc2130000 pid=5058->fa5e6e18-6423-542e-b688-04184acfc2bd send: 83B guuid=c516327b-1900-0000-ee45-25ecd9130000 pid=5081->fa5e6e18-6423-542e-b688-04184acfc2bd send: 82B guuid=94225381-1900-0000-ee45-25ecf2130000 pid=5106->fa5e6e18-6423-542e-b688-04184acfc2bd send: 79B 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=18b2f393-1900-0000-ee45-25ec09140000 pid=5129->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con guuid=980f3f94-1900-0000-ee45-25ec0a140000 pid=5130 /tmp/ssh write-file zombie guuid=18b2f393-1900-0000-ee45-25ec09140000 pid=5129->guuid=980f3f94-1900-0000-ee45-25ec0a140000 pid=5130 clone guuid=454e4394-1900-0000-ee45-25ec0b140000 pid=5131 /tmp/ssh zombie guuid=18b2f393-1900-0000-ee45-25ec09140000 pid=5129->guuid=454e4394-1900-0000-ee45-25ec0b140000 pid=5131 clone guuid=869d4994-1900-0000-ee45-25ec0c140000 pid=5132 /tmp/ssh guuid=18b2f393-1900-0000-ee45-25ec09140000 pid=5129->guuid=869d4994-1900-0000-ee45-25ec0c140000 pid=5132 clone guuid=bd23f994-1900-0000-ee45-25ec11140000 pid=5137 /usr/bin/dash guuid=980f3f94-1900-0000-ee45-25ec0a140000 pid=5130->guuid=bd23f994-1900-0000-ee45-25ec11140000 pid=5137 execve guuid=e33929a0-1900-0000-ee45-25ec26140000 pid=5158 /usr/bin/dash guuid=980f3f94-1900-0000-ee45-25ec0a140000 pid=5130->guuid=e33929a0-1900-0000-ee45-25ec26140000 pid=5158 execve guuid=1b7f07a2-1900-0000-ee45-25ec2b140000 pid=5163 /usr/bin/dash guuid=980f3f94-1900-0000-ee45-25ec0a140000 pid=5130->guuid=1b7f07a2-1900-0000-ee45-25ec2b140000 pid=5163 execve guuid=9c676ba3-1900-0000-ee45-25ec31140000 pid=5169 /usr/bin/dash guuid=980f3f94-1900-0000-ee45-25ec0a140000 pid=5130->guuid=9c676ba3-1900-0000-ee45-25ec31140000 pid=5169 execve guuid=786146a4-1900-0000-ee45-25ec37140000 pid=5175 /usr/bin/dash guuid=980f3f94-1900-0000-ee45-25ec0a140000 pid=5130->guuid=786146a4-1900-0000-ee45-25ec37140000 pid=5175 execve guuid=b94e12a5-1900-0000-ee45-25ec3c140000 pid=5180 /usr/bin/dash guuid=980f3f94-1900-0000-ee45-25ec0a140000 pid=5130->guuid=b94e12a5-1900-0000-ee45-25ec3c140000 pid=5180 execve guuid=acb104a6-1900-0000-ee45-25ec40140000 pid=5184 /usr/bin/dash guuid=980f3f94-1900-0000-ee45-25ec0a140000 pid=5130->guuid=acb104a6-1900-0000-ee45-25ec40140000 pid=5184 execve guuid=02c5d8a6-1900-0000-ee45-25ec45140000 pid=5189 /usr/bin/dash guuid=980f3f94-1900-0000-ee45-25ec0a140000 pid=5130->guuid=02c5d8a6-1900-0000-ee45-25ec45140000 pid=5189 execve guuid=32544e94-1900-0000-ee45-25ec0d140000 pid=5133 /tmp/ssh net send-data zombie guuid=869d4994-1900-0000-ee45-25ec0c140000 pid=5132->guuid=32544e94-1900-0000-ee45-25ec0d140000 pid=5133 clone 6f711740-a9cc-5716-b8b7-a732833df8c0 176.65.139.133:65481 guuid=32544e94-1900-0000-ee45-25ec0d140000 pid=5133->6f711740-a9cc-5716-b8b7-a732833df8c0 send: 9B guuid=cff33f95-1900-0000-ee45-25ec12140000 pid=5138 /usr/bin/pgrep guuid=bd23f994-1900-0000-ee45-25ec11140000 pid=5137->guuid=cff33f95-1900-0000-ee45-25ec12140000 pid=5138 execve guuid=5d464395-1900-0000-ee45-25ec13140000 pid=5139->fa5e6e18-6423-542e-b688-04184acfc2bd send: 87B guuid=5580539e-1900-0000-ee45-25ec20140000 pid=5152->fa5e6e18-6423-542e-b688-04184acfc2bd send: 80B guuid=524b78a0-1900-0000-ee45-25ec27140000 pid=5159 /usr/bin/killall guuid=e33929a0-1900-0000-ee45-25ec26140000 pid=5158->guuid=524b78a0-1900-0000-ee45-25ec27140000 pid=5159 execve guuid=c4d85da2-1900-0000-ee45-25ec2d140000 pid=5165 /usr/bin/killall guuid=1b7f07a2-1900-0000-ee45-25ec2b140000 pid=5163->guuid=c4d85da2-1900-0000-ee45-25ec2d140000 pid=5165 execve guuid=fc9694a3-1900-0000-ee45-25ec33140000 pid=5171 /usr/bin/killall guuid=9c676ba3-1900-0000-ee45-25ec31140000 pid=5169->guuid=fc9694a3-1900-0000-ee45-25ec33140000 pid=5171 execve 51a46072-ca05-5ef4-a6ba-28d0e14febf8 0.0.0.0:65480 guuid=7d1ebda3-1900-0000-ee45-25ec34140000 pid=5172->51a46072-ca05-5ef4-a6ba-28d0e14febf8 con guuid=cd6f6fa4-1900-0000-ee45-25ec39140000 pid=5177 /usr/bin/killall guuid=786146a4-1900-0000-ee45-25ec37140000 pid=5175->guuid=cd6f6fa4-1900-0000-ee45-25ec39140000 pid=5177 execve guuid=733c55a5-1900-0000-ee45-25ec3d140000 pid=5181 /usr/bin/killall guuid=b94e12a5-1900-0000-ee45-25ec3c140000 pid=5180->guuid=733c55a5-1900-0000-ee45-25ec3d140000 pid=5181 execve guuid=d88228a6-1900-0000-ee45-25ec42140000 pid=5186 /usr/bin/killall guuid=acb104a6-1900-0000-ee45-25ec40140000 pid=5184->guuid=d88228a6-1900-0000-ee45-25ec42140000 pid=5186 execve guuid=6b5bffa6-1900-0000-ee45-25ec47140000 pid=5191 /usr/bin/killall guuid=02c5d8a6-1900-0000-ee45-25ec45140000 pid=5189->guuid=6b5bffa6-1900-0000-ee45-25ec47140000 pid=5191 execve
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/598869183031b582180968c6db4e8f01fc00be2f8a56f9ddae1fcec3d561305a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/598869183031b582180968c6db4e8f01fc00be2f8a56f9ddae1fcec3d561305a/
Threat name:
Linux.Trojan.Geninst
Create hunting rule
Status:
Malicious
First seen:
2025-10-05 09:19:33 UTC
File Type:
Text (Shell)
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgegsgbqgg2yegajnddnwtupah6abprprjlptxnod7hmhvlbgbna._file
Result
Malware family:
gafgyt
Create hunting rule
Score:
  10/10
Tags:
family:gafgyt antivm botnet defense_evasion discovery linux
Link:
https://tria.ge/reports/251005-ladhgsdp6y/
Behaviour
Reads runtime system information
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads CPU attributes
Reads system network configuration
Enumerates running processes
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Writes memory of remote process
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/598869183031b582180968c6db4e8f01fc00be2f8a56f9ddae1fcec3d561305a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh 598869183031b582180968c6db4e8f01fc00be2f8a56f9ddae1fcec3d561305a

(this sample)

Mirai

elf 96190edb53a3deb5e0ce97a9475a53cf446aa7f7bb8a37a33bacea6ff30f4bd4

  
URLhaus
https://urlhaus.abuse.ch/url/3576542/
  
Delivery method
Distributed via web download
  
Dropping
MD5 534c7a8fdf800990393740dcf4fd4a36
  
Dropping
SHA256 96190edb53a3deb5e0ce97a9475a53cf446aa7f7bb8a37a33bacea6ff30f4bd4

Comments