MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bd97bf65e5c6c34efdb38f3ea2617370b663125e89979d93b581b7ed7c593dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5bd97bf65e5c6c34efdb38f3ea2617370b663125e89979d93b581b7ed7c593dc
SHA3-384 hash: e1b8d17ead52cd1a18cd42b2b3dbe080f25562b23795f969085539ad19850b6d2f38afd71eb4482f7357450a45d57567
SHA1 hash: 5c83da9a425bc2d89c0b589eed4c8dbbe5d9509c
MD5 hash: f40781c9cb0aeda8cbb43fd16bb42498
humanhash: golf-beer-oscar-hawaii
File name:redis-daemon
Download: download sample
Signature Gafgyt
Create hunting rule
File size:104'532 bytes
First seen:2026-04-26 13:19:41 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:NzbqrIGlpY/u4QKIkHudZTvc2WCWNl9ggG6:NzbGlYvQWHStLID9ggG6
TLSH T1D1A3121F69640F79CEB039F9A0B277AC682DD4DD4DE473DFEAA21BA411EB08100C5728
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter BlinkzSec
Tags:gafgyt

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
SK SK
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Changes access rights for a written file
Deleting a recently created file
Kills processes
Launching a process
Creating a file in the %temp% directory
Collects information on the CPU
Manages services
Creating a file
Sets a written file as executable
Changes the time when the file was created, accessed, or modified
Opens a port
Creates or modifies files in /cron to set up autorun
Deleting of the original file
Gathering data
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
custom
Botnet:
unknown
Number of open files:
1
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/5bd97bf65e5c6c34efdb38f3ea2617370b663125e89979d93b581b7ed7c593dc
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Clean
File Type:
elf.64.le
First seen:
2026-04-26T11:22:00Z UTC
Last seen:
2026-04-26T11:37:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/5bd97bf65e5c6c34efdb38f3ea2617370b663125e89979d93b581b7ed7c593dc/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/6b9cf9f4-b4ac-482f-bffa-ae81bfd8e3cd
Behavior Graph:
Download SVG
%3 guuid=efe73c8f-1900-0000-19e3-cd7126080000 pid=2086 /usr/bin/sudo guuid=e3c6ad91-1900-0000-19e3-cd712c080000 pid=2092 /tmp/sample.bin delete-file net write-config write-file guuid=efe73c8f-1900-0000-19e3-cd7126080000 pid=2086->guuid=e3c6ad91-1900-0000-19e3-cd712c080000 pid=2092 execve ffee5cfb-bb94-52c2-8935-ae3a87e774db 127.0.0.1:42780 guuid=e3c6ad91-1900-0000-19e3-cd712c080000 pid=2092->ffee5cfb-bb94-52c2-8935-ae3a87e774db con d1396421-b225-5028-b23a-a9ff948f3579 176.65.148.160:443 guuid=e3c6ad91-1900-0000-19e3-cd712c080000 pid=2092->d1396421-b225-5028-b23a-a9ff948f3579 con guuid=520fa393-1900-0000-19e3-cd712f080000 pid=2095 /tmp/sample.bin guuid=e3c6ad91-1900-0000-19e3-cd712c080000 pid=2092->guuid=520fa393-1900-0000-19e3-cd712f080000 pid=2095 clone guuid=1a610c94-1900-0000-19e3-cd7132080000 pid=2098 /usr/bin/dash guuid=e3c6ad91-1900-0000-19e3-cd712c080000 pid=2092->guuid=1a610c94-1900-0000-19e3-cd7132080000 pid=2098 execve guuid=180fc2d7-1900-0000-19e3-cd71f1080000 pid=2289 /usr/bin/dash guuid=e3c6ad91-1900-0000-19e3-cd712c080000 pid=2092->guuid=180fc2d7-1900-0000-19e3-cd71f1080000 pid=2289 execve guuid=f9c3eca5-1a00-0000-19e3-cd71840a0000 pid=2692 /usr/bin/dash guuid=e3c6ad91-1900-0000-19e3-cd712c080000 pid=2092->guuid=f9c3eca5-1a00-0000-19e3-cd71840a0000 pid=2692 execve guuid=0a4c3aa6-1a00-0000-19e3-cd71870a0000 pid=2695 /usr/bin/dash guuid=e3c6ad91-1900-0000-19e3-cd712c080000 pid=2092->guuid=0a4c3aa6-1a00-0000-19e3-cd71870a0000 pid=2695 execve guuid=b91daa93-1900-0000-19e3-cd7130080000 pid=2096 /tmp/sample.bin guuid=520fa393-1900-0000-19e3-cd712f080000 pid=2095->guuid=b91daa93-1900-0000-19e3-cd7130080000 pid=2096 clone guuid=9fb791a6-1a00-0000-19e3-cd71890a0000 pid=2697 /tmp/sample.bin guuid=520fa393-1900-0000-19e3-cd712f080000 pid=2095->guuid=9fb791a6-1a00-0000-19e3-cd71890a0000 pid=2697 clone guuid=a1c65f94-1900-0000-19e3-cd7134080000 pid=2100 /usr/bin/systemctl guuid=1a610c94-1900-0000-19e3-cd7132080000 pid=2098->guuid=a1c65f94-1900-0000-19e3-cd7134080000 pid=2100 execve guuid=118ee7d7-1900-0000-19e3-cd71f2080000 pid=2290 /usr/bin/systemctl guuid=180fc2d7-1900-0000-19e3-cd71f1080000 pid=2289->guuid=118ee7d7-1900-0000-19e3-cd71f2080000 pid=2290 execve guuid=23ec19a6-1a00-0000-19e3-cd71850a0000 pid=2693 /usr/bin/dash guuid=f9c3eca5-1a00-0000-19e3-cd71840a0000 pid=2692->guuid=23ec19a6-1a00-0000-19e3-cd71850a0000 pid=2693 clone guuid=c8c172a6-1a00-0000-19e3-cd71880a0000 pid=2696 /usr/bin/dash guuid=0a4c3aa6-1a00-0000-19e3-cd71870a0000 pid=2695->guuid=c8c172a6-1a00-0000-19e3-cd71880a0000 pid=2696 clone
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/595549d5-ec43-47b5-986c-72fd6dcd8f6a
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/5bd97bf65e5c6c34efdb38f3ea2617370b663125e89979d93b581b7ed7c593dc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5bd97bf65e5c6c34efdb38f3ea2617370b663125e89979d93b581b7ed7c593dc/
Verdict:
Malicious
Threat:
Family.GAFGYT
Link:
https://tip.neiki.dev/file/5bd97bf65e5c6c34efdb38f3ea2617370b663125e89979d93b581b7ed7c593dc
Threat name:
Linux.Backdoor.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2026-04-26 13:16:43 UTC
File Type:
ELF64 Little (Exe)
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lpmxx5s6lrwdj363hdz6ujqxg4fwmmjf5cmxtwj3lanx5v6fspoa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm defense_evasion discovery execution linux persistence privilege_escalation
Link:
https://tria.ge/reports/260426-qlgfqsft6y/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to tmp directory
Checks CPU configuration
Creates/modifies Cron job
Enumerates running processes
Modifies systemd
Reads MAC address of network interface
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:upx_antiunpack_elf64
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:UPX Anti-Unpacking technique to magic renamed for ELF64

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf 5bd97bf65e5c6c34efdb38f3ea2617370b663125e89979d93b581b7ed7c593dc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3832105/
  
Delivery method
Distributed via web download

Comments