MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ca0bed06b06c3555cb25f1ec8cdfe06a06d073c8b61ab2fcefbbb87d3dcdbb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 6



SHA256 hash: 5ca0bed06b06c3555cb25f1ec8cdfe06a06d073c8b61ab2fcefbbb87d3dcdbb0
SHA3-384 hash: 71f7e9ac0b04ddae80d7c2d8418e2c622098dc62b1713bfa05ba76bc523f911530f47361eca033dfbf8c9447c48da788
SHA1 hash: f938b86162daf0a3f85d41ba0ed073cfd75ed88c
MD5 hash: 36c56611b353cedb7458044214183cec
humanhash: jersey-gee-neptune-july
File name: beacon.x86_64_musl
Signature: Gafgyt
File size: 639'568 bytes
First seen: 2026-02-20 16:33:47 UTC
Last seen: Never
File type: elf
MIME type: application/x-sharedlib
ssdeep: 12288:hD0ck7CXRVA8S55ft7YyuLtOfpRYmedilnGG:hDY7CXRO8SvtcyuLMplnZ
TLSH: T1CDD47D17B35164ACE59EC03487CF82B2DA6AF86502153B7B3BE4A7302E35CA15B5E713
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12); 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf gafgyt

Intelligence


File Origin
# of uploads: 1
# of downloads: 53
Origin country: DE
Vendor Threat Intelligence
No detections
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 0
Number of processes launched: 2
Processes remaining?: false
Remote TCP ports scanned: 8080, 23, 2323
Behaviour: no suspicious findings
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Status: terminated
Behavior Graph (process tree and network connections recorded by the sandbox):
  /usr/bin/sudo (pid 3174) --execve--> /tmp/sample.bin (pid 3180): delete-file, write-file
  /tmp/sample.bin (pid 3180) --clone--> /tmp/sample.bin (pid 3181): net
  /tmp/sample.bin (pid 3181) connects to ports 80, 8080, 23 and 2323 on each of:
    217.23.137.98
    182.211.158.231
    145.195.177.92
    86.100.166.182
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 48 / 100
Signature:
  Connects to many ports of the same IP (likely port scanning)
  Sample deletes itself
Behaviour
Behavior Graph: not provided
Threat name: Linux.Backdoor.Gafgyt
Status: Malicious
First seen: 2026-02-20 16:28:12 UTC
File Type: ELF64 Little (SO)
AV detection: 8 of 23 (34.78%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion linux
Behaviour:
  Deletes itself
  Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ProgramLanguage_Rust
Author: albertzsigovits
Description: Application written in Rust programming language

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Gafgyt
elf 5ca0bed06b06c3555cb25f1ec8cdfe06a06d073c8b61ab2fcefbbb87d3dcdbb0 (this sample)

Delivery method: Distributed via web download

Comments