MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e243485479cd1bbbf85df2415ecf4f8daec7d4c3d5db980da1cb2394e4d8c42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 5



SHA256 hash: 5e243485479cd1bbbf85df2415ecf4f8daec7d4c3d5db980da1cb2394e4d8c42
SHA3-384 hash: e99ff2da2b6be615c25f6184cb3c50417fac5053c41778e7adb507f1715a416fb44f35aff8e28de3c4e574f4864f37f0
SHA1 hash: 6cf12f01cf640fe7bfadadf3ad2743ec8f536582
MD5 hash: 655328426e6ec080ca67376bf0a907c1
humanhash: lion-don-hot-magnesium
File name: adb.sh
Signature: Gafgyt
File size: 846 bytes
First seen: 2025-07-09 05:05:45 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:NLGEULHnWKDbnPZu7Lx7oDNkp73Nvx73NMDNkp73WyTx73WygDNkp7pZDx7gDNkj:sEULWIbchOkpZpZmkp1ikp1Z1WkpU7kj
TLSH: T1740125CF21528890D84198D936924818F04EF7D536CF8E8CEBCF4532E96ED143542F69
Magika: txt
Reporter: abuse_ch
Tags: sh
Payload URLs observed in this sample (one ELF per CPU architecture, all served from the same host; "n/a" = hash not recorded):

URL | Malware sample (SHA256 hash) | Signature | Tags
http://158.51.126.131/aarch64 | 0c766c4045cae778660942afa27b463f948994e92628ac80a8b872d40c48909c | Mirai | elf gafgyt mirai ua-wget
http://158.51.126.131/armv5l | 506a3e39a46d0e6d13ba89dd5a6fe2aa81c5122db15742d4ce509a3c0738ff01 | Mirai | elf gafgyt mirai ua-wget
http://158.51.126.131/armv7l | 69c12ce6f569adfaa217f1ebd365b727e3d2f882f22ef10169c8dc7ad3a05f4e | Mirai | elf gafgyt mirai ua-wget
http://158.51.126.131/mips | n/a | n/a | elf gafgyt mirai ua-wget
http://158.51.126.131/mipsel | 68b7a90ca3d6b4034d4428ee1483178d9a69171090087523ecd8d2314aa60603 | Mirai | elf gafgyt mirai ua-wget
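The URL table above is the part of this entry a defender actually hunts with: one distribution host, five architecture-named paths, four recorded payload hashes. The following is an added example, not MalwareBazaar code, that turns the table into an IOC index and runs it over proxy-style log lines. The table rows are copied from the entry; the log lines, client addresses and the Squid-like line layout are constructed for the demonstration. Note how the mips row, which has no recorded hash, still contributes a URL indicator, and how defanged input (hxxp, [.]) is normalised before matching.

```python
"""IOC index built from the payload-URL table of this MalwareBazaar entry.

Added example, not code from MalwareBazaar.  PAYLOAD_TABLE is copied from the
entry; PROXY_LOG and the client IPs in it are constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

# URL | SHA256 | signature | tags, as listed on the entry.  "n/a" = not recorded.
PAYLOAD_TABLE = """\
http://158.51.126.131/aarch64 | 0c766c4045cae778660942afa27b463f948994e92628ac80a8b872d40c48909c | Mirai | elf gafgyt mirai ua-wget
http://158.51.126.131/armv5l | 506a3e39a46d0e6d13ba89dd5a6fe2aa81c5122db15742d4ce509a3c0738ff01 | Mirai | elf gafgyt mirai ua-wget
http://158.51.126.131/armv7l | 69c12ce6f569adfaa217f1ebd365b727e3d2f882f22ef10169c8dc7ad3a05f4e | Mirai | elf gafgyt mirai ua-wget
http://158.51.126.131/mips | n/a | n/a | elf gafgyt mirai ua-wget
http://158.51.126.131/mipsel | 68b7a90ca3d6b4034d4428ee1483178d9a69171090087523ecd8d2314aa60603 | Mirai | elf gafgyt mirai ua-wget
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_table(text):
    """Return one dict per row: url, host, path, sha256 (None if n/a), signature, tags."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url, sha, sig, tags = [c.strip() for c in line.split("|")]
        sha = None if sha == "n/a" else sha.lower()
        if sha is not None and not SHA256_RE.match(sha):
            raise ValueError(f"malformed SHA256 in row: {line}")
        u = urlparse(url)
        rows.append({"url": url, "host": u.hostname, "path": u.path, "sha256": sha,
                     "signature": None if sig == "n/a" else sig, "tags": tags.split()})
    return rows


def build_index(rows):
    """Three lookup sets: (host, path) pairs, bare IPv4 hosts, SHA256 digests."""
    idx = {"urls": set(), "ips": set(), "sha256": set()}
    for r in rows:
        idx["urls"].add((r["host"], r["path"]))
        try:
            ipaddress.IPv4Address(r["host"])
            idx["ips"].add(r["host"])
        except ValueError:          # hostname, not a literal address
            pass
        if r["sha256"]:
            idx["sha256"].add(r["sha256"])
    return idx


def refang(s):
    """Undo the usual defanging (hxxp, [.], [:]) so shared IOCs match raw logs."""
    return s.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def match_url(idx, url):
    """'url' for a listed payload path, 'ip' for any other path on a listed
    host, None otherwise.  Scheme and port are ignored on purpose: the same
    host may serve the same files on another port."""
    u = urlparse(refang(url))
    if (u.hostname, u.path) in idx["urls"]:
        return "url"
    if u.hostname in idx["ips"]:
        return "ip"
    return None


def match_hash(idx, digest):
    return digest.strip().lower() in idx["sha256"]


def scan_proxy_log(idx, lines):
    """Constructed Squid-style lines: '<ts> <client> <method> <url> <status>'.
    Returns (client, url, verdict) for each hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        verdict = match_url(idx, parts[3])
        if verdict:
            hits.append((parts[1], parts[3], verdict))
    return hits


# Constructed log: two listed payloads (one defanged), one other path on the
# distribution host, one unrelated request.
PROXY_LOG = [
    "1752037545 10.0.0.7 GET http://158.51.126.131/armv7l 200",
    "1752037546 10.0.0.7 GET hxxp://158[.]51[.]126[.]131/mips 200",
    "1752037550 10.0.0.9 GET http://158.51.126.131:8080/x86 404",
    "1752037551 10.0.0.9 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    index = build_index(parse_table(PAYLOAD_TABLE))
    for hit in scan_proxy_log(index, PROXY_LOG):
        print(hit)
```

The host-level match ("ip") is deliberately weaker than the exact-URL match: a Mirai/Gafgyt distribution host typically serves more architectures than any one dropper fetches, so a request for an unlisted path on a listed host is worth an alert even though it is not in the table.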

Intelligence

File Origin
# of uploads: 1
# of downloads: 29
Origin country: DE
Vendor Threat Intelligence
Status: terminated
Behavior Graph (process tree recovered from the graph export; pids are from the sandbox run):
/usr/bin/sudo (pid 2726)
  execve -> /tmp/sample.bin (pid 2732)
    execve -> /usr/bin/su (pid 2734)
    then five repetitions, in pid order, of:
      clone -> /usr/bin/dash (pids 2737, 2831, 2929, 3017, 3167)
        execve -> /usr/bin/wget (pids 2738, 2832, 2930, 3018, 3168): net, send-data, write-file; each connects to 158.51.126.131:80 and sends 136, 135, 135, 133 and 135 bytes respectively
      execve -> /usr/bin/chmod (pids 2822, 2925, 3012, 3161, 3223)
      clone -> /usr/bin/dash (pids 2824, 2926, 3014, 3162, 3224)
The five wget requests go to the host in the URL table above, and their sizes differ by exactly the length of the five paths taken in table order (aarch64, armv5l, armv7l, mips, mipsel), consistent with one fetch per listed URL.
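The recovered tree is the detectable shape of this dropper: a shell that repeatedly spawns a fetcher toward one host, runs chmod after each fetch, and spawns another shell. Below is an added example of a behavioural check over that shape; it is neither MalwareBazaar nor vendor-sandbox code. The process and network events are constructed from the pids, parent links and 158.51.126.131:80 connections in the graph export. The export carries no argv and no timestamps, so the logic uses only executable names, the tree and the network destinations, and orders events by pid (monotonic in this trace; an assumption). The MIN_FETCHES threshold, the ppid 0 for the sandbox's sudo wrapper and the benign control tree are also assumptions.

```python
"""Behavioural detection for the fetch -> chmod -> shell loop recorded in the
behaviour graph of this entry.

Added example; not MalwareBazaar or vendor-sandbox code.  The events are
constructed from the pids, parent links and destinations in the graph
export, which has no argv or timestamps, so only executable names, tree
structure and destinations are used and pids serve as the time axis.
"""
import os
from collections import defaultdict

# (pid, ppid, action, exe).  ppid 0 stands for the unknown parent of the sudo
# wrapper the sandbox used (assumption).
PROC_EVENTS = [
    (2726, 0, "execve", "/usr/bin/sudo"),
    (2732, 2726, "execve", "/tmp/sample.bin"),
    (2734, 2732, "execve", "/usr/bin/su"),
    # five iterations: dash -> wget, then chmod, then another dash
    (2737, 2732, "clone", "/usr/bin/dash"), (2738, 2737, "execve", "/usr/bin/wget"),
    (2822, 2732, "execve", "/usr/bin/chmod"), (2824, 2732, "clone", "/usr/bin/dash"),
    (2831, 2732, "clone", "/usr/bin/dash"), (2832, 2831, "execve", "/usr/bin/wget"),
    (2925, 2732, "execve", "/usr/bin/chmod"), (2926, 2732, "clone", "/usr/bin/dash"),
    (2929, 2732, "clone", "/usr/bin/dash"), (2930, 2929, "execve", "/usr/bin/wget"),
    (3012, 2732, "execve", "/usr/bin/chmod"), (3014, 2732, "clone", "/usr/bin/dash"),
    (3017, 2732, "clone", "/usr/bin/dash"), (3018, 3017, "execve", "/usr/bin/wget"),
    (3161, 2732, "execve", "/usr/bin/chmod"), (3162, 2732, "clone", "/usr/bin/dash"),
    (3167, 2732, "clone", "/usr/bin/dash"), (3168, 3167, "execve", "/usr/bin/wget"),
    (3223, 2732, "execve", "/usr/bin/chmod"), (3224, 2732, "clone", "/usr/bin/dash"),
]
# (pid, dest_ip, dest_port, bytes_sent) for the five wget processes.
NET_EVENTS = [
    (2738, "158.51.126.131", 80, 136), (2832, "158.51.126.131", 80, 135),
    (2930, "158.51.126.131", 80, 135), (3018, "158.51.126.131", 80, 133),
    (3168, "158.51.126.131", 80, 135),
]

FETCHERS = {"wget", "curl", "tftp", "ftpget"}
MIN_FETCHES = 3   # assumption: a dropper fanning out to several architectures


def build_tree(proc_events):
    children, exe = defaultdict(list), {}
    for pid, ppid, _action, path in proc_events:
        children[ppid].append(pid)
        exe[pid] = path
    return children, exe


def descendants(children, root):
    out, stack = [], list(children.get(root, []))
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(children.get(pid, []))
    return out


def analyse(root, proc_events, net_events):
    """Summarise the subtree under `root` and decide whether it has the
    repeated fetch-then-chmod shape of a multi-architecture dropper."""
    children, exe = build_tree(proc_events)
    net_by_pid = defaultdict(list)
    for pid, ip, port, nbytes in net_events:
        net_by_pid[pid].append((ip, port, nbytes))

    desc = descendants(children, root)
    fetches, chmods, fetch_then_chmod, awaiting_chmod = [], [], 0, False
    for pid in sorted(desc):                       # pid order stands in for time
        name = os.path.basename(exe[pid])
        if name in FETCHERS and net_by_pid.get(pid):
            fetches.append((pid, net_by_pid[pid]))
            awaiting_chmod = True
        elif name == "chmod":
            chmods.append(pid)
            if awaiting_chmod:                     # chmod right after a fetch
                fetch_then_chmod += 1
                awaiting_chmod = False
    hosts = sorted({ip for _, conns in fetches for ip, _, _ in conns})
    ports = {port for _, conns in fetches for _, port, _ in conns}
    names = {os.path.basename(exe[p]) for p in desc}
    finding = {
        "root": exe[root],
        "fetch_count": len(fetches),
        "chmod_count": len(chmods),
        "fetch_then_chmod": fetch_then_chmod,
        "hosts": hosts,
        "plaintext_http_only": bool(ports) and ports == {80},
        "privilege_tools": sorted(names & {"su", "sudo"}),
    }
    finding["suspicious"] = finding["fetch_then_chmod"] >= MIN_FETCHES and len(hosts) == 1
    return finding


# Constructed benign control: one shell, one curl over 443, no chmod.
BENIGN_PROC = [(4000, 0, "execve", "/usr/bin/bash"),
               (4001, 4000, "execve", "/usr/bin/curl")]
BENIGN_NET = [(4001, "203.0.113.10", 443, 512)]

if __name__ == "__main__":
    print(analyse(2732, PROC_EVENTS, NET_EVENTS))
    print(analyse(4000, BENIGN_PROC, BENIGN_NET))
```

A single wget or curl is not flagged, nor is a chmod on its own; the signal is the repetition of fetch followed by chmod against one host, which is what distinguishes this dropper from an ordinary install script. With argv available (absent from the graph export) the check would normally also require the chmod target and the later exec to be the downloaded file.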
Threat name: Script-Shell.Downloader.Heuristic
Status: Malicious
First seen: 2025-07-09 04:30:29 UTC
File Type: Text (Shell)
AV detection: 12 of 38 (31.58%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices
(These three behaviours come from a Windows sandbox. A POSIX shell script has no registry and cannot call SetWindowsHookEx, so they describe whatever handled the .sh file on Windows, not the downloader itself; the Linux run above is the relevant one for this sample.)
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Gafgyt
File type: sh
SHA256 hash: 5e243485479cd1bbbf85df2415ecf4f8daec7d4c3d5db980da1cb2394e4d8c42 (this sample)

Comments