MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6039b90a4c53fbdcdc69be41e0041e737f317ee1e017eff68c9b1bddb83bdaa8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	6039b90a4c53fbdcdc69be41e0041e737f317ee1e017eff68c9b1bddb83bdaa8
SHA3-384 hash:	19d2d00080e968a260dcb68a262e0aed8efece1594c4107f76c4c2aae7faab043d3d1850d6d74160ac7813dc882a2dcf
SHA1 hash:	07cf57e1a5e1e3313364801d7232abe16d761a92
MD5 hash:	54d9fb489d61275838824f249f7a596d
humanhash:	spring-seventeen-enemy-cardinal
File name:	b
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	927 bytes
First seen:	2025-08-30 13:34:52 UTC
Last seen:	2025-08-31 08:28:24 UTC
File type:	sh
MIME type:	text/plain
ssdeep	24:E22IbO5zOt+MB0h0p0mkIVu5kIV2Z15kIV7ckq:EAO5CEA04kIkkIQZfkIikq
TLSH	T1061157CF53A58C60D8A469CA76538D14B88DC6D439CBCE8CE6CD4535D499D0431B2F69
Magika	txt
Reporter	abuse_ch
Tags:	gafgyt sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://158.51.126.131/n/armv5l	42aea37337e2b2cc306bf363b15f7f7cf962b87db3b4d4449d7e13e31d8f434e	Gafgyt	elf gafgyt ua-wget
http://158.51.126.131/n/armv7l	89e53d182f78499c985edf7e16c4da4d768b090fe685d92f5b7778ff2748f975	Gafgyt	elf gafgyt ua-wget
http://158.51.126.131/n/mips	15c9ec390182a640ee6e36c5ae36f633ea3c76e82a9a0e7b138283c414d15e27	Gafgyt	elf gafgyt mirai ua-wget
http://158.51.126.131/n/mipsel	c14f3c5adc33a437a16c0ad651eb6b0e493c6fbcb2ff5d9fd4624666bd4f9034	Gafgyt	elf gafgyt mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.32150.LX.BOT.UNOFFICIAL

Sanesecurity.Malware.32149.LX.BOT.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox

Link:

https://www.filescan.io/uploads/68b2fe3a8d7e23876184fa88/reports/081e655c-6774-40ae-ab98-f4f808ec13f7/overview

Verdict:

Malicious

File Type:

ps1

First seen:

2025-08-30T14:27:00Z UTC

Last seen:

2025-08-30T14:27:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/6039b90a4c53fbdcdc69be41e0041e737f317ee1e017eff68c9b1bddb83bdaa8/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/52a593c4-1558-41bd-967c-710fcdf30c0f

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/6039b90a4c53fbdcdc69be41e0041e737f317ee1e017eff68c9b1bddb83bdaa8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6039b90a4c53fbdcdc69be41e0041e737f317ee1e017eff68c9b1bddb83bdaa8/

Threat name:

Script-Shell.Trojan.Heuristic

Status:

Malicious

First seen:

2025-08-30 13:39:39 UTC

File Type:

Text (Shell)

AV detection:

8 of 24 (33.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ma43scsmkp55zxdjxza6aba6on7tc7xb4al675umtmn53ob33kua._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250830-qx9xeszsaw/

Behaviour

Suspicious use of SetWindowsHookEx

Modifies registry class

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6039b90a4c53fbdcdc69be41e0041e737f317ee1e017eff68c9b1bddb83bdaa8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.