MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60f401afeb6054e531916adb8118df45fcd7d4c1d166ac28197c67ecba2ba60c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	60f401afeb6054e531916adb8118df45fcd7d4c1d166ac28197c67ecba2ba60c
SHA3-384 hash:	d13d50864d0e6de2cfeb6e3db29e9e96e0ca959db10d6f51f9d93aba583374fee05592c86917f77a6429b21fa25a811b
SHA1 hash:	7f53cbcacbc25f28c848cc5e56a4dcafd06c9734
MD5 hash:	319ea341973f79a0767d607302d0fc05
humanhash:	ack-batman-august-stream
File name:	cat.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	1'815 bytes
First seen:	2026-03-27 07:25:50 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:uzjzbssHsMwB8Xxtx+Z0LMTLMwCctGuXusSuX47zfFhQsBPOqGxIY7FDbad6F:CDQDidPS7cd6F
TLSH	T1C63184C9083519D40A579E80A9B186C5B90BE7D0BA948EC7E7C61D7170BCDD434B87DA
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://64.89.163.118/iowa	0dc4d8932b1319965f4639567680d3a1d5f6fd772ae5f154ca6ef1a4b01038d2	Gafgyt	elf ua-wget
http://64.89.163.118/alabama	567407079429b656f934d756da30eb0d1f2b6bf3e0765c67b7095e6ea4ce316e	Gafgyt	elf ua-wget
http://64.89.163.118/alaska	2b6febb43bf9a1eadb08c6910276f7192b3e9c8ffb1fcbdb99770657681a3999	Mirai	elf mirai ua-wget
http://64.89.163.118/arizona	3f9e3b8acf70dc1fc178cdecd755eb9cdb8f8367e2a8ec884aa181932392dce3	Mirai	elf mirai ua-wget
http://64.89.163.118/arkansas	6ab1f75873cc848ba44f0280545bc605dad3631deacac546f8f67da0870b296e	Mirai	elf mirai ua-wget
http://64.89.163.118/california	794aaf6fa3e6e1170fe1ee1ab3ba99836d46753fb00b31564629ef7f18a91160	Mirai	elf mirai ua-wget
http://64.89.163.118/colorado	a7359b810b45f7bb0fcb56a5da5dae41f9c65c7a4c4e5fc0267ffb5a26756c19	Mirai	elf mirai ua-wget
http://64.89.163.118/connecticut	27111421f6310cf286aa062d6f6c296a87345d61fdf8db6238092f1b0751662b	Mirai	elf mirai ua-wget
http://64.89.163.118/delaware	bcda6a09f766b4e12a493da81cd7680296cf2b74b8eb99f45be5e9136fa7b433	Mirai	elf mirai ua-wget
http://64.89.163.118/florida	4bafd0db45b44a978092247b4178e3775ae19153f7c6d981fb7780d9b0d8e82a	Mirai	elf mirai ua-wget
http://64.89.163.118/georgia	46831dae03c26030c63b02df4d7aa4e0bbf403d2a07590fca5bf20d1adeba246	Mirai	elf mirai ua-wget
http://64.89.163.118/hawaii	9c84623c5a9b5f79023eea9b94bba6ac2a2257a15ceb7c2f5f65b8d3cdbea0ea	Mirai	elf mirai ua-wget
http://64.89.163.118/idaho	63ca83fdf2cda2de3b68672cf07128a9ad822c6a255342d0cc1ef1767532569e	Mirai	elf mirai ua-wget
http://64.89.163.118/illinois	98c01d760ac3efcd9994fe893165baf552d7f9ab694557907690864dc263489e	Mirai	elf mirai ua-wget
http://64.89.163.118/indiana	8062f4d71cf4338aa54950270d18fdeb5b3064fa498c2e944f32f5ded6d8f284	Mirai	elf mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Result

Gathering data

Verdict:

Malicious

File Type:

unix shell

Link:

https://opentip.kaspersky.com/60f401afeb6054e531916adb8118df45fcd7d4c1d166ac28197c67ecba2ba60c/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/bf7c7368-0d3c-4d7c-b02d-0893543357fd

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/60f401afeb6054e531916adb8118df45fcd7d4c1d166ac28197c67ecba2ba60c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/60f401afeb6054e531916adb8118df45fcd7d4c1d166ac28197c67ecba2ba60c/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/60f401afeb6054e531916adb8118df45fcd7d4c1d166ac28197c67ecba2ba60c

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2026-03-27 05:32:51 UTC

File Type:

Text (Shell)

AV detection:

6 of 36 (16.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=md2adl7lmbkokmmrnlnycgg7ix6npvgb2ftkykazprt6zorluyga._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux

Link:

https://tria.ge/reports/260327-h9n7gsbz2q/

Behaviour

Reads runtime system information

Writes file to tmp directory

Changes its process name

Deletes log files

Enumerates running processes

File and Directory Permissions Modification

Deletes Audit logs

Deletes itself

Deletes system logs

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/60f401afeb6054e531916adb8118df45fcd7d4c1d166ac28197c67ecba2ba60c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh 60f401afeb6054e531916adb8118df45fcd7d4c1d166ac28197c67ecba2ba60c

(this sample)

Gafgyt

elf 0dc4d8932b1319965f4639567680d3a1d5f6fd772ae5f154ca6ef1a4b01038d2

URLhaus

https://urlhaus.abuse.ch/url/3806078/

Delivery method

Distributed via web download

Dropping

MD5 9d405c9278c59c346f59e7f259ff76a4

Dropping

SHA256 0dc4d8932b1319965f4639567680d3a1d5f6fd772ae5f154ca6ef1a4b01038d2

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample