MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63ca49fa64e2b84935330c10d7fefad5783e4ebe3010694f0bc89e9fa6b4146a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 8

SHA256 hash: 63ca49fa64e2b84935330c10d7fefad5783e4ebe3010694f0bc89e9fa6b4146a
SHA3-384 hash: 714acaa572f865d8d0ade599993c05b1eec07a0a458d28de103941bc13919ff870fb35064030515ee72abf40510bfb4f
SHA1 hash: 103b68f18b1045d41a219b34315ade69ee0a1998
MD5 hash: d5519ce53ee3deb028d8a5194d3d348d
humanhash: july-burger-pizza-pennsylvania
File name: Oblivion121.sh
Signature: Gafgyt
File size: 1'667 bytes
First seen: 2025-04-01 12:40:35 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vpKyKdp0DpgO1GpFYpSpLp3AJpI3piKpxIp+2:vGM9Gg+LQoJkB
TLSH: T1B531A4CA21955A32BCF6D923BAB9C65471C0509398CA7E06EADD7CF8C4DDE04F084B87
Magika: shell
Reporter: abuse_ch
Tags: sh
IOCs

URL | Malware sample (SHA256 hash) | Signature | Tags
http://176.65.144.18/FBI.x86 | 61346160a4c3d2f06d9636ea00a498fbf1809e58a6c1c673cc884c0cc66e0380 | Gafgyt | elf gafgyt mirai
http://176.65.144.18/FBI.mips | a210d3c4077e68bf1f8d8ecabd34098352aabc14e993cff345ef58cb473420bd | Gafgyt | elf gafgyt mirai
http://176.65.144.18/FBI.mpsl | e5240047c2b3d7fd7e1e54f5bd18554f0d22c6f6ecfe06be38e27bffd4efe6e1 | Gafgyt | elf gafgyt mirai
http://176.65.144.18/FBI.arm | ac2556daabcf6c82b1fd1ddb6347bce3760f42cd13bf6a1fcc44f0c1b107406b | Gafgyt | elf gafgyt mirai
http://176.65.144.18/FBI.arm5 | 4be5f84fc3d3200c27b3973dda8fd79fa0824fa85c946f01533a2ea287ef55c9 | Gafgyt | elf gafgyt mirai
http://176.65.144.18/FBI.arm6 | 44421e849e4e403f3c639b3179f44368b2fe82ea1527939bf65852a6f9ef9a28 | Gafgyt | elf gafgyt mirai
http://176.65.144.18/FBI.arm7 | 7d86d8a3c9db41dff194c8183ddab9e662cb990aefdd3ffdd8109d3eb13a474a | Gafgyt | elf gafgyt mirai
http://176.65.144.18//BI.ppc | 7d86d8a3c9db41dff194c8183ddab9e662cb990aefdd3ffdd8109d3eb13a474a | Gafgyt | elf
http://176.65.144.18/FBI.m68k | 7d86d8a3c9db41dff194c8183ddab9e662cb990aefdd3ffdd8109d3eb13a474a | Gafgyt | elf mirai
http://176.65.144.18/FBI.sh4 | 217d27019c13c2fa69d6638ad56c345a30dee26a77a3760775dbaa6c4dace15d | Gafgyt | elf gafgyt mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 47
Origin country: DE
Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: downloader shellcode agent

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin packed remote

Result
Verdict: MALICIOUS
Threat name: Linux.Downloader.Morila

Status: Malicious
First seen: 2025-04-01 12:41:17 UTC
File Type: Text (Shell)
AV detection: 17 of 24 (70.83%)
Threat level: 3/5

Result
Malware family: n/a
Score: 7/10
Tags: antivm defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Creates a large amount of network flows
File and Directory Permissions Modification
Executes dropped EXE
Writes DNS configuration
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt
sh 63ca49fa64e2b84935330c10d7fefad5783e4ebe3010694f0bc89e9fa6b4146a (this sample)

Delivery method: Distributed via web download

Comments