MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 646f22b6f811bbf003b7bd0efb3331035dc321eede61a35bf0715c2d8bfa9a2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 646f22b6f811bbf003b7bd0efb3331035dc321eede61a35bf0715c2d8bfa9a2a
SHA3-384 hash: 83d732b522c936e027dccdab3e05354b46ab4b8ad082546daec9a2686b055066cb48b38f4197f611f55b90f3aaf2736b
SHA1 hash: 0c1b060d31702e11b237f10c4a28f753921709ce
MD5 hash: 3415323e514be94b3c24c44b405d8954
humanhash: eleven-yellow-black-delaware
File name:beacon.x86
Download: download sample
Signature Gafgyt
Create hunting rule
File size:1'575'492 bytes
First seen:2026-02-20 16:33:48 UTC
Last seen:2026-02-21 11:30:43 UTC
File type: elf
MIME type:application/x-executable
ssdeep 24576:CvxsK0QaOLshCyUSgtkgNJ+fNfl0ztwslRjiA/q7uXQhL9hoeIyATZBY5oIWpFo3:Cv+sshCyUSgtxkU/DSyXQhL9huPAKk
TLSH T19F758D89F78295F1F26300F10A8FE7B7453056254322EAF7DB8D2E66B5367C12E3521A
telfhash t1cd7272344d9db0a263e5d898f3b2f03069321c7a9af879f014217e62dd90d876c6b95f
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence

File Origin
# of uploads :
2
# of downloads :
40
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Unix.Trojan.Mirai-10004218-0
Create hunting rule

Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
1
Number of processes launched:
2
Processes remaning?
false
Remote TCP ports scanned:
8080,23,2323
Full report:
https://elfdigest.com/brief/646f22b6f811bbf003b7bd0efb3331035dc321eede61a35bf0715c2d8bfa9a2a
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Unknown
File Type:
elf.32.le
Link:
https://opentip.kaspersky.com/646f22b6f811bbf003b7bd0efb3331035dc321eede61a35bf0715c2d8bfa9a2a/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/a77d5446-a66c-4d7e-bf7e-ab36223006b7
Behavior Graph:
Download SVG
%3 guuid=9153b2e8-1800-0000-9a2a-8b40b40c0000 pid=3252 /usr/bin/sudo guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3253 /tmp/sample.bin delete-file write-file guuid=9153b2e8-1800-0000-9a2a-8b40b40c0000 pid=3252->guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3253 execve guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254 /tmp/sample.bin net guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3253->guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254 clone 9de456de-40f7-54c3-8f5f-f97eeb14e94c 195.27.31.171:80 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->9de456de-40f7-54c3-8f5f-f97eeb14e94c con bf354e22-7bc3-5fdd-a2dc-d275cbe02488 195.27.31.171:8080 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->bf354e22-7bc3-5fdd-a2dc-d275cbe02488 con af77e4e7-b0f9-59b5-bb66-5cb127fdad75 195.27.31.171:23 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->af77e4e7-b0f9-59b5-bb66-5cb127fdad75 con 4f2e977b-aaeb-5225-8d41-5bf1a4220190 195.27.31.171:2323 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->4f2e977b-aaeb-5225-8d41-5bf1a4220190 con f5f65072-f4b4-5335-a72a-7198c303f474 52.181.159.156:80 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->f5f65072-f4b4-5335-a72a-7198c303f474 con 16ffee77-38b8-58a5-b4a8-061f63010fc6 52.181.159.156:8080 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->16ffee77-38b8-58a5-b4a8-061f63010fc6 con 78199885-a3c9-5e13-97d5-5e14159de427 52.181.159.156:23 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->78199885-a3c9-5e13-97d5-5e14159de427 con fdb7c6bb-266a-5c5d-a3c9-eb91771f25e2 52.181.159.156:2323 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->fdb7c6bb-266a-5c5d-a3c9-eb91771f25e2 con cad20b80-ee0e-52e1-9213-d9960299d0d0 94.71.81.156:80 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->cad20b80-ee0e-52e1-9213-d9960299d0d0 con 84d4e568-a6fd-5130-833d-504e295166c2 94.71.81.156:8080 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->84d4e568-a6fd-5130-833d-504e295166c2 con 62333192-f8ce-5131-8627-dbe1d35b7ca1 94.71.81.156:23 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->62333192-f8ce-5131-8627-dbe1d35b7ca1 con c4ba9c9c-86de-51c4-a104-a10ceef6b530 94.71.81.156:2323 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->c4ba9c9c-86de-51c4-a104-a10ceef6b530 con ea9e0758-6acd-5bdf-91f2-4e2fb4711027 80.242.115.131:80 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->ea9e0758-6acd-5bdf-91f2-4e2fb4711027 con 361f8d8c-db26-5595-8db8-6aee2959b779 80.242.115.131:8080 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->361f8d8c-db26-5595-8db8-6aee2959b779 con 218f0e80-7e76-56f2-9a4a-cd565037def2 80.242.115.131:23 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->218f0e80-7e76-56f2-9a4a-cd565037def2 con 1122d3ee-3b83-5efc-818f-ce336e62b6b4 80.242.115.131:2323 guuid=4531b1eb-1800-0000-9a2a-8b40b50c0000 pid=3254->1122d3ee-3b83-5efc-818f-ce336e62b6b4 con
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/51099a6b-19a0-455e-a455-c8c97fceac6c
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1872595
Signature
Connects to many ports of the same IP (likely port scanning)
Sample deletes itself
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1872595 Sample: beacon.x86.elf Startdate: 20/02/2026 Architecture: LINUX Score: 48 15 116.152.223.87, 23, 2323, 80 CNIX-APChinaNetworksInter-ExchangeCN China 2->15 17 68.186.16.105, 23, 2323, 80 CHARTER-20115US United States 2->17 19 7 other IPs or domains 2->19 21 Connects to many ports of the same IP (likely port scanning) 2->21 6 beacon.x86.elf 2->6         started        9 dash rm 2->9         started        11 dash rm 2->11         started        13 python3.8 dpkg 2->13         started        signatures3 process4 signatures5 23 Sample deletes itself 6->23
Score:
98%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/646f22b6f811bbf003b7bd0efb3331035dc321eede61a35bf0715c2d8bfa9a2a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/646f22b6f811bbf003b7bd0efb3331035dc321eede61a35bf0715c2d8bfa9a2a/
Threat name:
Linux.Backdoor.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2026-02-20 16:27:58 UTC
File Type:
ELF32 Little (Exe)
AV detection:
8 of 23 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mrxsfnxycg57aa5xxuhpwmzrano4gipo3zq2gw7qofoc3c72tiva._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery linux
Link:
https://tria.ge/reports/260220-t3aajafv6e/
Behaviour
Reads runtime system information
Deletes itself
Modifies Watchdog functionality
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/646f22b6f811bbf003b7bd0efb3331035dc321eede61a35bf0715c2d8bfa9a2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:F01_s1ckrule
Create hunting rule
Author:s1ckb017
Rule name:malwareelf55503
Create hunting rule
Rule name:ProgramLanguage_Rust
Create hunting rule
Author:albertzsigovits
Description:Application written in Rust programming language
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf 646f22b6f811bbf003b7bd0efb3331035dc321eede61a35bf0715c2d8bfa9a2a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3781873/
  
Delivery method
Distributed via web download

Comments