MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6546db8a603850dac69b0110bcb9a9d54db837e28dfa2cf04da6b6242f65d719. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	6546db8a603850dac69b0110bcb9a9d54db837e28dfa2cf04da6b6242f65d719
SHA3-384 hash:	980b6d6b1e6703759750468825390eb4597a9196a9920126b3619c8be705de3de819f31fc967c7e120608e86c2a0045a
SHA1 hash:	3475e18a44843a507a75200be832d5ac853e4a7f
MD5 hash:	c149f66075c59582d99d869ddd6b1505
humanhash:	nuts-double-minnesota-yellow
File name:	nig.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	1'148 bytes
First seen:	2025-07-28 20:22:05 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:sEUSIbK5zOt+MB0Ei4wghBh9Mk8Qoy3Z1kksepkS:sEUXK5CEA0Ei4wghL8Qo4ZCkVkS
TLSH	T139211ECD9291CC309CA01CDAF2C36405E84BD7D96FD74C84B589A17AB46CD0871A1F7A
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://158.51.126.131/k/mips	dc09b912cad01060375273eb113736c6ad7b8fba16e573d5d1792014cf6b7d04	Gafgyt	elf gafgyt opendir ua-wget
http://158.51.126.131/k/mipsel	d0ec2c47dffa30456847ff6c1ca0c1e3a3666f3c1306775821f8e7891058e731	Gafgyt	elf gafgyt opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.32150.LX.BOT.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

busybox

Link:

https://www.filescan.io/uploads/6887dc10c79df08ef0971a01/reports/238062a0-4378-425d-890b-ddcb2093b5c7/overview

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/8abba0af-def4-4681-9b2a-c3e5ca680d94

Behavior Graph:

Download SVG

Score:

72%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/6546db8a603850dac69b0110bcb9a9d54db837e28dfa2cf04da6b6242f65d719

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6546db8a603850dac69b0110bcb9a9d54db837e28dfa2cf04da6b6242f65d719/

Verdict:

Malicious

Threat:

HEUR:Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/6546db8a603850dac69b0110bcb9a9d54db837e28dfa2cf04da6b6242f65d719

Threat name:

Script.Trojan.Malgent

Status:

Malicious

First seen:

2025-07-28 20:22:24 UTC

File Type:

Text (Shell)

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mvdnxctahbinvru3aeilzonj2vg3qn7crx5cz4cnu23cil3f24mq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250728-y5qshshk7z/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/6546db8a603850dac69b0110bcb9a9d54db837e28dfa2cf04da6b6242f65d719

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.