MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66b96c315bb3eb3a8738095004e76b38f112b96d1f1311c3bf810d78ce0296cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 9

Intelligence 9 IOCs YARA 9 File information Comments

SHA256 hash:	66b96c315bb3eb3a8738095004e76b38f112b96d1f1311c3bf810d78ce0296cb
SHA3-384 hash:	a23be48aebf83b868949fff61d26043b8a3952772ce8ae2ed668ef60af26d9e700de11ba021d8acd552a6355be6d902a
SHA1 hash:	d7cd18f01b5ee05bb2a8b7680f869c875661fbab
MD5 hash:	ca708e51500ee5d15ee3800d1cd1eb01
humanhash:	robin-green-utah-ten
File name:	assailant.sparc
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	126'929 bytes
First seen:	2025-10-06 18:34:02 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	3072:/YNa/GLBNPoQrphakpiQ9/nYEP/UnSQf/R:6a/ylosphakp39/nYEP/UnSQf/R
TLSH	T104C32B273B231E23C0C9547102E31331FAB9DB6938B953D7E9D06DAC2F26A943456BD9
telfhash	t17421f14396f68a2c6fb3587468fc0ab11552a5237260bf70af5ec1809d37106b479e8f
Magika	elf
Reporter	abuse_ch
Tags:	elf gafgyt

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30395.LC.UNOFFICIAL

Unix.Trojan.Gafgyt-6981154-0

Unix.Dropper.Mirai-7138855-0

Unix.Dropper.Mirai-7139223-0

Unix.Dropper.Mirai-7139232-0

Unix.Trojan.Mirai-7641631-0

Unix.Proxy.Mirai-7844054-0

Unix.Trojan.Mirai-9864781-0

Verdict:

Unknown

Threat level:

0/10

Confidence:

100%

Tags:

gcc lolbin obfuscated remote threat

Link:

https://www.filescan.io/uploads/68e40d65d4a0085473c1d67f/reports/f6594f48-b2fe-47a9-93b4-860933141a6d/overview

Verdict:

Malicious

File Type:

elf.32.be

First seen:

2025-10-06T15:50:00Z UTC

Last seen:

2025-10-07T10:23:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/66b96c315bb3eb3a8738095004e76b38f112b96d1f1311c3bf810d78ce0296cb/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/6347e7c5-d460-4641-8e1b-709a2c8ce459

Behavior Graph:

Download SVG

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e8c66392-7987-497a-84d2-9216ababd8d6

Result

Threat name:

Gafgyt, Mirai

Detection:

malicious

Classification:

troj

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1790057

Signature

Antivirus / Scanner detection for submitted sample

Connects to many ports of the same IP (likely port scanning)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Gafgyt

Yara detected Mirai

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/66b96c315bb3eb3a8738095004e76b38f112b96d1f1311c3bf810d78ce0296cb

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66b96c315bb3eb3a8738095004e76b38f112b96d1f1311c3bf810d78ce0296cb/

Verdict:

Malicious

Threat:

Family.GAFGYT

Link:

https://tip.neiki.dev/file/66b96c315bb3eb3a8738095004e76b38f112b96d1f1311c3bf810d78ce0296cb

Threat name:

Linux.Trojan.Gafgyt

Status:

Malicious

First seen:

2025-10-05 16:27:37 UTC

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m24wymk3wpvtvbzybfiajz3lhdyrfolnd4jrdq57qegxrtqcs3fq._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt linux

Link:

https://tria.ge/reports/251006-xb4a3sek5v/

Malware Config

C2 Extraction:

115.167.64.10:42516

Verdict:

Malicious

Tags:

trojan gafgyt Unix.Trojan.Gafgyt-6981154-0

YARA:

Linux_Trojan_Gafgyt_30444846

Link:

https://app.threat.zone/submission/5982c562-ffeb-45ed-9018-91f5f719c425

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	enterpriseapps2 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Enterprise apps

Rule name:	linux_generic_ipv6_catcher Create hunting rule
Author:	@_lubiedo
Description:	ELF samples using IPv6 addresses

Rule name:	Linux_Trojan_Gafgyt_30444846 Create hunting rule
Author:	Elastic Security

Rule name:	Mal_LNX_Gafgyt_Botnet_ELF Create hunting rule
Author:	Phatcharadol Thangplub
Description:	Use to detect Gafgyt botnet, and there variants.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	setsockopt Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for setsockopt() red flags

Rule name:	unixredflags3 Create hunting rule
Author:	Tim Brown @timb_machine
Description:	Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf 66b96c315bb3eb3a8738095004e76b38f112b96d1f1311c3bf810d78ce0296cb

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3660731/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample