MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 675c3f88fa7a967539a883025f1de786ebfe5cbe4d6f24d4b8516fc06eabc660. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	675c3f88fa7a967539a883025f1de786ebfe5cbe4d6f24d4b8516fc06eabc660
SHA3-384 hash:	15e527e7ad891788bf913b8aa504b83bcc88e266c1dcd78bc8275d320710caca621f327c41bdfcbdcf4e20025b0ca141
SHA1 hash:	46aa9471e4d0f911d525051df8ef9caff7481c2b
MD5 hash:	f4901d9748924defb805672e09cfa726
humanhash:	violet-diet-charlie-charlie
File name:	r
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	923 bytes
First seen:	2025-08-16 07:47:35 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:E22IbO5zOt+MB0hGUpGUmkJGOGZkJRZ1akJovkD:EAO5CEA0ekOknZQkukD
TLSH	T1851157DF56A28C21DCA05AEE31524814B48EC5D565C78E8EF6CD0139E899E0830B1FE9
Magika	shell
Reporter	abuse_ch
Tags:	gafgyt sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://158.51.126.131/narmv5l	42aea37337e2b2cc306bf363b15f7f7cf962b87db3b4d4449d7e13e31d8f434e	Gafgyt	elf gafgyt mirai ua-wget
http://158.51.126.131/narmv7l	89e53d182f78499c985edf7e16c4da4d768b090fe685d92f5b7778ff2748f975	Gafgyt	elf gafgyt mirai ua-wget
http://158.51.126.131/nmips	15c9ec390182a640ee6e36c5ae36f633ea3c76e82a9a0e7b138283c414d15e27	Gafgyt	elf gafgyt mirai ua-wget
http://158.51.126.131/nmipsel	c14f3c5adc33a437a16c0ad651eb6b0e493c6fbcb2ff5d9fd4624666bd4f9034	Gafgyt	elf gafgyt mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.32150.LX.BOT.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox

Link:

https://www.filescan.io/uploads/68a037d1a4bdac9f5b997034/reports/d5157fdf-0b98-4d17-bc75-b31c94e1acff/overview

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/605e0d4a-7029-4b51-b756-92c0c22fb9eb

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/675c3f88fa7a967539a883025f1de786ebfe5cbe4d6f24d4b8516fc06eabc660

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/675c3f88fa7a967539a883025f1de786ebfe5cbe4d6f24d4b8516fc06eabc660/

Verdict:

Malicious

Threat:

HEUR:Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/675c3f88fa7a967539a883025f1de786ebfe5cbe4d6f24d4b8516fc06eabc660

Threat name:

Script.Trojan.Multiverze

Status:

Malicious

First seen:

2025-08-16 07:51:28 UTC

File Type:

Text (Shell)

AV detection:

9 of 24 (37.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m5od7ch2pklhkoniqmbf6hphq3v74xf6jvxsjvfykfx4a3vlyzqa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250816-jp2shswtbz/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/675c3f88fa7a967539a883025f1de786ebfe5cbe4d6f24d4b8516fc06eabc660

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.