MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 704bb081c6defacb2fdf2d69990b9c534128c3dfde133ff6005bd79f28926617. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	704bb081c6defacb2fdf2d69990b9c534128c3dfde133ff6005bd79f28926617
SHA3-384 hash:	930724d8ae0f7cb83dff3f5ebdb6ecb6da191e6db8f2e9dc0d5f42206f839296e75955e3bd2a3f9ebcbb3c5034d12aed
SHA1 hash:	e9da6f40eec385e45c98c0d95332c5a1f4b3a2dd
MD5 hash:	a664544587cb81599f2a2969b4495e8a
humanhash:	cat-utah-kilo-table
File name:	l
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	464 bytes
First seen:	2025-05-08 20:07:44 UTC
Last seen:	2025-05-09 12:06:53 UTC
File type:	sh
MIME type:	text/plain
ssdeep	12:oJ/ewmKJ+mMSrPQSJREmMSt7YJREmMSUUsv:oJ/fDJ2cPQUqWuqj
TLSH	T1CEF05CF60A0878F0F2D6A4A8B133DB5AA4ED90C75D110915E8B8D2F59CE4F28BC54E90
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://185.142.53.233/lmips	02ce0f4d95587618c9e31eff136dd0b6f4a1528d514f9f2de9901c5010de8da8	Gafgyt	censys elf gafgyt ua-wget
http://185.142.53.233/lmpsl	82b249d11863311b7d3c841af57c2b2f1fffa6b679c7b9fecfc19c7cf3175345	Gafgyt	censys elf gafgyt ua-wget

Intelligence

File Origin

# of uploads :

2

# of downloads :

89

Origin country :

DE

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-35.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=681d958991991ead82b65e36linux22vpnfull_triage

Tags:

hype sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/681d0f2cbab2591d065505e2/reports/76be0c47-b20e-489c-b206-e7b70f707bdb/overview

Verdict:

Malicious

Labled as:

Linux/TrojanDownloader.SH

Link:

https://www.hybrid-analysis.com/sample/704bb081c6defacb2fdf2d69990b9c534128c3dfde133ff6005bd79f28926617

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/704bb081c6defacb2fdf2d69990b9c534128c3dfde133ff6005bd79f28926617/

Threat name:

Linux.Downloader.SAgnt

Status:

Malicious

First seen:

2025-05-08 20:53:25 UTC

File Type:

Text (Shell)

AV detection:

5 of 24 (20.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=obf3baog335mwl67fvuzsc44knasrq673yjt75qalplz6kesmylq._file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/704bb081c6defacb2fdf2d69990b9c534128c3dfde133ff6005bd79f28926617

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 704bb081c6defacb2fdf2d69990b9c534128c3dfde133ff6005bd79f28926617

(this sample)

elf 02ce0f4d95587618c9e31eff136dd0b6f4a1528d514f9f2de9901c5010de8da8

URLhaus

https://urlhaus.abuse.ch/url/3538919/

Delivery method

Distributed via web download

Dropping

MD5 80e5597aecf66c81f81c24f1329a9a2e

Dropping

SHA256 02ce0f4d95587618c9e31eff136dd0b6f4a1528d514f9f2de9901c5010de8da8

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample