MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70763bbaca837b0e8abb77d812a321b86ffc973d95188ef19dbc619d4fb5566f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6



SHA256 hash: 70763bbaca837b0e8abb77d812a321b86ffc973d95188ef19dbc619d4fb5566f
SHA3-384 hash: 0d6e7b426b063ea76ebef95739580829d93bb717cf557c35eab249090cd5499c9e61440b93eadcab1ecae05142ea1bcb
SHA1 hash: e77ba2d72685d37d229bab5114454a7786476641
MD5 hash: 486410ca2dfec7d4d3983bca658b8036
humanhash: robin-queen-snake-california
File name: sex.sh
Signature: Gafgyt
File size: 1'616 bytes
First seen: 2025-11-18 16:50:41 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:Gn0Fmski0Fmg0FBc43Iu0FyeQgv0FqX80FiTs0FyCFv0Fwuv0FmTdEv0FzDfR0FP:1H6mBc4EyJqFiTlyGUyU/Hfy3anveR
TLSH: T12031F6CA21A10DB86DE0B96731B5D844B8CDE5E768EA6F5E2CDC38ED448EF0534017A3
Magika: csv
Reporter: abuse_ch
Tags: sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 33
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive medusa mirai

Verdict: Malicious
File Type: text
First seen: 2025-11-18T15:21:00Z UTC
Last seen: 2025-11-18T16:36:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-11-18 16:51:44 UTC
File Type: Text (Shell)
AV detection: 17 of 24 (70.83%)
Threat level: 3/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202412_suspect_bash_script
Author:abuse.ch
Description:Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gafgyt
Sample: sh 70763bbaca837b0e8abb77d812a321b86ffc973d95188ef19dbc619d4fb5566f (this sample)

Delivery method
Distributed via web download

Comments