MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76da9db227ba148182957ab710cc38522c009416a55a3ace939bc1fdf044392b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	76da9db227ba148182957ab710cc38522c009416a55a3ace939bc1fdf044392b
SHA3-384 hash:	7870670d5118bedbd00abe7ab792b2d330653e93a0e6b28df950984b12a135f96608aa54007c44883c36828096c52da9
SHA1 hash:	56a509c91c05e13a27e58afb4703a301e93b68b2
MD5 hash:	33ed4ddea1dfa313cdf8cfc0786197c4
humanhash:	minnesota-juliet-orange-montana
File name:	kill.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	2'829 bytes
First seen:	2025-06-20 08:59:06 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:K1dgOJhPOU6tG3soQPOUVg3sovQzpM3lJh/Er3xSKaEcaX8KC4SOPWYhHEdz8:KbgeWQ5QWr5vQzGErBSKpcaX8KCofOo
TLSH	T1BF517012FE0726B875F283665C095281D60AC2937B211038707EE6B63F344A82AF0BAD
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://104.167.221.114/faith.sh	22835c443bcc0927ad89eb3da673bc4dd8eff38962c9c498dc51e14410de53cc	Gafgyt	gafgyt sh ua-wget
http://176.96.131.92/kill.sh	76da9db227ba148182957ab710cc38522c009416a55a3ace939bc1fdf044392b	Gafgyt	gafgyt sh ua-wget

Intelligence

File Origin

# of uploads :

1

# of downloads :

71

Origin country :

DE

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.76678664.29932.24294.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685522fbbb25757a6a1b1641linux22vpnfull_triage

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/685522f93faf8fcd7d3804ab/reports/9d51cf68-3042-4fd2-9c9b-feb4cb52c471/overview

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/cfc718c0-6870-4816-b615-8d3d1b818377

Behavior Graph:

Score:

0%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/76da9db227ba148182957ab710cc38522c009416a55a3ace939bc1fdf044392b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/76da9db227ba148182957ab710cc38522c009416a55a3ace939bc1fdf044392b/

Threat name:

Text.Trojan.Generic

Status:

Suspicious

First seen:

2025-06-20 08:34:59 UTC

File Type:

Text (Shell)

AV detection:

4 of 24 (16.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o3nj3mrhxikidauvpk3rbtbykiwabfawuvndvtuttpa734cehevq._file

Result

Malware family:

n/a

Score:

1/10

Tags:

linux

Link:

https://tria.ge/reports/250620-kxxzzacn5x/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/76da9db227ba148182957ab710cc38522c009416a55a3ace939bc1fdf044392b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh 76da9db227ba148182957ab710cc38522c009416a55a3ace939bc1fdf044392b

(this sample)

elf fd2f0b1c70e97c3c67ab54ba87a2125fb30e25a6d6050cae36a5f7f14726189c

sh 22835c443bcc0927ad89eb3da673bc4dd8eff38962c9c498dc51e14410de53cc

URLhaus

https://urlhaus.abuse.ch/url/3568534/

Delivery method

Distributed via web download

Dropping

MD5 c4e00ae4e5720ca713d1892c2b02e139

Dropping

SHA256 22835c443bcc0927ad89eb3da673bc4dd8eff38962c9c498dc51e14410de53cc

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample