MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7849a41a7a6c414bc96ddc7df4e6afd20bd0f2237d907522f858bfc53a607f04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 5



SHA256 hash: 7849a41a7a6c414bc96ddc7df4e6afd20bd0f2237d907522f858bfc53a607f04
SHA3-384 hash: ef6299d9dc825cf0cc58907e58c717bd67845e215f958dc408c02d9553957ac30d6619d0c6101ce5e32221931a412d4a
SHA1 hash: 8a96be28742737a616561c76eb5742e930ceffb7
MD5 hash: 1b2f9b0e0d700fab7e3a03e031693d98
humanhash: moon-jig-pizza-xray
File name: tbkdvr.sh
Signature: Gafgyt
File size: 1'880 bytes
First seen: 2025-06-14 14:49:44 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:vGDDaMtz7qeNI7Ikstso/aGs6LMEgLNLIjxv+KP:vaWw7qnIJWo/Q6LMEuNLkv+g
TLSH: T1A74195DA326219752DE4ED3771EB98183480E1CB61C96F166CED3CF8A4CEE083425687
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://104.167.221.114/mips | fd2f0b1c70e97c3c67ab54ba87a2125fb30e25a6d6050cae36a5f7f14726189c | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/mipsel | d8253b55940a3d9f0a47c58ea5e1a37c1149217c7615d4a00bafc21d31035a19 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/sh4 | f43693a946b59f1d132fc620b8fc3683433c87cb046207cb18aad68b4ea091d6 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/x86_64 | d24eb20bdf28154c538be3ad296756f743753886e21a86f84e41482b7a4a45f3 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/arm6 | e89afd876b71345828df07ef82a4e6684a26cd9d8dfe5d0ee139e367de3b7330 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/i686 | 476e3c2d0c589ce2372f3d1bbb59bd8f3d800847b545e360eb85a290d675e254 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/powerpc | 880ddb6fcd0ef13b964069147f6b97b8bbd61cbe92feaf20aa25473179c50612 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/x86 | 857170c9591cce002273043a6f991f58683ef3bc2be7afcca54be1dc0097b57b | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/m68k | 26b8ee688812ddc7257e35c1c071a3b7d9f9487d9638be829b9998ac0894d05d | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/spc | 3be913565735d606fc2d64b098763b52ed9a6ba9ca93d89f723409b0348557eb | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/arm | 5f83df06a5fd17487df62de3f9b939088dcb1d08d06ac762df888264ec9da0e8 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/arm5 | 235733c3b02759f01d846d0333b94b3dbf2fee43d843e46f4ce062c30421b606 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/ppc4fp | n/a | n/a | elf ua-wget
http://104.167.221.114/arm7 | 8d8e03d31f4169577641596c31ab5ab0990ef39aa5ffea486330b230632a737a | Gafgyt | elf gafgyt ua-wget

Intelligence

File Origin
# of uploads: 1
# of downloads: 48
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
Score: 94.9%
Tags: trojan agent overt
Status: terminated
Behavior Graph: (rendered graph not preserved; process tree recovered from the graph data)
/usr/bin/sudo (pid 2135) --execve--> /tmp/sample.bin (pid 2141)
/tmp/sample.bin (pid 2141) repeatedly spawns, one round per architecture: /usr/bin/wget (net, send-data, write-file; 133-137 B sent to 104.167.221.114:80), /usr/bin/chmod, /usr/bin/bash (clone), /usr/bin/rm (delete-file)
Dropped payloads executed: /tmp/x86_64 (pid 2419), /tmp/i686 (pid 2589), /tmp/x86 (pid 2764); each connects to 8.8.8.8:53, clones a child (zombie) and sends 22 B to 207.167.64.24:5058
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-06-13 07:25:36 UTC
File Type: Text (Shell)
AV detection: 16 of 24 (66.67%)
Threat level: 3/5
Result
Malware family: n/a
Score: 9/10
Tags: credential_access defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Creates a large amount of network flows
Enumerates running processes
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Contacts a large (809) amount of remote hosts
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts
Rule name: UNK_install_script
Author: evilcel3ri
Description: Detects a suspicious behaviour in a bash installation script

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery | Signature | File type and SHA256 | Note
Web download | Gafgyt | sh 7849a41a7a6c414bc96ddc7df4e6afd20bd0f2237d907522f858bfc53a607f04 | (this sample)

Delivery method: Distributed via web download
