MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79f15e0000bc5304a92fe9e3c44c535c9a3cdce6152c651bbdc85b71a7c667db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6

SHA256 hash: 79f15e0000bc5304a92fe9e3c44c535c9a3cdce6152c651bbdc85b71a7c667db
SHA3-384 hash: f7d1bf9e79800f05bc25f811dfa7b9445978396fc7591cd722d14624872bcca00493c325d0c76be9a7d367c2b1f8ac7d
SHA1 hash: 7d9752af7a5fcfd6829ac63db51c59f5c12d88ed
MD5 hash: 79a1e955b057090c4edc21f3f3c59a7b
humanhash: eleven-asparagus-tennessee-mango
File name: utt
Signature: Gafgyt
File size: 1'223 bytes
First seen: 2025-07-28 20:22:08 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 24:sEUSIbK5zOt+MB0hQUQ7k1VOpOmk1VYfk1VDvDgk1VYZ1Hk1VlSkx:sEUXK5CEA0it7k10k1kk1FLgk1eZBk1b
TLSH: T1AC2178CF11918861CC6C9DC9B6934818F4CFDAD935CF8E8CE7CD8526D899E083591F69
Magika: txt
Reporter: abuse_ch
Tags: gafgyt sh
Associated URLs (URL | malware sample SHA256 hash | signature | tags):
http://158.51.126.131/t/armv4l | 51dbfe5eb3331858e57320a5a2327599fc51d18bab6c76c5d7cb03ca4621078b | Gafgyt | elf gafgyt opendir ua-wget
http://158.51.126.131/t/armv5l | de0a93c843a18ba73b472730753ebd5d796d497f4c0b7533872aadce221f5d80 | Gafgyt | elf gafgyt opendir ua-wget
http://158.51.126.131/t/armv7l | e3f59d94764653bbc6887c32ca43edcb670626c10502195d206f308b0684d428 | Gafgyt | elf gafgyt opendir ua-wget
http://158.51.126.131/t/powerpc | 1564e24be14f2274b7827ef5ac78e442db334fbdf15e73a171dc6cf5186c3741 | Gafgyt | elf gafgyt opendir ua-wget
http://158.51.126.131/t/mips | 6039ff1c2c6d9a8675c66655fa98c08b461c5ed90b33de19648689c27a7a7756 | Gafgyt | elf gafgyt ua-wget
http://158.51.126.131/t/mipsel | 48ec5f07842eb9840058755d90325aa23cdd67dca0f23c08faf79ea67918251d | Gafgyt | elf gafgyt ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 31
Origin country: DE
Vendor Threat Intelligence
Status: terminated
Behavior Graph:
Verdict: Malicious
Threat: HEUR:Trojan-Downloader.Shell.Agent
Threat name: Script.Trojan.Malgent
Status: Malicious
First seen: 2025-07-28 20:25:32 UTC
File Type: Text (Shell)
AV detection: 10 of 24 (41.67%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gafgyt
File: sh 79f15e0000bc5304a92fe9e3c44c535c9a3cdce6152c651bbdc85b71a7c667db (this sample)

Delivery method: Distributed via web download
