MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81da269aff4745ba4e326dd488e4dc4b1031a47cc12c5af3bf2e6164489480ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	81da269aff4745ba4e326dd488e4dc4b1031a47cc12c5af3bf2e6164489480ee
SHA3-384 hash:	6e4ccd9c526d4c5577bb29b9a84dd563ca96a8101d4cf511096f1491fec59a42b09f361a20e837b27627c463d3be0476
SHA1 hash:	c0fd34b9aaa1d782563889e5f475f7ceffb4cb03
MD5 hash:	479feb8fba4aa6a2c999a767b6c31451
humanhash:	nuts-emma-rugby-chicken
File name:	ur0a.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	1'727 bytes
First seen:	2026-04-23 11:37:43 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	48:YpgpGhpgpIpbspM53pG/kypMpC3pspShpQ3pj:YKshCC9sC0fWCWCu3J
TLSH	T1183150C621E198757DF5F52732A88510B8C5A1C752CFAF49AEEC38D484CDD08B415B93
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://176.65.139.143/MIPS	41ae9c9293e3fa20bb467cd3e0551837101ec592f84a12bb3a649dbb79cf7638	Mirai	elf gafgyt mips mirai opendir ua-wget
http://176.65.139.143/MIPSEL	n/a	n/a	elf gafgyt mips opendir ua-wget
http://176.65.139.143/SH4	2c203bf2914035458200a9300783e6a08d624693febf17650e8f8b6b39c18488	Mirai	elf gafgyt mirai opendir SuperH ua-wget
http://176.65.139.143/X86_64	c876cffb991d5916bf5fd3bc4991dabf3e7ee776481f77bfc11bb3d20cf92ada	Mirai	elf gafgyt mirai opendir ua-wget x86
http://176.65.139.143/I686	1608f9c477cd52dd4f36eb9af46cb65d7a719019d7ff60e858446c397cc75bde	Mirai	elf gafgyt mirai opendir ua-wget x86
http://176.65.139.143/POWERPC	2f7d62f92942a794d1bbc33a6447d2665b98538a9c7a49a236b1d1dd2423cc28	Mirai	elf gafgyt mirai opendir PowerPC ua-wget
http://176.65.139.143/I586	bf0df86359d4d81f8e6c752b52824748b5ac223fd6ce5e28891f703cc946e432	Mirai	elf gafgyt mirai opendir ua-wget x86
http://176.65.139.143/M68K	9bfe534e6df528c366b30b62cfffc2b13fe9ceb6a7e49418d58585b4463ca6da	Mirai	elf m68k mirai opendir ua-wget
http://176.65.139.143/SPARC	4c5979118963c5f00fee20087e7ea65f7a07234f6befd17a39b943aa5d294f61	Mirai	elf mirai opendir sparc ua-wget
http://176.65.139.143/ARMV4L	9ad3b2928edfa615d0d19220dfc52c0a176f8d2f55ba3fe129879325840da4d4	Gafgyt	arm elf gafgyt opendir ua-wget
http://176.65.139.143/ARMV5L	e141465a9a44bd03a86e594d80609921771a1f12bcc656e97b39d5bd01c63a56	Gafgyt	arm elf gafgyt geofenced opendir ua-wget USA
http://176.65.139.143/ARMV6L	f4fa39763da0dd7a2b6f2033442fb586557ea23451b797ab5cf9699e2ae4b6f1	Gafgyt	arm elf gafgyt mirai opendir ua-wget
http://176.65.139.143/ARMV7L	cdca813e68da420c7aae63fc7a31f926413c8d24e42c0add78795e339509a3f0	Gafgyt	arm elf gafgyt mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive medusa mirai

Link:

https://www.filescan.io/uploads/69ea04b78a82359247ae395a/reports/910e6030-a3f6-4eec-8bd5-4432b62df438/overview

Verdict:

Malicious

File Type:

text

First seen:

2026-04-23T08:11:00Z UTC

Last seen:

2026-04-24T14:44:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/81da269aff4745ba4e326dd488e4dc4b1031a47cc12c5af3bf2e6164489480ee/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/dba44eac-0904-4b4b-a1ac-a2540b0af3b2

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/81da269aff4745ba4e326dd488e4dc4b1031a47cc12c5af3bf2e6164489480ee

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/81da269aff4745ba4e326dd488e4dc4b1031a47cc12c5af3bf2e6164489480ee/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/81da269aff4745ba4e326dd488e4dc4b1031a47cc12c5af3bf2e6164489480ee

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-04-23 02:33:43 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qhncngx7i5c3utrsnxkirzg4jmiddjd4yewfv457fzqwiseuqdxa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260423-nrywvsbx6r/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/81da269aff4745ba4e326dd488e4dc4b1031a47cc12c5af3bf2e6164489480ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.