MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81ed0d144bb01a39137a9d8c57336ff43f6aa5545c28c8ae0c3b2878aaef71c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 5

SHA256 hash: 81ed0d144bb01a39137a9d8c57336ff43f6aa5545c28c8ae0c3b2878aaef71c3
SHA3-384 hash: 0146196b6a667049c2a56c9707a5bb3f9359e0c0bfc0607459620c47f66f0feb28df1385e20cd00c6eb98a9265276bf1
SHA1 hash: 9e9c901111841a1b0645bfdaa3ee20642c48e820
MD5 hash: 69f00bfdf5808293ec0f27f80624e3f7
humanhash: pasta-may-queen-mockingbird
File name: phi.sh
Signature: Gafgyt
File size: 172 bytes
First seen: 2025-07-09 05:05:34 UTC
Last seen: 2025-07-09 21:58:02 UTC
File type: sh
MIME type: text/plain
ssdeep: 3:L6FHSbdkSOHUGIjmf8aGBzOdFLTUW/DRFbdkSOHUGI47If8U3zOd/IUWAbMD:L6FybeEGIjZqHDRFbeEGIEaQnG
TLSH: T16DC08CD2721878A0C428FB0439228B24D00CFBD0B1AB1BACABD1E612CE240307C00F05
Magika: txt
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://158.51.126.131/mips | n/a | n/a | elf gafgyt mirai ua-wget
http://158.51.126.131/mipsel | 68b7a90ca3d6b4034d4428ee1483178d9a69171090087523ecd8d2314aa60603 | Mirai | elf gafgyt mirai ua-wget

Intelligence


File Origin
# of uploads: 2
# of downloads: 27
Origin country: DE
Vendor Threat Intelligence
Status: terminated
Behavior Graph (process tree recovered from the sandbox graph; edge labels are the syscall or activity recorded):
pid 3323 /usr/bin/sudo
  execve -> pid 3324 /tmp/sample.bin
    execve -> pid 3325 /usr/bin/rm (delete-file)
    execve -> pid 3326 /usr/bin/wget (net, send-data, write-file) -> 158.51.126.131:80, send: 133B
    execve -> pid 3462 /usr/bin/chmod
    clone  -> pid 3464 /usr/bin/dash
    execve -> pid 3470 /usr/bin/wget (net, send-data, write-file) -> 158.51.126.131:80, send: 135B
    execve -> pid 3525 /usr/bin/chmod
    clone  -> pid 3526 /usr/bin/dash
Threat name: Win32.Downloader.Generic
Status: Suspicious
First seen: 2025-07-09 04:30:31 UTC
File Type: Text (Batch)
AV detection: 2 of 38 (5.26%)
Threat level: 3/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | Malware sample (SHA256 hash)
Web download | Gafgyt | sh | 81ed0d144bb01a39137a9d8c57336ff43f6aa5545c28c8ae0c3b2878aaef71c3 (this sample)

Delivery method: Distributed via web download
