MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8649694a0ed35070ac5750375437f8da530c58a894beb886d9cffb5f5a4bb088. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8649694a0ed35070ac5750375437f8da530c58a894beb886d9cffb5f5a4bb088
SHA3-384 hash: 52bac8103f7a3184974a410fce0d84b73bbfa6dc0ecb2957199238c660d03f102b55f4cae78263c031478de73621a3dd
SHA1 hash: 39a342e47085ea8f5959a775990d9cdb3517c782
MD5 hash: c8b5876ac3b262249ba45355b9630627
humanhash: bakerloo-texas-robin-nine
File name:umips
Download: download sample
Signature Gafgyt
Create hunting rule
File size:63'740 bytes
First seen:2025-09-14 11:36:38 UTC
Last seen:2025-09-15 07:10:43 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:SChA9fXInMW6neJC3YPQwc+Te8n9ZMDD1UfepA:SCh/c+Te8boD1Uf
TLSH T18B53B49E2E328FEFF32E83354BB35E719265239A26D1D744D26CE5051E2030E585FB68
telfhash t116016d1c853822f0d7c91d9eabedff75e45181df0a216f338c50e99aab51945ad00c2c
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence

File Origin
# of uploads :
4
# of downloads :
59
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Mirai.9075.6440.5432.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
threat
Link:
https://www.filescan.io/uploads/68c6a8f9dbc6f5a29c444157/reports/bf9cff1d-5537-41be-8238-80c307dc40a6/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
mips
Packer:
not packed
Botnet:
unknown
Number of open files:
0
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/8649694a0ed35070ac5750375437f8da530c58a894beb886d9cffb5f5a4bb088
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.be
First seen:
2025-09-14T08:47:00Z UTC
Last seen:
2025-09-14T08:47:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/8649694a0ed35070ac5750375437f8da530c58a894beb886d9cffb5f5a4bb088/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/90b3dcd8-c21c-4d4f-973e-f99c73cafec1
Behavior Graph:
Download SVG
%3 guuid=b376e9a5-1a00-0000-aef1-c46ce1090000 pid=2529 /usr/bin/sudo guuid=2ad8e5a7-1a00-0000-aef1-c46ce5090000 pid=2533 /tmp/sample.bin guuid=b376e9a5-1a00-0000-aef1-c46ce1090000 pid=2529->guuid=2ad8e5a7-1a00-0000-aef1-c46ce5090000 pid=2533 execve guuid=11f146aa-1a00-0000-aef1-c46ceb090000 pid=2539 /usr/bin/dash guuid=2ad8e5a7-1a00-0000-aef1-c46ce5090000 pid=2533->guuid=11f146aa-1a00-0000-aef1-c46ceb090000 pid=2539 clone
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4b5c928c-e061-4131-9524-76933b0bf5d2
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1777246
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8649694a0ed35070ac5750375437f8da530c58a894beb886d9cffb5f5a4bb088/
Threat name:
Linux.Backdoor.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2025-09-04 04:56:08 UTC
File Type:
ELF32 Big (Exe)
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qzewssqo2nihblcxka3vin7y3jjqywfiss7lrbwzz75v6wslwcea._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250914-nq9lzavwht/
Behaviour
System Network Configuration Discovery
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/27afd2e8-869a-4512-8ae2-fbc09277d908
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8649694a0ed35070ac5750375437f8da530c58a894beb886d9cffb5f5a4bb088

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh d02a342e53cd98fe331a475c772199ca55896d254cf1d39571c2d92721a9705d

Gafgyt

elf 8649694a0ed35070ac5750375437f8da530c58a894beb886d9cffb5f5a4bb088

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3623679/
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 d02a342e53cd98fe331a475c772199ca55896d254cf1d39571c2d92721a9705d
  
Dropped by
MD5 4ed7e2d356ef7d2e1ceb9a84012486c8
  
URLhaus
https://urlhaus.abuse.ch/url/3623700/

Comments