MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89aa345b6e71b8bd83a2b72e952a8d932cf892861a45a64c3b45caee8ca3fa28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 5

SHA256 hash: 89aa345b6e71b8bd83a2b72e952a8d932cf892861a45a64c3b45caee8ca3fa28
SHA3-384 hash: 171a9e694a7f7e857177896e5163f24ce185c0ce312a3e3ce88e9f75e22a2c3aa91930bb2197d763ff3ad7cf9b179fdd
SHA1 hash: f22d3f9150ee0c1eae203d0f53a44a5a4f6d7331
MD5 hash: 1a9822e52f5243a5b11cce0b7df39fa5
humanhash: green-bluebird-lake-oregon
File name: jaws.sh
Download: download sample
Signature: Gafgyt
File size: 1'852 bytes
First seen: 2025-06-14 14:50:26 UTC
Last seen: 2025-06-14 18:04:20 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:vGlQMtnZKQqeNI7OksEQsodaws6RaRAgLXLIjxp7+Kx:vkQOtqnOJAod26RaRAuXLkp7+O
TLSH: T17F3155CA326609752DE5ED2B75EF89143490E28A60C96F5A5CDD38F8A4CDE083461687
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://104.167.221.114/mips | fd2f0b1c70e97c3c67ab54ba87a2125fb30e25a6d6050cae36a5f7f14726189c | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/mipsel | d8253b55940a3d9f0a47c58ea5e1a37c1149217c7615d4a00bafc21d31035a19 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/sh4 | f43693a946b59f1d132fc620b8fc3683433c87cb046207cb18aad68b4ea091d6 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/x86_64 | d24eb20bdf28154c538be3ad296756f743753886e21a86f84e41482b7a4a45f3 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/arm6 | e89afd876b71345828df07ef82a4e6684a26cd9d8dfe5d0ee139e367de3b7330 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/i686 | 476e3c2d0c589ce2372f3d1bbb59bd8f3d800847b545e360eb85a290d675e254 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/powerpc | 880ddb6fcd0ef13b964069147f6b97b8bbd61cbe92feaf20aa25473179c50612 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/x86 | 857170c9591cce002273043a6f991f58683ef3bc2be7afcca54be1dc0097b57b | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/m68k | 26b8ee688812ddc7257e35c1c071a3b7d9f9487d9638be829b9998ac0894d05d | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/spc | 3be913565735d606fc2d64b098763b52ed9a6ba9ca93d89f723409b0348557eb | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/arm | 5f83df06a5fd17487df62de3f9b939088dcb1d08d06ac762df888264ec9da0e8 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/arm5 | 235733c3b02759f01d846d0333b94b3dbf2fee43d843e46f4ce062c30421b606 | Gafgyt | elf gafgyt ua-wget
http://104.167.221.114/ppc4fp | n/a | n/a | elf ua-wget
http://104.167.221.114/arm7 | 8d8e03d31f4169577641596c31ab5ab0990ef39aa5ffea486330b230632a737a | Gafgyt | elf gafgyt ua-wget

Intelligence


File Origin
# of uploads: 2
# of downloads: 35
Origin country: DE

Vendor Threat Intelligence
Status: terminated
Behavior Graph: (rendered graph not recoverable; the nodes and edges it listed are summarised below)
  /usr/bin/sudo (pid 2366) --execve--> /tmp/sample.bin (pid 2372)
  /tmp/sample.bin (pid 2372) repeatedly execve's /usr/bin/wget (net, send-data, write-file), /usr/bin/chmod and /usr/bin/rm (delete-file), and clones /usr/bin/bash
  each /usr/bin/wget process sends 133-137 B to 104.167.221.114:80
  /tmp/sample.bin (pid 2372) execve's the dropped payloads /tmp/x86_64 (pid 2716, net), /tmp/i686 (pid 2817, net) and /tmp/x86 (pid 2979, net)
  each dropped payload connects to 8.8.8.8:53 and clones a child, which clones a second child (net, send-data, zombie) that sends 20 B to 207.167.64.24:5058
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-06-13 20:29:17 UTC
File Type: Text (Shell)
AV detection: 22 of 38 (57.89%)
Threat level: 3/5

Result
Malware family: n/a
Score: 9/10
Tags: credential_access defense_evasion discovery linux
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Creates a large amount of network flows
Enumerates running processes
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Contacts a large (4860) amount of remote hosts
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

Rule name: UNK_install_script
Author: evilcel3ri
Description: Detects a suspicious behaviour in a bash installation script

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download -> Gafgyt, sh, 89aa345b6e71b8bd83a2b72e952a8d932cf892861a45a64c3b45caee8ca3fa28 (this sample)

Delivery method: Distributed via web download

Comments