MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 915dccaa387bdf81c0f3d87d150b7f626208ddbaf09316f06cf16574bbfd5f94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	915dccaa387bdf81c0f3d87d150b7f626208ddbaf09316f06cf16574bbfd5f94
SHA3-384 hash:	74f64530442c52b36f2036996a4cd113de8f4c706e15d664f542220ecc5692e90fa74d6fc22c254ad197e86201c33742
SHA1 hash:	9ff81ef4321029bbc7b47c25375545c4f9bc8b26
MD5 hash:	a32c76d7ac1b134d807acb9d1146a833
humanhash:	quiet-muppet-mexico-alabama
File name:	mpsl
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	31'008 bytes
First seen:	2025-01-03 06:51:15 UTC
Last seen:	2025-01-04 03:45:16 UTC
File type:	elf
MIME type:	application/x-executable
ssdeep	384:zdtLtTRbznBxop8JI5fSTvKIZdVF+EZk/sughXiHcx8VX+oCe:zdtLFTxoUmfSWY2shXiHcx8VX+o
TLSH	T16DD2FA06AFE21EBBDC5FCD3340E90B9625CCD61971657BA63430D81CB68F45B4AD38A8
TrID	50.1% (.) ELF Executable and Linkable format (Linux) (4022/12) 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika	elf
Reporter	abuse_ch
Tags:	elf gafgyt

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Mirai.4188.21177.21102.UNOFFICIAL

Verdict:

Clean

Score:

82.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6777891874a2bd296e253fa8linux22vpnfull_triage

Tags:

malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Connection attempt

Sends data to a server

Opens a port

Creating a file

Receives data from a server

Runs as daemon

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug

Link:

https://www.filescan.io/uploads/6777891d5059fd4996bb9ff7/reports/543f25d2-d015-49b2-a3fc-f75120389eed/overview

Verdict:

Malicious

Uses P2P?:

false

Uses anti-vm?:

false

Architecture:

mips

Packer:

not packed

Botnet:

unknown

Number of open files:

Number of processes launched:

Processes remaning?

false

Remote TCP ports scanned:

not identified

Full report:

https://elfdigest.com/brief/915dccaa387bdf81c0f3d87d150b7f626208ddbaf09316f06cf16574bbfd5f94

Behaviour

no suspicious findings

Botnet C2s

TCP botnet C2(s):

not identified

UDP botnet C2(s):

not identified

Result

Verdict:

UNKNOWN

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b9c2c2c3-87c0-4609-9c2e-7c81bff35617

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1583609

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

ELF

Link:

https://malprob.io/report/915dccaa387bdf81c0f3d87d150b7f626208ddbaf09316f06cf16574bbfd5f94

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/915dccaa387bdf81c0f3d87d150b7f626208ddbaf09316f06cf16574bbfd5f94/

Threat name:

Linux.Backdoor.Gafgyt

Status:

Malicious

First seen:

2025-01-03 06:52:07 UTC

File Type:

ELF32 Little (Exe)

AV detection:

9 of 23 (39.13%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sfo4zkrypppydqht3b6rkc37mjrarxn26cjrn4dm6fsxjo75l6ka._file

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/250103-hm25tstjfx/

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9356f20e-4a36-4834-83b1-e313b7c305dd

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

BASHLITE

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/915dccaa387bdf81c0f3d87d150b7f626208ddbaf09316f06cf16574bbfd5f94

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf 915dccaa387bdf81c0f3d87d150b7f626208ddbaf09316f06cf16574bbfd5f94

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3386989/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample