MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92c7eaa5dfc642b157d74b869fca719dd72e8f0191b1d9ba2704b625688ce908. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 5



SHA256 hash: 92c7eaa5dfc642b157d74b869fca719dd72e8f0191b1d9ba2704b625688ce908
SHA3-384 hash: f696aee96fa15a7669da4a4db8dfece05e6d1838d8e97a7377b00348027eed7551f3651ae42d803cfa90df4272fc155f
SHA1 hash: ce869957daeefde7cc49d0265a7fcc70720b0992
MD5 hash: 468cd149bd6b0067fd6c14a39a4632d6
humanhash: virginia-white-don-quebec
File name: dvr.sh
Signature: Gafgyt
File size: 1'824 bytes
First seen: 2025-06-11 21:17:55 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vpdpzp9piqpfJJpFpAipTpCQpzp7p22Lpcqp2B:vDR73lrZxZRJ7LCqgB
TLSH: T1653141CA21A216726CA6ED2771AB88047090E1CB64CE6F556DDC7CF988CEF047450797
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 72
Origin country: DE

Vendor Threat Intelligence
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-06-11 21:18:27 UTC
File Type: Text (Shell)
AV detection: 16 of 24 (66.67%)
Threat level: 3/5

Result
Malware family: n/a
Score: 9/10
Tags: credential_access defense_evasion discovery linux

Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Creates a large amount of network flows
Enumerates running processes
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Contacts a large (4935) amount of remote hosts
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

Rule name: UNK_install_script
Author: evilcel3ri
Description: Detects a suspicious behaviour in a bash installation script

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Gafgyt
sh 92c7eaa5dfc642b157d74b869fca719dd72e8f0191b1d9ba2704b625688ce908 (this sample)

Delivery method: Distributed via web download
