MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93192aadd5468cb6d84bed4221a032921c369daad6a30a9c5711d3d320968c0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 6



SHA256 hash: 93192aadd5468cb6d84bed4221a032921c369daad6a30a9c5711d3d320968c0a
SHA3-384 hash: 7b4c0a620e910eac6c7f9758b3031cccb975768901743eb50af2124db03f9f96de378b512f59689d1f5a8fad75de5777
SHA1 hash: 359653ceb5a32a4bc323fc0a1fd3a5202106904d
MD5 hash: 884f2b819fef30197ec5ae25117c8a46
humanhash: one-butter-zebra-lamp
File name: bins.sh
Signature: Gafgyt
File size: 1'934 bytes
First seen: 2025-08-18 02:04:43 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 24:7N47v0is5vNIFlI25yVJuBJA9qlIKWFQa:Cv0iQW90cJA8eVQa
TLSH: T10641A0D712A20D766DF0D923B2794C0572D5E4EA50C66F88A4EE35F550CDC18B450BF3
Magika: shell
Reporter: abuse_ch
Tags: sh

Intelligence


File Origin
# of uploads: 1
# of downloads: 33
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive
Status: terminated
Verdict: Malicious
Threat: HEUR:Trojan-Downloader.Shell.Agent
Threat name: Linux.Trojan.Geninst
Status: Malicious
First seen: 2025-08-18 02:05:36 UTC
File Type: Text (Shell)
AV detection: 15 of 24 (62.50%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gafgyt
Sample: sh 93192aadd5468cb6d84bed4221a032921c369daad6a30a9c5711d3d320968c0a (this sample)

Delivery method: Distributed via web download

Comments