MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b6e6be673ec666e4b81c77314c456309e492b6a32b54589690d8366dd0b5993. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b6e6be673ec666e4b81c77314c456309e492b6a32b54589690d8366dd0b5993
SHA3-384 hash: 35ea188ca389823b2342ebb4aea10474ec2232a93b9a673473e64e13d8cfb8c6b6364ac3883aa52b76506df4c49156a6
SHA1 hash: eafc58abf7f17e3955c8037e9634ef5387329f86
MD5 hash: 6a3f24b642d0ac8cca26fc7b870f6fee
humanhash: violet-six-texas-nitrogen
File name:armv7l
Download: download sample
Signature Gafgyt
Create hunting rule
File size:223'228 bytes
First seen:2025-07-07 04:55:00 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:5ynoKSrnI5bon8OtHp6aUULkuLJxhLv1EMQzt/GnBtYFbzOxx/FUXokytveQI:5cOtHUikQJxhL2rp/GnBtYZzODvMQ
TLSH T1E6241A85EC82D600F1D73976BD0D01EDF3135BB8D7EB7226ECD41B24268795A6E3A602
telfhash t170d02351df1e15ec66c4c8424374475ff376b1c12301005251e4df947f72455f154907
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence

File Origin
# of uploads :
1
# of downloads :
16
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.31075.LX.BOT.UNOFFICIAL
Create hunting rule

Unix.Trojan.Gafgyt-6981160-0
Create hunting rule

Unix.Dropper.Mirai-7135828-0
Create hunting rule

Unix.Dropper.Mirai-7135872-0
Create hunting rule

Unix.Dropper.Mirai-7135893-0
Create hunting rule

Unix.Dropper.Mirai-7135900-0
Create hunting rule

Unix.Dropper.Mirai-7135951-0
Create hunting rule

Unix.Dropper.Mirai-7136105-0
Create hunting rule

Unix.Trojan.Mirai-7759336-0
Create hunting rule

Unix.Trojan.Mirai-7772538-0
Create hunting rule

Unix.Trojan.Mirai-8041689-0
Create hunting rule

Unix.Trojan.Gafgyt-9876285-0
Create hunting rule

Unix.Trojan.Gafgyt-9876369-0
Create hunting rule

Unix.Trojan.Mirai-9885259-0
Create hunting rule

Unix.Trojan.Mirai-9885284-0
Create hunting rule

Unix.Trojan.Mirai-9924065-0
Create hunting rule

Unix.Trojan.Mirai-9933849-0
Create hunting rule

Unix.Trojan.Gafgyt-9940653-0
Create hunting rule

Unix.Trojan.Mirai-9951089-0
Create hunting rule

Unix.Trojan.Mirai-10004218-0
Create hunting rule

Unix.Trojan.Gafgyt-6735924-0
Create hunting rule

Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686b532fc9eb974737674900linux22vpnfull_triage
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/686b532f9db85bde254e0fde/reports/47414ee5-3291-487d-b7c4-2dc161b04539/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
arm
Packer:
not packed
Botnet:
unknown
Number of open files:
0
Number of processes launched:
0
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/9b6e6be673ec666e4b81c77314c456309e492b6a32b54589690d8366dd0b5993
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/04885b2b-cfb6-4182-bf6b-6c9333aa9e7b
Behavior Graph:
Download SVG
%3 guuid=203bfeba-1a00-0000-3801-00c8060b0000 pid=2822 /usr/bin/sudo guuid=1edc14be-1a00-0000-3801-00c80c0b0000 pid=2828 /tmp/sample.bin guuid=203bfeba-1a00-0000-3801-00c8060b0000 pid=2822->guuid=1edc14be-1a00-0000-3801-00c80c0b0000 pid=2828 execve
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0751a51a-2390-4c26-b6eb-37eaa51eb215
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1729775
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/9b6e6be673ec666e4b81c77314c456309e492b6a32b54589690d8366dd0b5993
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b6e6be673ec666e4b81c77314c456309e492b6a32b54589690d8366dd0b5993/
Threat name:
Linux.Backdoor.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2025-07-07 04:55:12 UTC
File Type:
ELF32 Little (Exe)
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tnxgxztt5rtg4s4by5zrjrcwgcpesk3kgk2ulcljbwbwnxillgjq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/250707-fj6mqsx1ey/
Verdict:
Malicious
Tags:
Unix.Trojan.Gafgyt-6981160-0
YARA:
n/a
Link:
https://app.threat.zone/submission/85cdbe5d-e34e-4d40-a617-0d21ee1d62f0
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9b6e6be673ec666e4b81c77314c456309e492b6a32b54589690d8366dd0b5993

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:enterpriseapps2
Create hunting rule
Author:Tim Brown @timb_machine
Description:Enterprise apps
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh eccadf08fa7e0ffb13115ae57ab3c1b88f4d92d47fa6886af225b0220efadf8d

Gafgyt

elf 9b6e6be673ec666e4b81c77314c456309e492b6a32b54589690d8366dd0b5993

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3569510/
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 eccadf08fa7e0ffb13115ae57ab3c1b88f4d92d47fa6886af225b0220efadf8d
  
Dropped by
MD5 b53ab11e64ab255971872ce47b8f859f
  
Dropped by
SHA256 c26b9355d42f7d1783711e39d7490823470833c8b6953bc9db1d54b9b0683c0c
  
Dropped by
MD5 62e100c22495d37d9968974bf89d2b77
  
Dropped by
SHA256 818f65dbf513517cf5344a5c48f6bb72bc245857246375977db610d0e7e955d2
  
Dropped by
MD5 cbaffcf51d253ae0a62bffe96b9b822a
  
URLhaus
https://urlhaus.abuse.ch/url/3579314/
  
URLhaus
https://urlhaus.abuse.ch/url/3579317/
  
URLhaus
https://urlhaus.abuse.ch/url/3579321/

Comments