MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d506a765821d3836dcedf7d5fe972cefbc5c6bd7a0fb1ccb4320a4b341fb35b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6

SHA256 hash: 9d506a765821d3836dcedf7d5fe972cefbc5c6bd7a0fb1ccb4320a4b341fb35b
SHA3-384 hash: de8032ce42dca173dd9bfe82b203433ea9f4a0a80dab616208619df36aaf3463db8e6747cdf53ccedaeebf54c0bcfdd3
SHA1 hash: 471456a1770c0ce926d21b25e03b1ee9913767a1
MD5 hash: 25ec421ebd75d419b4615261f8c04e19
humanhash: wisconsin-asparagus-fourteen-alpha
File name: wget.sh
Signature: Gafgyt
File size: 591 bytes
First seen: 2025-08-28 07:33:12 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:JRWKamcytOG6cT0EAG6cTVzREAG6cfoI3BEAG6cfXyEAG6cflEAG6cfEBEAvWE:W7m8G6TE960E96u3E96uXyE96ulE96uW
TLSH: T189F081CD4542FCB89875CCD3B9529D2688CECAD835B50F18EEC005A66C5AA2C3350FCA
Magika: shell
Reporter: abuse_ch
Tags: sh
IOCs (URLs referenced by this sample)

URL                         | Malware sample (SHA256 hash)                                     | Signature | Tags
http://185.121.13.159/tmips | f846869bce0273829deb7c4f736dd45e536a757ac52b21245e6caa6700a7af36 | Gafgyt    | elf gafgyt ua-wget
http://185.121.13.159/tmpsl | n/a                                                              | n/a       | elf ua-wget
http://185.121.13.159/tarm  | n/a                                                              | n/a       | elf ua-wget
http://185.121.13.159/tarm5 | n/a                                                              | n/a       | elf ua-wget
http://185.121.13.159/tarm6 | n/a                                                              | n/a       | elf ua-wget
http://185.121.13.159/tarm7 | n/a                                                              | n/a       | elf ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 32
Origin country: DE

Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: evasive mirai

Verdict: Malicious
File Type: text
First seen: 2025-07-20T02:18:00Z UTC
Last seen: 2025-07-20T02:18:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph (sandbox process tree, reconstructed from the graph data; sandbox-internal node ids omitted):

pid 2967 /usr/bin/sudo
  -> execve pid 2974 /tmp/sample.bin
       -> execve pid 2975 /usr/bin/wget (net, send-data, write-file) -> 185.121.13.159:80, send: 134B
       -> execve pid 2994 /usr/bin/chmod
       -> clone  pid 2995 /usr/bin/dash
       -> execve pid 2998 /usr/bin/wget (net, send-data) -> 185.121.13.159:80, send: 134B
       -> execve pid 3007 /usr/bin/chmod
       -> execve pid 3009 /home/sandbox/.a
       -> execve pid 3013 /usr/bin/wget (net, send-data) -> 185.121.13.159:80, send: 133B
       -> execve pid 3022 /usr/bin/chmod
       -> execve pid 3024 /home/sandbox/.a
       -> execve pid 3028 /usr/bin/wget (net, send-data) -> 185.121.13.159:80, send: 134B
       -> execve pid 3036 /usr/bin/chmod
       -> execve pid 3050 /home/sandbox/.a
       -> execve pid 3056 /usr/bin/wget (net, send-data) -> 185.121.13.159:80, send: 134B
       -> execve pid 3069 /usr/bin/chmod
       -> execve pid 3070 /home/sandbox/.a
       -> execve pid 3074 /usr/bin/wget (net, send-data) -> 185.121.13.159:80, send: 134B
       -> execve pid 3084 /usr/bin/chmod
       -> execve pid 3085 /home/sandbox/.a
       -> execve pid 3089 /usr/bin/rm
Threat name: Script-Shell.Trojan.Heuristic
Status: Malicious
First seen: 2025-07-21 01:18:00 UTC
File Type: Text (Shell)
AV detection: 6 of 36 (16.67%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery     | Signature | File type | Malware sample (SHA256 hash)
Web download | Gafgyt    | sh        | 9d506a765821d3836dcedf7d5fe972cefbc5c6bd7a0fb1ccb4320a4b341fb35b (this sample)

Delivery method: Distributed via web download

Comments