MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a22c52f0d1142da1eca1c715efdfdbac7a40d7764ce80517a83fc18f3f1778ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6

SHA256 hash: a22c52f0d1142da1eca1c715efdfdbac7a40d7764ce80517a83fc18f3f1778ee
SHA3-384 hash: 213fec80441e5a0e51874bd90892dd023b7d60dde8288e526c48093c585a0467850fbf4334ab95c481d82ec5dce2fbe4
SHA1 hash: 80fd6935b9c256623e9fb0ded884364881a9fc21
MD5 hash: bf2d72e82bcbf52e17b4d55758cf8dbc
humanhash: ink-table-crazy-island
File name: bins.sh
Signature: Gafgyt
File size: 1'031 bytes
First seen: 2025-12-13 07:56:31 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 12:Gn0FnLGUMEe2i0FnLGo2qWYy0FnLR/nsdjIgv0FnLKKNITqLFho0FnLKVwFT+0Fu:1b9FTrGKNIT4hJGVwFT7GC7UN
TLSH: T1D5115B8B90B046715C62B913336A7604BCB190A7B88B5FFFA8E9FAD640CDE74741D543
Magika: txt
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://193.35.154.205/ionetworks.mips | a4cb5422b2a7e49ad24ab4a80a1938fd0989e18d29541389ff6e4d37e40fb296 | Gafgyt | elf gafgyt geofenced mips mirai ua-wget USA
http://193.35.154.205/ionetworks.mpsl | fbeffc678b3931304d95983bc5d9d817d132a0c5d3e2e23f4a27e501afa663e4 | Gafgyt | elf gafgyt geofenced mips mirai ua-wget USA
http://193.35.154.205/ionetworks.x86 | 0f622b258be87d3f91224168c366b1c5de90af6fdcf941e2d8b72d0ad40cd4a4 | Gafgyt | elf gafgyt geofenced mirai ua-wget USA x86
http://193.35.154.205/ionetworks.arm6 | 13f166bc0c57ed6f23acf5613c8366e0d4cfab1ca97b2689a841d48b9f237a14 | Gafgyt | arm elf gafgyt geofenced mirai ua-wget USA
http://193.35.154.205/ionetworks.arm4 | bd71a74141ac31ea87ac42c7e6837177422576b35e4c5b940ee5f2725b2a9ba7 | Gafgyt | arm elf gafgyt geofenced mirai ua-wget USA
http://193.35.154.205/ionetworks.arm5 | d2670dd44eb6690c5f51e500da348566473f84665992d899c816fb66834a9081 | Gafgyt | arm elf gafgyt geofenced mirai ua-wget USA

Intelligence


File Origin
# of uploads: 1
# of downloads: 52
Origin country: DE

Vendor Threat Intelligence

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive medusa mirai

Verdict: Malicious
File Type: text
First seen: 2025-12-13T06:14:00Z UTC
Last seen: 2025-12-14T07:37:00Z UTC
Hits: ~10
Threat name: Linux.Downloader.Medusa

Status: Malicious
First seen: 2025-12-13 07:51:12 UTC
File Type: Text (Shell)
AV detection: 21 of 38 (55.26%)
Threat level: 3/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via web download

Web download
Gafgyt
sh a22c52f0d1142da1eca1c715efdfdbac7a40d7764ce80517a83fc18f3f1778ee (this sample)
