MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2f7d5d2d5f5ce212bdb068c90f66f00622bd760e07677bb8013f3b2d86cc0e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 6



SHA256 hash: a2f7d5d2d5f5ce212bdb068c90f66f00622bd760e07677bb8013f3b2d86cc0e2
SHA3-384 hash: 701dd0eda0e88ddc310fc34c914ea173634c22c9aed522c15ff7fad036a372ff51ad109023e8a5f3229efd34d02f3b19
SHA1 hash: c6fc1ab22af5dfb68fd014bf49e513b41b160c0e
MD5 hash: e53bc1bf84d3a5856957b1b5a2e441c6
humanhash: nitrogen-kitten-one-fillet
File name: leet.sh
Signature: Gafgyt
File size: 1'696 bytes
First seen: 2025-05-20 15:49:59 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:vCqCCaCLJCIV4CzksCUNIDxksCECCUyCxSsCLbeRQLCUyC79CQf:vtC9C1JV4mJOxJpC9yGjgbeRQL9y09ff
TLSH: T104314EC6E0912535AD61DA2B31B9C9C4B0C0E0DA95DB9F54A8FC35E5858DE4CB460B93
Magika: shell
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://92.112.125.62/leet.mips | 4bc642fa023a12150b0a164b8a08da5e7cae6d67f7b5d098de416ca57534627c | Gafgyt | elf gafgyt ua-wget
http://92.112.125.62/leet.mpsl | dc71bc6ee8b4e460e8fbfffdec2ade71d5c22ce4fdb5f75ac50bff92cbb7a767 | Gafgyt | elf gafgyt ua-wget
http://92.112.125.62/leet.sh4 | 1ffc47b8710026133531343425f2ec5f66dc4a97e0f37b093956e5673a0ba6bf | Gafgyt | elf gafgyt ua-wget
http://92.112.125.62/leet.x86 | 82080c59426b1a012ec99824f6978062ee382a217417131a86de576e7761ef33 | Gafgyt | elf gafgyt ua-wget
http://92.112.125.62/leet.arm6 | 2f3deb5573e9d0c142c052c4eac3a596ebce091c403e55b5ecbda9e44929efbb | Gafgyt | elf gafgyt ua-wget
http://92.112.125.62/leet.x32 | 10316c5cdb1549f14234eca59ff661bcfb3c01780c1852c88a50389f5ebd2358 | Gafgyt | elf gafgyt ua-wget
http://92.112.125.62/leet.ppc | c931c44335aadd7ef5f4017cf13ffa57d35f1138ee6b8488edc05427e87f0b40 | Gafgyt | elf gafgyt ua-wget
http://92.112.125.62/leet.i586 | 185f5bb64eba9b5e30ad5fefdbd15c02c5d4f3699d4e8dc865da455b08326968 | Gafgyt | elf gafgyt ua-wget
http://92.112.125.62/leet.m68k | 09e27e7061339a32c686e88c4221a9af2de32c8af971c6e451d17c7f241ed3e6 | Gafgyt | elf gafgyt ua-wget
http://92.112.125.62/leet.arm4 | 163527ebc630080c10ca4be4a67c8cb47ca1f8da9378de7b7567f32e90a58fa9 | Gafgyt | elf gafgyt ua-wget
http://92.112.125.62/leet.arm5 | n/a | n/a | elf ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 86
Origin country: DE
Vendor Threat Intelligence
Verdict: Malicious
Score: 94.9%
Tags: trojandownloader trojware agent
Threat name: Linux.Downloader.Morila

Status: Malicious
First seen: 2025-05-20 15:50:51 UTC
File Type: Text (Shell)
AV detection: 25 of 38 (65.79%)
Threat level: 3/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery linux
Behaviour:
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
File and Directory Permissions Modification
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

Rule name: Linux_Shellscript_Downloader
Author: albertzsigovits
Description: Generic approach to shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Web download | Gafgyt | sh | a2f7d5d2d5f5ce212bdb068c90f66f00622bd760e07677bb8013f3b2d86cc0e2 (this sample)

Delivery method: Distributed via web download

Comments