MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a32ed09b0224ed8dc2ef29548f6979a53516d0e0d68eea4d509e9517c1242780. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a32ed09b0224ed8dc2ef29548f6979a53516d0e0d68eea4d509e9517c1242780
SHA3-384 hash: e519954334639503c4bbc98c2539da3bb4eb4ff6e636db35e695aee13ed4f45a459c043a4ad9c3316243a23202cf22a2
SHA1 hash: 7bd07c89003d250df37bdb986b6d0827e1d25986
MD5 hash: 8cb5df2a6052ba026412868cbf1d0bed
humanhash: magnesium-jig-vermont-autumn
File name:kk.x86
Download: download sample
Signature Gafgyt
Create hunting rule
File size:71'064 bytes
First seen:2026-01-21 12:30:54 UTC
Last seen:Never
File type: elf
MIME type:application/x-sharedlib
ssdeep 1536:x54rsuicTROuRYVJ5aXWgkfDKM6G+tTBd+ZNocorts:H7uicThRYVHaXjkrKLYfWG
TLSH T108636C85FBDBD1F1F5830670002BEB6F9B349D154015EEA9EF093B65AC727528A1B22C
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence

File Origin
# of uploads :
1
# of downloads :
24
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
UPX
Botnet:
unknown
Number of open files:
12
Number of processes launched:
5
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/a32ed09b0224ed8dc2ef29548f6979a53516d0e0d68eea4d509e9517c1242780
Behaviour
Persistence
Process Renaming
Information Gathering
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Gathering data
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/466aa1ff-0025-4bdf-bbec-201e9795de64
Behavior Graph:
Download SVG
%3 guuid=e5155ebb-1700-0000-f460-4b30cf0d0000 pid=3535 /usr/bin/sudo guuid=faea7bbd-1700-0000-f460-4b30d80d0000 pid=3544 /tmp/sample.bin write-config guuid=e5155ebb-1700-0000-f460-4b30cf0d0000 pid=3535->guuid=faea7bbd-1700-0000-f460-4b30d80d0000 pid=3544 execve guuid=c909aabd-1700-0000-f460-4b30d90d0000 pid=3545 /usr/bin/dash guuid=faea7bbd-1700-0000-f460-4b30d80d0000 pid=3544->guuid=c909aabd-1700-0000-f460-4b30d90d0000 pid=3545 execve guuid=150b43bf-1700-0000-f460-4b30e30d0000 pid=3555 /usr/bin/.sshd net send-data zombie guuid=faea7bbd-1700-0000-f460-4b30d80d0000 pid=3544->guuid=150b43bf-1700-0000-f460-4b30e30d0000 pid=3555 execve guuid=f5f3d2bd-1700-0000-f460-4b30db0d0000 pid=3547 /usr/bin/cp guuid=c909aabd-1700-0000-f460-4b30d90d0000 pid=3545->guuid=f5f3d2bd-1700-0000-f460-4b30db0d0000 pid=3547 execve guuid=486960be-1700-0000-f460-4b30de0d0000 pid=3550 /usr/bin/chmod guuid=c909aabd-1700-0000-f460-4b30d90d0000 pid=3545->guuid=486960be-1700-0000-f460-4b30de0d0000 pid=3550 execve guuid=1617b0be-1700-0000-f460-4b30e00d0000 pid=3552 /usr/bin/chattr guuid=c909aabd-1700-0000-f460-4b30d90d0000 pid=3545->guuid=1617b0be-1700-0000-f460-4b30e00d0000 pid=3552 execve 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=150b43bf-1700-0000-f460-4b30e30d0000 pid=3555->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con c476d878-a463-52dd-90ed-ab9852c36430 15.204.230.147:5480 guuid=150b43bf-1700-0000-f460-4b30e30d0000 pid=3555->c476d878-a463-52dd-90ed-ab9852c36430 send: 270B
Malware family:
Gafgyt
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1b02f4f5-5af0-4853-9c92-695e0ca5fbbd
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1854833
Signature
Drops files in suspicious directories
Drops invisible ELF files
Protects files from modification
Sample tries to persist itself using System V runlevels
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1854833 Sample: kk.x86.elf Startdate: 21/01/2026 Architecture: LINUX Score: 56 33 169.254.169.254, 80 USDOSUS Reserved 2->33 35 15.204.230.147, 5480 HP-INTERNET-ASUS United States 2->35 37 2 other IPs or domains 2->37 7 kk.x86.elf 2->7         started        11 dash rm 2->11         started        13 dash cat 2->13         started        15 9 other processes 2->15 process3 file4 31 /etc/rc.local, ASCII 7->31 dropped 45 Sample tries to persist itself using System V runlevels 7->45 17 kk.x86.elf sh 7->17         started        19 kk.x86.elf .sshd 7->19         started        signatures5 process6 process7 21 sh cp 17->21         started        25 sh chattr 17->25         started        27 sh chmod 17->27         started        file8 29 /usr/bin/.sshd, ELF 21->29 dropped 39 Drops invisible ELF files 21->39 41 Drops files in suspicious directories 21->41 43 Protects files from modification 25->43 signatures9
Score:
99%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/a32ed09b0224ed8dc2ef29548f6979a53516d0e0d68eea4d509e9517c1242780
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a32ed09b0224ed8dc2ef29548f6979a53516d0e0d68eea4d509e9517c1242780/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=umxnbgycetwy3qxpffki62lzuu2rnuha22houtkqt2krpqjee6aa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery linux persistence
Link:
https://tria.ge/reports/260121-pq3n4adv8c/
Behaviour
Reads runtime system information
Changes its process name
Modifies rc script
Write file to user bin folder
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf a32ed09b0224ed8dc2ef29548f6979a53516d0e0d68eea4d509e9517c1242780

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3761290/
  
Delivery method
Distributed via web download

Comments