MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a62f1bb030f259ff74bf624e76f60e422431699d9c04bf8732c1b0f3812f7692. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6

SHA256 hash: a62f1bb030f259ff74bf624e76f60e422431699d9c04bf8732c1b0f3812f7692
SHA3-384 hash: 84edd6ce905a86c87528d3682a491415ff8e9d777178c75568679dd257e7ba0a2ee3a300a82db81c1114a610e8b77e56
SHA1 hash: c2c33a5e536abc82fa6b8142ab1e9ca05cf8fb11
MD5 hash: 4859a8e429f2b8cd469a417df695fc41
humanhash: fish-comet-failed-wyoming
File name: ISIS.sh
Signature: Gafgyt
File size: 1'981 bytes
First seen: 2025-11-23 08:06:51 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vqth4t/uaLaMalsH4HdHp4H/3/c9oJQfEoja17afQ9WlkX7A/FiVszbsWlkX7ed9:vqth4t/uaLaMalsHedpe//c9oJQfEojt
TLSH: T1B8416187259208B03C5294B7736AAD1430D5B24E64C6BF5F7BEC3DE5088DEB579247C2
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://95.181.173.3/m-i.p-s.ISIS | 2559906f912d9fef2aabf41401fbc6b1b648a8753f556900fda92cd7d73ca10f | Gafgyt | elf gafgyt ua-wget
http://95.181.173.3/m-p.s-l.ISIS | d9f313457c0161e3459563e146d60a7d8c88180d19ac6b16240bb4e49e31bc67 | Gafgyt | elf gafgyt ua-wget
http://95.181.173.3/s-h.4-.ISIS | bc14bb7a29ba5e46e530190a862d9ca0b28bad5cf2504ba8730f7f7db3e50a9a | Gafgyt | elf gafgyt ua-wget
http://95.181.173.3/x-8.6-.ISIS | bef894e294ef5c1f544b33898e30eea390db88bfd752bb30c651ab0c52bef1a7 | Gafgyt | elf gafgyt ua-wget
http://95.181.173.3/a-r.m-6.ISIS | 8e39c2895169007b7981a39c82d1cbfc4e2543b1c8a7210f402fced5dcc0efc0 | Gafgyt | elf gafgyt ua-wget
http://95.181.173.3/x-3.2-.ISIS | ba77a604534d032f1735260b66476812fa7e60eb2d4301cbd1e971d05cf5a791 | Gafgyt | elf gafgyt ua-wget
http://95.181.173.3/a-r.m-7.ISIS | 74abe84700da9863bdfd848fed77687bdd57f8ecadc014a0ed8b01ed010beaeb | Gafgyt | elf gafgyt ua-wget
http://95.181.173.3/p-p.c-.ISIS | 80eb0fc811819924f8d63b47e3013a3eda53708ec2d665dcbbb1904db16d1a2f | Gafgyt | elf gafgyt ua-wget
http://95.181.173.3/i-5.8-6.ISIS | afbcb4d7bb14477ae44f45451d913eb3378c7c99f820bb5c0eea36871fffb7d4 | Gafgyt | elf gafgyt ua-wget
http://95.181.173.3/m-6.8-k.ISIS | 2d0468eaec68d6c17264c34cd15097ad1f94e7b05b53ba0211ea71ada46767c7 | Gafgyt | elf gafgyt ua-wget
http://95.181.173.3/a-r.m-4.ISIS | 074ca5637549f4b3c9f3dacd13d5c2957abfca6abcce51420129e4396402dd01 | Gafgyt | elf gafgyt ua-wget
http://95.181.173.3/a-r.m-5.ISIS | 3532d395896f767950d5986c405d5b7ff9631c9870085d4faa160c9cedae4a4d | Gafgyt | elf gafgyt ua-wget

Intelligence

File Origin
# of uploads: 1
# of downloads: 36
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
File Type: unix shell
First seen: 2025-11-23T05:22:00Z UTC
Last seen: 2025-11-24T05:37:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph: (rendered process graph omitted; nodes recovered from the extracted graph data)
  /usr/bin/sudo (pid 3275) -> execve /tmp/sample.bin (pid 3282)
  /tmp/sample.bin repeatedly spawns: /usr/bin/wget (net, send-data, write-file), /usr/bin/chmod, /usr/bin/bash (clone), /usr/bin/rm (delete-file)
  Dropped files executed from /tmp: x-8.6-.ISIS, x-3.2-.ISIS, p-p.c-.ISIS (each clones twice; the grandchild is flagged net/zombie)
  Network: wget -> 95.181.173.3:80 (138-139 B sent per request); the dropped payloads -> 8.8.8.8:53 and 95.181.173.3:839
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-11-23 07:09:00 UTC
File Type: Text (Shell)
AV detection: 17 of 24 (70.83%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:gafgyt botnet defense_evasion discovery linux
Behaviour
Writes file to tmp directory
Reads system network configuration
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Malware Config
C2 Extraction:
95.181.173.3:839
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Gafgyt | sh | a62f1bb030f259ff74bf624e76f60e422431699d9c04bf8732c1b0f3812f7692 (this sample)

Delivery method: Distributed via web download

Comments