MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad5aec8723a8ab586cc8442cb7ee4794feb633b15a96d0b1d8ae924aa3a94986. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad5aec8723a8ab586cc8442cb7ee4794feb633b15a96d0b1d8ae924aa3a94986
SHA3-384 hash: 0ce4b499e4a0f44f22b3d6fd41eb50aa997b687e3f399631fbdd1d3ba8ba90e44e5fdefd5627793b7378c5bed8ec4539
SHA1 hash: c8dff84e50d1c00be26dc2bfab7c13341e51ead7
MD5 hash: 68dcf39cfbd689d99c471c140300f110
humanhash: two-fish-island-johnny
File name:3yahbbprg4
Download: download sample
Signature Gafgyt
Create hunting rule
File size:246'860 bytes
First seen:2026-04-04 19:14:15 UTC
Last seen:2026-04-05 13:18:34 UTC
File type: elf
MIME type:application/x-sharedlib
ssdeep 6144:0wM1mczgZ4GmRg87dvqqjpyuUjsoo8cFrPBESWGQAxyJUatxrNCxW:0wM1mcWgRg8Iqjpujsoo8qPBJAXPtxrr
TLSH T19B341242FBC191B1E46703B40907DBEFCA34FA240150E5A6F395BA54B8F76C361AD7A8
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence

File Origin
# of uploads :
4
# of downloads :
78
Origin country :
DE DE
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Changes access rights for a written file
Sets a written file as executable
Changes the time when the file was created, accessed, or modified
Runs as daemon
Creating a file
Deleting a recently created file
Creating a process from a recently created file
Launching a process
Creates or modifies files in /cron to set up autorun
Writes files to system directory
Substitutes an application name
Deletes a system binary file
Gathering data
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
true
Architecture:
x86
Packer:
UPX
Botnet:
unknown
Number of open files:
46
Number of processes launched:
5
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/ad5aec8723a8ab586cc8442cb7ee4794feb633b15a96d0b1d8ae924aa3a94986
Behaviour
Anti-VM
Persistence
Process Renaming
Information Gathering
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.le
First seen:
2026-04-04T16:27:00Z UTC
Last seen:
2026-04-06T14:52:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/ad5aec8723a8ab586cc8442cb7ee4794feb633b15a96d0b1d8ae924aa3a94986/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/24758bf2-fdac-4607-a099-52eb9263845f
Behavior Graph:
Download SVG
%3 guuid=488dfcb9-1800-0000-10bd-49f08a050000 pid=1418 /usr/bin/sudo guuid=32f881bc-1800-0000-10bd-49f08c050000 pid=1420 memfd:gvfozrsd net write-file guuid=488dfcb9-1800-0000-10bd-49f08a050000 pid=1418->guuid=32f881bc-1800-0000-10bd-49f08c050000 pid=1420 execve cc0ac6be-7bea-5e42-bee5-f132cb1dd4d5 192.0.2.1:80 guuid=32f881bc-1800-0000-10bd-49f08c050000 pid=1420->cc0ac6be-7bea-5e42-bee5-f132cb1dd4d5 con guuid=50fbcbf8-1800-0000-10bd-49f028060000 pid=1576 memfd:gvfozrsd guuid=32f881bc-1800-0000-10bd-49f08c050000 pid=1420->guuid=50fbcbf8-1800-0000-10bd-49f028060000 pid=1576 clone guuid=c790d4f8-1800-0000-10bd-49f029060000 pid=1577 memfd:gvfozrsd delete-file net send-data write-config write-file zombie guuid=50fbcbf8-1800-0000-10bd-49f028060000 pid=1576->guuid=c790d4f8-1800-0000-10bd-49f029060000 pid=1577 clone 5c4dc244-93f3-5dcb-b797-2d80f54a56d0 179.43.182.70:443 guuid=c790d4f8-1800-0000-10bd-49f029060000 pid=1577->5c4dc244-93f3-5dcb-b797-2d80f54a56d0 send: 290B 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=c790d4f8-1800-0000-10bd-49f029060000 pid=1577->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 send: 34B guuid=c790d4f8-1800-0000-10bd-49f029060000 pid=1583 memfd:gvfozrsd guuid=c790d4f8-1800-0000-10bd-49f029060000 pid=1577->guuid=c790d4f8-1800-0000-10bd-49f029060000 pid=1583 clone guuid=c790d4f8-1800-0000-10bd-49f029060000 pid=1584 memfd:gvfozrsd delete-file zombie guuid=c790d4f8-1800-0000-10bd-49f029060000 pid=1577->guuid=c790d4f8-1800-0000-10bd-49f029060000 pid=1584 clone
Malware family:
Gafgyt
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6bd3a6b9-2bf8-4705-97c0-b2e050aa93e0
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1893493
Signature
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Sample tries to persist itself using cron
Uses dynamic DNS services
Writes identical ELF files to multiple locations
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1893493 Sample: 3yahbbprg4.elf Startdate: 04/04/2026 Architecture: LINUX Score: 60 41 igmc.duckdns.org 2->41 43 igmc.duckdns.org 179.43.182.70, 443, 60492 PLI-ASCH Panama 2->43 45 192.0.2.1, 80 unknown Reserved 2->45 47 Writes identical ELF files to multiple locations 2->47 49 Drops files in suspicious directories 2->49 10 10 2->10         started        signatures3 51 Uses dynamic DNS services 41->51 process4 file5 39 /memfd:xrm86bjv (deleted), ELF 10->39 dropped 57 Writes identical ELF files to multiple locations 10->57 14 10->14         started        signatures6 process7 process8 16 14->16         started        file9 29 /usr/sbin/VGAuthService, ELF 16->29 dropped 31 /usr/libexec/VGAuthService, ELF 16->31 dropped 33 /usr/lib/dropbear-agent, ELF 16->33 dropped 35 2 other malicious files 16->35 dropped 19 sh 16->19         started        21 sh 16->21         started        process10 process11 23 sh crontab 19->23         started        27 sh crontab 21->27         started        file12 37 /var/spool/cron/crontabs/tmp.tXv2Vo, ASCII 23->37 dropped 53 Sample tries to persist itself using cron 23->53 55 Executes the "crontab" command typically for achieving persistence 23->55 signatures13
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/ad5aec8723a8ab586cc8442cb7ee4794feb633b15a96d0b1d8ae924aa3a94986
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad5aec8723a8ab586cc8442cb7ee4794feb633b15a96d0b1d8ae924aa3a94986/
Threat name:
Linux.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-04-04 19:15:46 UTC
File Type:
ELF32 Little (SO)
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vvnozbzdvcvvq3giiqwlp3shst7lmm5rlklnbmoyv2jevi5jjgda._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
antivm credential_access discovery execution linux persistence privilege_escalation
Link:
https://tria.ge/reports/260404-xxtc1abx3p/
Behaviour
Reads runtime system information
Writes file to tmp directory
Changes its process name
Reads process memory
Checks SCSI settings
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Enumerates running processes
Modifies systemd
Write file to user bin folder
Writes file to system bin folder
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.23
Link:
https://yomi.yoroi.company/submissions/ad5aec8723a8ab586cc8442cb7ee4794feb633b15a96d0b1d8ae924aa3a94986

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf ad5aec8723a8ab586cc8442cb7ee4794feb633b15a96d0b1d8ae924aa3a94986

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3811226/
  
Delivery method
Distributed via web download

Comments