MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae85ae418daca215f3e0ccf5b659e958333b0de16f3ab0b9b156ad3e65ce14b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Gafgyt
Vendor detections: 6

SHA256 hash: ae85ae418daca215f3e0ccf5b659e958333b0de16f3ab0b9b156ad3e65ce14b6
SHA3-384 hash: 1466fe3be1d7181bcab4d6f173ead0c703d3e5d0f547355019ec938246941ffca3b57ab0b040eb9c4818879a79ed1ade
SHA1 hash: 2f088cfc200e92b7fbe307c1496121d03c97f410
MD5 hash: f2b4b23e718d2889eeea6ed8c641e0d1
humanhash: gee-lactose-red-louisiana
File name: 2016Nwjm68k
Signature: Gafgyt
File size: 227'303 bytes
First seen: 2026-01-26 12:38:05 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 6144:MTF8GyH3fdwfkizaKEy6nzeQOg4STOqBLIw0E+U00ymcbZ36lfPx4gdpd2KG:MTFe3fdwfkizra190E+bmcbZ36lfPx4l
TLSH: T145243A93B905DEB6F40EA73204D347317272BB6249531A72B3277979AE3A3C43426F85
telfhash: t117917318993d48e9df630c1d586dabe21493b52632b67f18ff25cec0094e429f254d0f
Magika: elf
Reporter: abuse_ch
Tags: elf gafgyt

Intelligence

File Origin
# of uploads: 1
# of downloads: 49
Origin country: DE

Vendor Threat Intelligence

No detections
Verdict: Unknown
Threat level: 0/10
Confidence: 100%
Tags: anti-vm gafgyt gcc mirai

Result
Gathering data
Status: terminated
Behavior Graph: /usr/bin/sudo (pid 2520) --execve--> /tmp/sample.bin (pid 2526)

Result
Threat name:
Detection: malicious
Classification: troj
Score: 68 / 100
Signature:
  Connects to many ports of the same IP (likely port scanning)
  Found malware configuration
  Multi AV Scanner detection for submitted file
  Yara detected Gafgyt
Behaviour
Behavior Graph: Gathering data

Result
Malware family:
Score: 10/10
Tags: family:gafgyt linux
Malware Config
C2 Extraction: 78.142.228.144:65483

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: ELF_Toriilike_persist
Author: 4r4
Description: Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference: Identified via researched data

Rule name: enterpriseapps2
Author: Tim Brown @timb_machine
Description: Enterprise apps

Rule name: enterpriseunix2
Author: Tim Brown @timb_machine
Description: Enterprise UNIX

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: setsockopt
Author: Tim Brown @timb_machine
Description: Hunts for setsockopt() red flags

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Gafgyt
File type: elf
SHA256 hash: ae85ae418daca215f3e0ccf5b659e958333b0de16f3ab0b9b156ad3e65ce14b6 (this sample)