MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b26bc09c2052e8441608c45bd9484db5a3daf124e23b930854dfd34db97e4de1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	b26bc09c2052e8441608c45bd9484db5a3daf124e23b930854dfd34db97e4de1
SHA3-384 hash:	be50e1894466fcc5cac2bc94092126297a8c6583547f5368200426883dd5e5e4c5d0790e1f30c2462815d8cd2c090590
SHA1 hash:	c130bcecd704ddb2d2ae3d0c261f9fe719363e6c
MD5 hash:	1f07be036e79aaebbcfa11537a5698c8
humanhash:	hawaii-uranus-video-low
File name:	sex.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	1'603 bytes
First seen:	2026-01-13 16:32:08 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	12:Gn0FO7ki0FO50FYc43Iu0FNeQgv0FW0Fv60FNCFv0FKv0FAv0FlsfR0Fu5aS0FeF:1i6LYc4ENJDHNGU/Llsfy+aneeS
TLSH	T1AB3184CA22F50A786CE0BD2B71F64C547AD7E1C760C69F1A2DDC38E9808EE147085793
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://64.227.48.87/mips	9ad54a0427d0894e51d9909f829c9f136a469181eecaee3b0baa8026cba14085	Gafgyt	elf gafgyt ua-wget
http://64.227.48.87/mipsel	10d2e9a4252a01e55dbc057378d6f47e2f2d7c9f70717af11e6b17b4a4de997e	Gafgyt	elf gafgyt ua-wget
http://64.227.48.87/sh4	7e475c818cb46ccf89cd902d2951b449bc2f63aff28378f63f32ec15392b9a88	Gafgyt	elf gafgyt ua-wget
http://64.227.48.87/x86	17dea70173364026b0f95b789b9c44638fc647ee0eb10c7699de1e472aca58d7	Gafgyt	elf gafgyt ua-wget
http://64.227.48.87/arm61	b00b699d0d0dee973b1936ab780814507f4d97c1d8d976e6c52a65f27af9dfa7	Gafgyt	elf gafgyt ua-wget
http://64.227.48.87/i686	aed29844e0286c83180f232b04721e3b7ff7e9dab8525b211cf60f9ffc200964	Gafgyt	elf gafgyt ua-wget
http://64.227.48.87/ppc	b735ce21477cfb873b29af093a75eadc769c076cc16b2d8a83c7a0beee53e3b7	Gafgyt	elf gafgyt ua-wget
http://64.227.48.87/586	38eef08452fe412b5ced2064695aaca1cc8510a5d73e9260621c88fee1527f47	Gafgyt	elf gafgyt ua-wget
http://64.227.48.87/m68k	385d1d9f31d5a12c95b6f63fffabdf3dbb7c1b68d1e9e6062938f6225d74e9c2	Gafgyt	elf gafgyt ua-wget
http://64.227.48.87/dc	12605ff21b726567d6698d38f5daf7aeacbb490ad09f1dd59de51a00c30ddd4d	Gafgyt	elf gafgyt ua-wget
http://64.227.48.87/dss	1bfc03486e401b779bdd14d6480fcb281cffe4e3bc718f0c54554eb94656374f	Gafgyt	elf gafgyt ua-wget
http://64.227.48.87/co	55fdd5ebb555ac7d165081fd622a56738d01d6ce8a10af6ad6a29e4ee869ab84	Gafgyt	elf gafgyt ua-wget
http://64.227.48.87/scar	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive medusa mirai

Link:

https://www.filescan.io/uploads/696673b43827c9e1249b8671/reports/52e400fb-38a0-4d2f-8895-970e91b252cc/overview

Result

Gathering data

Verdict:

Unknown

File Type:

Link:

https://opentip.kaspersky.com/b26bc09c2052e8441608c45bd9484db5a3daf124e23b930854dfd34db97e4de1/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/3ba66548-820d-492e-889e-7c2daba8d546

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/b26bc09c2052e8441608c45bd9484db5a3daf124e23b930854dfd34db97e4de1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b26bc09c2052e8441608c45bd9484db5a3daf124e23b930854dfd34db97e4de1/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/b26bc09c2052e8441608c45bd9484db5a3daf124e23b930854dfd34db97e4de1

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-01-13 16:20:05 UTC

File Type:

Text (Shell)

AV detection:

21 of 36 (58.33%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wjv4bhbaklueifqiyrn5sscnwwr5v4je4i5zgccu37ju3ol6jxqq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260113-t17s1scx2e/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/b26bc09c2052e8441608c45bd9484db5a3daf124e23b930854dfd34db97e4de1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh