MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2aa076b43bb3369b6af3e884896679009dd91222f4c29f28426fdedc46d2bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	b2aa076b43bb3369b6af3e884896679009dd91222f4c29f28426fdedc46d2bde
SHA3-384 hash:	dbddc4bb17457865328a7d4332dded3c8638545652f3c93e88285dfc6ff8b53c58771e24c4d87898595d9bb2433dd9cc
SHA1 hash:	2f1194a220b677fbeb66ad6fed606e795abc5fd0
MD5 hash:	c2ab26263fa70e28e6d63b4fe4519a93
humanhash:	summer-massachusetts-three-video
File name:	corona-ddos-bot.bin
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	65'620 bytes
First seen:	2020-03-19 18:53:34 UTC
Last seen:	Never
File type:	elf
MIME type:	application/x-executable
ssdeep	768:R63MWVThFpkFLNciGBeUsEnv7jLMj/Y/7/mSyfr4CXH8scI3fkpakIsTMhaS5CCs:s8dNRGEEnTcUC93XH8sMpaki0kC8jor
TLSH	FD5329276682C97FC5D786B427DBC534A563B8391B332246B3E8BCB92F159C82E5D301
telfhash	181100a01672991d5db395304cfd45bc1a2ef63b27d0be60ef09c484a937019a32bd0f
Reporter	Libranalysis
Tags:	bashlite bot corona ddos gafgyt qbot

Libranalysis

A detailed analysis of this Corona DDoS bot can be found here: https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/

Intelligence

File Origin

# of uploads :

# of downloads :

509

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Unix.Dropper.Mirai-7138848-0

Unix.Dropper.Mirai-7139229-0

Unix.Trojan.Mirai-7640640-0

Gathering data

Threat name:

Linux.Trojan.Gafgyt

Status:

Malicious

First seen:

2019-09-26 22:03:23 UTC

File Type:

ELF64 Little (Exe)

AV detection:

14 of 29 (48.28%)

Threat level:

5/5

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legal

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b2aa076b43bb3369b6af3e884896679009dd91222f4c29f28426fdedc46d2bde

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf b2aa076b43bb3369b6af3e884896679009dd91222f4c29f28426fdedc46d2bde

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/169351/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample