MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3ec243d4382a4b7a800e407fb89e70b0c264b22afb39b4fb3aec521e91dc9f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	b3ec243d4382a4b7a800e407fb89e70b0c264b22afb39b4fb3aec521e91dc9f4
SHA3-384 hash:	6a0a4036c0aab65a6a74c8c5db8cbec8060486fab31cacd92fbbdcff8e48577502de3e7bc33bc49cda5154c4c0e82977
SHA1 hash:	85a9347411f6c141e4af224300a3ccac58fdd40f
MD5 hash:	76f8b034b45f84f6558fd4c0d7d06279
humanhash:	mountain-stream-minnesota-december
File name:	SnOoPy.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	2'124 bytes
First seen:	2026-01-09 23:12:45 UTC
Last seen:	2026-01-10 02:50:29 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:vwjAhwO0dSxwSw4Fogw+w+TwKwUjwZ8wdswUjwewV:vCAhNRbhVNTp5M86s5tG
TLSH	T1DC41E986E1A25DF0AC96D91772F9488070D5B0CDA5C69F4E6CDFFBE8088DDD87604682
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	gafgyt sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://151.243.109.235/m-i.p-s.SNOOPY	5725e2834c67c37707df02512d9be03c8ca01b9db073234b0a36baf0e807fc6e	Gafgyt	elf gafgyt ua-wget
http://151.243.109.235/m-p.s-l.SNOOPY	7bdde542763404d1a7e8228ac625c2cf9bdd4ef96940f8b4c3f10f98a47908f4	Gafgyt	elf gafgyt ua-wget
http://151.243.109.235/s-h.4-.SNOOPY	8768450e3ec18834f983b26aad59899b25ce19a18dd258ac23d43699a94596a3	Gafgyt	elf gafgyt ua-wget
http://151.243.109.235/x-8.6-.SNOOPY	8e52535da23d28c3db736359830307656fdcb668c9e3ccd6c14b019d667b8e00	Gafgyt	elf gafgyt ua-wget
http://151.243.109.235/a-r.m-6.SNOOPY	3042a23c06544f97fd8d199c56f5dc3818ebebf27424c9049df4ae61ea66531b	Gafgyt	elf gafgyt ua-wget
http://151.243.109.235/x-3.2-.SNOOPY	771276cbdf301ddcda2581ed25262101805f8ea5a3707020cd60d70df050eaf1	Gafgyt	elf gafgyt ua-wget
http://151.243.109.235/a-r.m-7.SNOOPY	98757d069242021b515de00caccc1d96ec48f89cf30761e91544fea483be7cba	Gafgyt	elf gafgyt ua-wget
http://151.243.109.235/p-p.c-.SNOOPY	9f6c6d94ed6d6596d3bee1702ea65c4af7651a46d5a831e9387961f0cd6fcac1	Gafgyt	elf gafgyt ua-wget
http://151.243.109.235/i-5.8-6.SNOOPY	31ab92bcb710dfdb9f4ead8e0d17b458a37d42393e58b4ae85c8bf5ea50815c3	Gafgyt	elf gafgyt ua-wget
http://151.243.109.235/m-6.8-k.SNOOPY	n/a	n/a	elf ua-wget
http://151.243.109.235/a-r.m-4.SNOOPY	9f6c6d94ed6d6596d3bee1702ea65c4af7651a46d5a831e9387961f0cd6fcac1	Gafgyt	elf gafgyt ua-wget
http://151.243.109.235/a-r.m-5.SNOOPY	62ea96a95fc9b66fe58005d728492ef22b9240b5e7f5b5f361ae5fad4017e317	Gafgyt	elf gafgyt ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/69618ba507ef5fa68e835a25/reports/3a748842-983d-43ba-b0d8-f5bb9d57eb16/overview

Verdict:

Malicious

File Type:

unix shell

First seen:

2026-01-09T20:19:00Z UTC

Last seen:

2026-01-11T14:38:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/b3ec243d4382a4b7a800e407fb89e70b0c264b22afb39b4fb3aec521e91dc9f4/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/e4590daa-98cb-45ff-a361-f7e62aa0cd54

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/b3ec243d4382a4b7a800e407fb89e70b0c264b22afb39b4fb3aec521e91dc9f4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b3ec243d4382a4b7a800e407fb89e70b0c264b22afb39b4fb3aec521e91dc9f4/

Verdict:

Malicious

Threat:

Family.GAFGYT

Link:

https://tip.neiki.dev/file/b3ec243d4382a4b7a800e407fb89e70b0c264b22afb39b4fb3aec521e91dc9f4

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-01-09 23:13:36 UTC

File Type:

Text (Shell)

AV detection:

17 of 24 (70.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wpwcipkdqkslpkaa4qd7xcphbmgcmszcv6zzwt5tv3csd2i5zh2a._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260109-27pvsaev7g/

Behaviour

Writes file to tmp directory

Reads system network configuration

Reads system routing table

File and Directory Permissions Modification

Executes dropped EXE

Detected Gafgyt variant

Gafgyt family

Gafgyt/Bashlite

Malware Config

C2 Extraction:

151.243.109.235:838

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.42

Link:

https://yomi.yoroi.company/submissions/b3ec243d4382a4b7a800e407fb89e70b0c264b22afb39b4fb3aec521e91dc9f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.