MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c286a87239d30e88dd0292245215d2faf08bbabaf832a3735e89e5f200c08bf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	c286a87239d30e88dd0292245215d2faf08bbabaf832a3735e89e5f200c08bf4
SHA3-384 hash:	cbc9dcc979f2885518e506a41357b7a424182d0b681d12e8f298b154a15d65acf43d324c350d829887faeae0ce286b70
SHA1 hash:	26e94084e529e055d2256066b191c83d91ceaf03
MD5 hash:	e8ec83a74221c73fb6eef96636d2a7b7
humanhash:	west-apart-idaho-magazine
File name:	bins.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	1'461 bytes
First seen:	2025-01-27 01:31:16 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	24:7prhIsyzprhIyzprh/c42zprhDezprhNzprhS5zprhtnzprh2CzprhIqzprhyzp1:7p9Ivzp9Iyzp9U42zp9Dezp9Nzp9S5zw
TLSH	T18A3186EA14545F88C043DE2F736DA8DC62E8C8CF578F9B9A5E7E1C7D5819B08B900B44
Magika	shell
Reporter	abuse_ch
Tags:	gafgyt sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://84.200.154.119/mips	0711cce24bcda4a2dbfb866359946015f888b29244b5bd2d778748b859648e6c	Mirai	elf mirai
http://84.200.154.119/mipsel	1207bc6a84e67e60a13000e705e997197268b294373b3c01db8823bbad5b03fa	Mirai	elf mirai
http://84.200.154.119/sh4	661e26f29039af88703d9f40725217d0f2f1f778c84a1c1138b96843299a9773	Mirai	elf gafgyt mirai
http://84.200.154.119/x86_64	5c99f6dcf28b1fe4e042e943370c2704963b50dd768525db1104bcfa8cca8f69	Mirai	elf mirai
http://84.200.154.119/armv6l	bd6fe8d90efc9aa56a2ac1ab9ca64616ff9cd562a029b1cd206bec49cf9e8463	Mirai	elf mirai
http://84.200.154.119/i686	1455e4a1566be4fd860e4146287ca73a63e76294cd0217ac3585a7756a15fa14	Mirai	elf mirai
http://84.200.154.119/powerpc	n/a	n/a	elf
http://84.200.154.119/i586	n/a	n/a	elf
http://84.200.154.119/m68k	6ca3e2469b7e8b2975531fa379d910b0d04054c111188701a2b0b647b866f390	Mirai	elf mirai
http://84.200.154.119/sparc	n/a	n/a	elf mirai opendir
http://84.200.154.119/i486	b2308cfd32cd60bf9412329015c975ebc9cdff4620c1e36f4dc5db1d6881b733	Mirai	elf mirai
http://84.200.154.119/armv4l	99dc165435a7f392b75f4976d97baafba6a929acdb40a33f81bec28c49eb2ae6	Mirai	elf
http://84.200.154.119/armv5l	b00fd78930a3af87e603cffc98728ec20ae77bbb9b22ed9c7f7830855b9d3a93	Mirai	elf mirai
http://84.200.154.119/armv7l	f808c4a92b0a3951aaf8f053e527401203b2da759aeb04e81912cae243407497	Mirai	elf mirai
http://84.200.154.119/arc	2ab303826e4526b7ed47b5ee7e143d3756a54f17c1902fbb914865f2858e8ec1	Mirai	elf mirai
http://84.200.154.119/powerpc-440fp	n/a	n/a	elf

Intelligence

File Origin

# of uploads :

# of downloads :

119

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6796e2f3752ec6ca68012570linux22vpnfull_triage

Tags:

shellcode agent hype

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

lolbin remote

Link:

https://www.filescan.io/uploads/6796e2132a1b30f50479fd60/reports/7f829c1b-f5e6-48dd-a4ae-1625b8b1d319/overview

Result

Verdict:

MALICIOUS

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/c286a87239d30e88dd0292245215d2faf08bbabaf832a3735e89e5f200c08bf4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c286a87239d30e88dd0292245215d2faf08bbabaf832a3735e89e5f200c08bf4/

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2025-01-27 01:32:04 UTC

File Type:

Text (Shell)

AV detection:

11 of 24 (45.83%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ykdkq4rz2mhirxicsisfefos7lyixov27azkg426rhs7eagarp2a._file

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250127-bxyrtsvlhp/

Behaviour

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/c286a87239d30e88dd0292245215d2faf08bbabaf832a3735e89e5f200c08bf4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh c286a87239d30e88dd0292245215d2faf08bbabaf832a3735e89e5f200c08bf4

(this sample)

elf 43172fb308dee4fed732baacf23c03a2420f7beedbf9c29160de0e844a70646a

URLhaus

https://urlhaus.abuse.ch/url/3411805/

Delivery method

Distributed via web download

Dropping

MD5 eb5f1f22a1af7e26222469c68245de9d

Dropping

SHA256 43172fb308dee4fed732baacf23c03a2420f7beedbf9c29160de0e844a70646a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample