MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7ce30048cff8cd281aae097b739ac1ec446aaa0eb48a746a6f03420e4b28076. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7ce30048cff8cd281aae097b739ac1ec446aaa0eb48a746a6f03420e4b28076
SHA3-384 hash: 072288f3b571eb837e337720835a56a82dcea71a89c8afab8057dbc9396f4dd1aff4467beb063e2ea4bf2e964ef02deb
SHA1 hash: c70c5e36c4777f8ba249ac2d27607e61b50fb49f
MD5 hash: 90bbcab4a058c792954a141e5c33d1a2
humanhash: bacon-hydrogen-skylark-twelve
File name:SecuriteInfo.com.Linux.Siggen.9999.24436.24857
Download: download sample
Signature Gafgyt
Create hunting rule
File size:42'632 bytes
First seen:2025-08-01 07:18:22 UTC
Last seen:2025-08-01 08:18:46 UTC
File type: elf
MIME type:application/x-executable
ssdeep 768:Ie21gTuERImfIzbNVZ4/cpNIlME0yyqpyNRWdynAzXCkF75Is+YoerY3UGkD:GgCfZLpxqoAJ7D+p+kE
TLSH T10E13F110F2A25A81D35C4C33D56D8488BEF65EF0D89B73B2238C2BA4B599F8474755C3
telfhash t13990025007b7b0507108040785502920416c10687e1211e5292110c44470734c4f494f
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter SecuriteInfoCom
Tags:elf gafgyt

Intelligence

File Origin
# of uploads :
2
# of downloads :
28
Origin country :
FR FR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/688c6a7e73b8ef6f4af9214b/reports/d90dbb58-ee1c-4f65-957f-42bbfa74de82/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
true
Architecture:
arm
Packer:
custom
Botnet:
unknown
Number of open files:
4
Number of processes launched:
4
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/c7ce30048cff8cd281aae097b739ac1ec446aaa0eb48a746a6f03420e4b28076
Behaviour
Anti-VM
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/e92c62fe-973d-4482-b0ce-10536e7f92f8
Behavior Graph:
Download SVG
%3 guuid=7c85b5c2-1900-0000-379e-eda9ae0b0000 pid=2990 /usr/bin/sudo guuid=25f194c4-1900-0000-379e-eda9b30b0000 pid=2995 /tmp/sample.bin guuid=7c85b5c2-1900-0000-379e-eda9ae0b0000 pid=2990->guuid=25f194c4-1900-0000-379e-eda9b30b0000 pid=2995 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8f210401-d361-4464-8f85-7d9f5a839c3d
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/c7ce30048cff8cd281aae097b739ac1ec446aaa0eb48a746a6f03420e4b28076
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7ce30048cff8cd281aae097b739ac1ec446aaa0eb48a746a6f03420e4b28076/
Verdict:
Malicious
Threat:
HEUR:Backdoor.Linux.Mirai
Link:
https://tip.neiki.dev/file/c7ce30048cff8cd281aae097b739ac1ec446aaa0eb48a746a6f03420e4b28076
Threat name:
Linux.Trojan.Svirtu
Create hunting rule
Status:
Malicious
First seen:
2025-08-01 07:19:36 UTC
File Type:
ELF32 Little (Exe)
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y7hdabem76gnfank4cl3oonmd3cenkva5nekorvg6a2cbzfsqb3a._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
antivm defense_evasion discovery
Link:
https://tria.ge/reports/250801-h5np6aej71/
Behaviour
Reads runtime system information
Changes its process name
Checks CPU configuration
Reads system network configuration
Enumerates active TCP sockets
Modifies Watchdog functionality
Renames itself
Contacts a large (26997) amount of remote hosts
Creates a large amount of network flows
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/23b34834-d755-4903-bc50-06e036ceb878
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/c7ce30048cff8cd281aae097b739ac1ec446aaa0eb48a746a6f03420e4b28076

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upx_antiunpack_elf32
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:UPX Anti-Unpacking technique to magic renamed for ELF32

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh 29350d24dbde1be23c2e381ff8f8f8299f452f235d353b851b1502fc53a85108

Gafgyt

elf c7ce30048cff8cd281aae097b739ac1ec446aaa0eb48a746a6f03420e4b28076

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3594093/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3593892/
  
Dropped by
SHA256 29350d24dbde1be23c2e381ff8f8f8299f452f235d353b851b1502fc53a85108
  
Dropped by
MD5 05e849ffe78ac4cfa1259614999f6b08
  
Dropped by
SHA256 80d84841b160479f8011a4e751fed8f948d29190532c6789fe612f90853d85d2
  
Dropped by
MD5 eddc326890820e8884d07bb51208f716
  
Dropped by
SHA256 c2d13dd11c8069f7d39e10fcc32ebb622079225b42e7ad984ec708d198ad5b5f
  
Dropped by
MD5 17d7636b04c7b8af36b40283c3766f17
  
URLhaus
https://urlhaus.abuse.ch/url/3594255/
  
URLhaus
https://urlhaus.abuse.ch/url/3594258/
  
URLhaus
https://urlhaus.abuse.ch/url/3594262/
  
Dropped by
SHA256 9457720562854e637ea18b7b8043a0638a7cfa6f57d9e0f8eb36fbb6838fa9c5
  
Dropped by
MD5 29e1c251bfbcbab5fba48eed41c5c3ab
  
URLhaus
https://urlhaus.abuse.ch/url/3594257/

Comments