MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caf1ade1fb77a361eb31a9fae463605a77f31dbac29d64b766fb304a8e3e20ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Gafgyt
Vendor detections: 4



SHA256 hash: caf1ade1fb77a361eb31a9fae463605a77f31dbac29d64b766fb304a8e3e20ff
SHA3-384 hash: 28ea104815c2399e29f4c6511e6846ed4d90af9b2bb80d2c376ec25ea482d49b51448fcc51de8a364843de7e1c67af36
SHA1 hash: ef35f57289c8e9f605c4dfdf1d6db80dc7d28f25
MD5 hash: 038b962ec3230b6fdb45cacece8598e4
humanhash: echo-don-pip-mexico
File name: dlink
Signature: Gafgyt
File size: 947 bytes
First seen: 2025-07-09 05:05:36 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 24:sEUSIbK5zOt+MB0hRZ1ak5ovk5GUpGUmk5GOGZkz:sEUXK5CEA0PZQkekmk+kz
TLSH: T1C21134CF65628C20DC709DEA75A24818E48ED5D536CB8E8DE6CD0026E4ADE043071FAD
Magika: txt
Reporter: abuse_ch
Tags: sh

IOCs (4)

URL | Malware sample (SHA256 hash) | Signature | Tags
http://158.51.126.131/nmips | 15c9ec390182a640ee6e36c5ae36f633ea3c76e82a9a0e7b138283c414d15e27 | Gafgyt | elf gafgyt mirai ua-wget
http://158.51.126.131/nmipsel | c14f3c5adc33a437a16c0ad651eb6b0e493c6fbcb2ff5d9fd4624666bd4f9034 | Gafgyt | elf gafgyt mirai ua-wget
http://158.51.126.131/narmv5l | 42aea37337e2b2cc306bf363b15f7f7cf962b87db3b4d4449d7e13e31d8f434e | Gafgyt | elf gafgyt mirai ua-wget
http://158.51.126.131/narmv7l | 89e53d182f78499c985edf7e16c4da4d768b090fe685d92f5b7778ff2748f975 | Gafgyt | elf gafgyt mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 23
Origin country: DE
Vendor Threat Intelligence
Status: terminated
Behavior Graph (process tree recovered from the sandbox graph data; arrows give the spawning call, bracketed pids are the sandbox's):

/usr/bin/sudo (pid 2917)
  execve -> /tmp/sample.bin (pid 2923)
    clone -> /usr/bin/dash (pid 2925)
      execve -> /usr/bin/cat (pid 2926)
      execve -> /usr/bin/grep (pids 2927, 2928, 2929)
      execve -> /usr/bin/cut (pid 2930)
    execve -> /usr/bin/rm, delete-file (pids 2932, 2933, 2934)
    clone -> /usr/bin/dash (pid 2936)
      execve -> /usr/bin/cp, write-file (pid 2937)
    clone -> /usr/bin/dash (pid 2940)
      execve -> /usr/bin/chmod (pid 2941)
    clone -> /usr/bin/dash (pid 2943)
      execve -> /usr/bin/wget, net send-data write-file (pid 2944) -> 158.51.126.131:80, send: 134B
    execve -> /usr/bin/chmod (pid 3081)
    clone -> /usr/bin/dash (pid 3082)
    clone -> /usr/bin/dash (pid 3089)
      execve -> /usr/bin/wget, net send-data write-file (pid 3090) -> 158.51.126.131:80, send: 136B
    execve -> /usr/bin/chmod (pid 3185)
    clone -> /usr/bin/dash (pid 3187)
    clone -> /usr/bin/dash (pid 3191)
      execve -> /usr/bin/wget, net send-data write-file (pid 3192) -> 158.51.126.131:80, send: 136B
    execve -> /usr/bin/chmod (pid 3244)
    clone -> /usr/bin/dash (pid 3245)
    clone -> /usr/bin/dash (pid 3248)
      execve -> /usr/bin/wget, net send-data write-file (pid 3249) -> 158.51.126.131:80, send: 136B
    execve -> /usr/bin/chmod (pid 3328)
    clone -> /usr/bin/dash (pid 3330)
Threat name: Script.Trojan.Multiverze
Status: Malicious
First seen: 2025-07-09 04:30:11 UTC
File Type: Text (Shell)
AV detection: 12 of 38 (31.58%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies registry class
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gafgyt
File type: sh
SHA256 hash: caf1ade1fb77a361eb31a9fae463605a77f31dbac29d64b766fb304a8e3e20ff (this sample)
Distributed via web download
