MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d344f563bc9061b24b4549ec3e87ec9b0acd3b647526cdc56d014361617a5dcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 10



SHA256 hash: d344f563bc9061b24b4549ec3e87ec9b0acd3b647526cdc56d014361617a5dcb
SHA3-384 hash: d425be30f9814d3ee439a2f301bca25b6a4686d292651676cc9347a2978a4faa0f09cb60ef13ab4d9e9289af386d7220
SHA1 hash: 06fea9dc8486de7a06077c9dae2994f4ae3bebc5
MD5 hash: 98785007ac7188ff163e83257ef40fd6
humanhash: zebra-ink-seventeen-seventeen
File name: 98785007ac7188ff163e83257ef40fd6
Signature: Gafgyt
File size: 120'492 bytes
First seen: 2023-12-24 07:43:20 UTC
Last seen: 2023-12-28 13:50:06 UTC
File type: elf
MIME type: application/x-executable
ssdeep: 3072:7+HiYXy9wfMa00Cf84AMugn4shMYBwbZnN:7+HjRnCU4AMug4YMIwRN
TLSH: T19BC33A55FD829A12C2C613B7FA6E018C372513F8E3EE71039E229F24778A45B0E77A51
telfhash: t1d3f05903da884d59fad80068909d07169accb15a7f5d349bfa697f1f14b01d2703d81f
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
      49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter: zbetcheckin
Tags: 32 arm elf gafgyt mirai

Intelligence


File Origin
# of uploads: 2
# of downloads: 114
Origin country: FR
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28880.LC.UNOFFICIAL
Sanesecurity.Malware.29325.LC.Pl.UNOFFICIAL
SecuriteInfo.com.Linux.Mirai-81.UNOFFICIAL
Sanesecurity.Malware.28886.LC.UNOFFICIAL
Sanesecurity.Malware.29524.LC.UNOFFICIAL
Sanesecurity.Malware.28878.LC.UNOFFICIAL
Sanesecurity.Malware.28877.LC.UNOFFICIAL
Unix.Trojan.Mirai-7100807-0
Unix.Dropper.Mirai-7135868-0
Unix.Dropper.Mirai-7135891-0
Unix.Dropper.Mirai-7135892-0
Unix.Dropper.Mirai-7136013-0
Unix.Dropper.Mirai-7136034-0
Unix.Dropper.Mirai-7136057-0
Unix.Dropper.Mirai-7540663-0
Unix.Trojan.Mirai-8025795-0
Unix.Trojan.Mirai-9441505-0
Unix.Trojan.Mirai-9858729-0
Unix.Trojan.Mirai-9945193-0
Unix.Trojan.Mirai-9946826-0
Unix.Dropper.Mirai-9977145-0
Unix.Dropper.Mirai-10008433-0
Unix.Trojan.Mirai-10011027-0
Unix.Trojan.Mirai-10011918-0
Unix.Packed.Botnet-6566031-0
Unix.Dropper.Botnet-6566040-0
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug botnet lolbin mirai mirai obfuscated remote
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: arm
Packer: not packed
Botnet: unknown
Number of open files: 41
Number of processes launched: 2065
Processes remaining?: true
Remote TCP ports scanned: 2323,23,37215,8080,80,52869,7574,81,49152,5555,8443
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Result
Verdict: MALICIOUS
Result
Threat name: Mirai, Moobot
Detection: malicious
Classification: troj
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Yara detected Mirai
Yara detected Moobot
Behaviour
Behavior Graph (ID 1366632; sample lpZunDkkVn.elf, start date 24/12/2023, architecture LINUX, score 100): the sample process spawns further copies of itself plus an sh child that runs rm, mkdir, mv and chmod, followed by 1163 other processes; network contacts to 151.12.73.3 port 52869 (ASN-WINDTREIUNETEU, Italy), 41.70.64.167 (globe-asMW, Malawi) and 99 other IPs or domains; graph signatures: Malicious sample detected (through community Yara rule), Antivirus / Scanner detection for submitted sample, Multi AV Scanner detection for submitted file, 4 other signatures.
Threat name: Linux.Trojan.Mirai
Status: Malicious
First seen: 2023-12-24 03:24:21 UTC
File Type: ELF32 Little (Exe)
AV detection: 20 of 37 (54.05%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:mirai botnet:mirai
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256
Web download    | Gafgyt    | elf       | d344f563bc9061b24b4549ec3e87ec9b0acd3b647526cdc56d014361617a5dcb (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-12-24 07:43:21 UTC

url: hxxp://37.44.238.75/mont/.nekoisdaddy.arm5