MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d69a36b3105cb4cc441076812efdc9e1ccd683305f372aa818cd2e94e92dea0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d69a36b3105cb4cc441076812efdc9e1ccd683305f372aa818cd2e94e92dea0e
SHA3-384 hash: ff112a29d06ebf3b0a9dbc560c692e46e03f01155215313d3008351c3dd6dd13135b79f265973ea72552ddad663050a6
SHA1 hash: 73d1270bffae6a2b7c46ade37c9339f845ff7864
MD5 hash: ef55b6a463b2e6c08d35443e971762a7
humanhash: yellow-hamper-fifteen-freddie
File name:x86_64
Download: download sample
File size:29'728 bytes
First seen:2025-08-18 20:29:32 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 384:a0oUVlrA1Tc5ARUsFr2Gk2rad0zZtypXOUt+CUIWuyBQvd+ayoXbUbRNLpgR5AtO:a0VVpAF/R5HsoMOIvUIWuzL6XtgR+
TLSH T128D21887BE82C0FDC88DC27987B3A576C923797C12B5E18D27D4E9239A69F311D6C901
telfhash t17801c8b9311519e070cbf4a07359c1258d762d7e109072d79671b5f5ef02fc06e10c2e
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf

Intelligence

File Origin
# of uploads :
1
# of downloads :
26
Origin country :
DE DE
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Opens a port
Sends data to a server
Receives data from a server
Connection attempt
DNS request
Runs as daemon
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/68a38d38419c816a6e8af125/reports/f02beb56-f14e-47ba-abb5-9f6310c10781/overview
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/50d54289-71c3-457b-a352-2d7cf6e0cb9a
Behavior Graph:
Download SVG
%3 guuid=8113015c-1900-0000-a304-d57f62100000 pid=4194 /usr/bin/sudo guuid=ca39b15d-1900-0000-a304-d57f6b100000 pid=4203 /tmp/sample.bin guuid=8113015c-1900-0000-a304-d57f62100000 pid=4194->guuid=ca39b15d-1900-0000-a304-d57f6b100000 pid=4203 execve guuid=cc07c95d-1900-0000-a304-d57f6c100000 pid=4204 /tmp/sample.bin dns net send-data zombie guuid=ca39b15d-1900-0000-a304-d57f6b100000 pid=4203->guuid=cc07c95d-1900-0000-a304-d57f6c100000 pid=4204 clone 8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 guuid=cc07c95d-1900-0000-a304-d57f6c100000 pid=4204->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 send: 43B 8b3ce6b8-19f1-5a83-a820-38f69625dcd1 10.0.2.15:36194 guuid=cc07c95d-1900-0000-a304-d57f6c100000 pid=4204->8b3ce6b8-19f1-5a83-a820-38f69625dcd1 con 735e22e6-6bb2-5e06-aafa-8cd20c2bec95 conn.magicpacketlease.org:23120 guuid=cc07c95d-1900-0000-a304-d57f6c100000 pid=4204->735e22e6-6bb2-5e06-aafa-8cd20c2bec95 send: 17B guuid=2a17e75d-1900-0000-a304-d57f6d100000 pid=4205 /tmp/sample.bin guuid=cc07c95d-1900-0000-a304-d57f6c100000 pid=4204->guuid=2a17e75d-1900-0000-a304-d57f6d100000 pid=4205 clone guuid=80ecfc87-1a00-0000-a304-d57f8c130000 pid=5004 /tmp/sample.bin dns net send-data guuid=cc07c95d-1900-0000-a304-d57f6c100000 pid=4204->guuid=80ecfc87-1a00-0000-a304-d57f8c130000 pid=5004 clone guuid=80ecfc87-1a00-0000-a304-d57f8c130000 pid=5004->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 send: 43B guuid=80ecfc87-1a00-0000-a304-d57f8c130000 pid=5004->735e22e6-6bb2-5e06-aafa-8cd20c2bec95 send: 3B
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7693297c-1253-4d13-afa3-ff7f8acf1333
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1759667
Signature
Malicious sample detected (through community Yara rule)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1759667 Sample: x86_64.elf Startdate: 18/08/2025 Architecture: LINUX Score: 48 22 169.254.169.254, 80 USDOSUS Reserved 2->22 24 conn.magicpacketlease.org 45.125.66.90, 23120, 56584, 56586 TELE-ASTeleAsiaLimitedHK Hong Kong 2->24 26 4 other IPs or domains 2->26 28 Malicious sample detected (through community Yara rule) 2->28 8 x86_64.elf 2->8         started        10 dash rm 2->10         started        12 dash rm 2->12         started        14 python3.8 dpkg 2->14         started        signatures3 process4 process5 16 x86_64.elf 8->16         started        process6 18 x86_64.elf 16->18         started        20 x86_64.elf 16->20         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/d69a36b3105cb4cc441076812efdc9e1ccd683305f372aa818cd2e94e92dea0e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d69a36b3105cb4cc441076812efdc9e1ccd683305f372aa818cd2e94e92dea0e/
Threat name:
Linux.PUA.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2025-08-18 20:31:02 UTC
File Type:
ELF64 Little (Exe)
AV detection:
16 of 37 (43.24%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=22ndnmyqls2myraqo2as57oj4hgnnazql43svkayzuxjj2jn5iha._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/250818-y9w54acp4v/
Verdict:
Unknown
Tags:
trojan gafgyt
YARA:
Linux_Trojan_Gafgyt_9e9530a7 Linux_Trojan_Gafgyt_807911a2 Linux_Trojan_Gafgyt_d4227dbf Linux_Trojan_Gafgyt_620087b9 Linux_Trojan_Gafgyt_33b4111a
Link:
https://app.threat.zone/submission/0876cbda-c4e6-4762-bbfb-3a28bcacaaa5
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/d69a36b3105cb4cc441076812efdc9e1ccd683305f372aa818cd2e94e92dea0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Trojan_Gafgyt_33b4111a
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_620087b9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_807911a2
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_9e9530a7
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d4227dbf
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

elf d69a36b3105cb4cc441076812efdc9e1ccd683305f372aa818cd2e94e92dea0e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3605222/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments