MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da308f75a92d760aa74210eda1c8cb66f6e282905b502ed1a38a303d5e9766c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da308f75a92d760aa74210eda1c8cb66f6e282905b502ed1a38a303d5e9766c8
SHA3-384 hash: b7f38efd3d0439421bba61b4a03334174d31ab01c22396c9a884fba80f3f1414fdd02d6115236886c403540903365374
SHA1 hash: 0789fe086e7d5fea31283bcc55df8d39eb8ed2d1
MD5 hash: 6295386be2f7705aa9e0e341942512c5
humanhash: uranus-tennis-west-fifteen
File name:da308f75a92d760aa74210eda1c8cb66f6e282905b502ed1a38a303d5e9766c8.sh
Download: download sample
Signature Gafgyt
Create hunting rule
File size:285 bytes
First seen:2025-11-24 09:59:06 UTC
Last seen:2025-11-25 02:14:39 UTC
File type: sh
MIME type:text/x-shellscript
ssdeep 6:h7YpQ3YkDiMvgdhmVYZG2YryMvWmVYhYLcM95b:ipQoGiMvTmUOMv5muAM9h
TLSH T1DED086AC06373804400C3869B5F74355B054D289687B4764848814FDC0CCE0C70AEE4D
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://185.241.208.197/xd/bipseld81305aa62c634523e9e7244fa27113954cfb1fa0c729c5a4c44441248d8ba6c Gafgytelf gafgyt geofenced ua-wget USA
http://185.241.208.197/xd/bips6a1f3f2805f56b4e7fcf6e8c15542754442b33af9451ff300d446a24b5289e4b Gafgytelf gafgyt geofenced ua-wget USA
http://185.241.208.197/xd/bips64f2bc8307e42e84cd5566f2ed701b55dfc8288e78b8f929e21d03feeabc738b87 Miraielf geofenced mirai ua-wget USA

Intelligence

File Origin
# of uploads :
2
# of downloads :
31
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Linux.Downloader-35.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive mirai
Link:
https://www.filescan.io/uploads/69242c7cf6a4ba1793ae43e9/reports/645a71c4-969f-4a9b-9e83-2f797de26a80/overview
Result
Gathering data
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-11-06T04:53:00Z UTC
Last seen:
2025-11-23T19:01:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/da308f75a92d760aa74210eda1c8cb66f6e282905b502ed1a38a303d5e9766c8/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/345f1ed2-514d-40b6-a327-099895cbf937
Behavior Graph:
Download SVG
%3 guuid=0651df46-1800-0000-1b1e-be05ac0a0000 pid=2732 /usr/bin/sudo guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742 /tmp/sample.bin guuid=0651df46-1800-0000-1b1e-be05ac0a0000 pid=2732->guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742 execve guuid=3afc0c4a-1800-0000-1b1e-be05b70a0000 pid=2743 /usr/bin/rm guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742->guuid=3afc0c4a-1800-0000-1b1e-be05b70a0000 pid=2743 execve guuid=2d9c494a-1800-0000-1b1e-be05b90a0000 pid=2745 /usr/bin/wget net send-data write-file guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742->guuid=2d9c494a-1800-0000-1b1e-be05b90a0000 pid=2745 execve guuid=bf3aed53-1800-0000-1b1e-be05c90a0000 pid=2761 /usr/bin/chmod guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742->guuid=bf3aed53-1800-0000-1b1e-be05c90a0000 pid=2761 execve guuid=0fc23154-1800-0000-1b1e-be05cb0a0000 pid=2763 /usr/bin/dash guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742->guuid=0fc23154-1800-0000-1b1e-be05cb0a0000 pid=2763 clone guuid=d2e9e354-1800-0000-1b1e-be05ce0a0000 pid=2766 /usr/bin/rm guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742->guuid=d2e9e354-1800-0000-1b1e-be05ce0a0000 pid=2766 execve guuid=40922c55-1800-0000-1b1e-be05d00a0000 pid=2768 /usr/bin/wget net send-data write-file guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742->guuid=40922c55-1800-0000-1b1e-be05d00a0000 pid=2768 execve guuid=3dbf855e-1800-0000-1b1e-be05de0a0000 pid=2782 /usr/bin/chmod guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742->guuid=3dbf855e-1800-0000-1b1e-be05de0a0000 pid=2782 execve guuid=f5b1c25e-1800-0000-1b1e-be05df0a0000 pid=2783 /usr/bin/dash guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742->guuid=f5b1c25e-1800-0000-1b1e-be05df0a0000 pid=2783 clone guuid=a2024c5f-1800-0000-1b1e-be05e30a0000 pid=2787 /usr/bin/rm guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742->guuid=a2024c5f-1800-0000-1b1e-be05e30a0000 pid=2787 execve guuid=74b58a5f-1800-0000-1b1e-be05e50a0000 pid=2789 /usr/bin/wget net send-data write-file guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742->guuid=74b58a5f-1800-0000-1b1e-be05e50a0000 pid=2789 execve guuid=c92e5e69-1800-0000-1b1e-be05f80a0000 pid=2808 /usr/bin/chmod guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742->guuid=c92e5e69-1800-0000-1b1e-be05f80a0000 pid=2808 execve guuid=4246b369-1800-0000-1b1e-be05f90a0000 pid=2809 /usr/bin/dash guuid=bcf4d749-1800-0000-1b1e-be05b60a0000 pid=2742->guuid=4246b369-1800-0000-1b1e-be05f90a0000 pid=2809 clone 02048cca-1ced-53a9-959e-f15a3ad8f7eb 185.241.208.197:80 guuid=2d9c494a-1800-0000-1b1e-be05b90a0000 pid=2745->02048cca-1ced-53a9-959e-f15a3ad8f7eb send: 139B guuid=40922c55-1800-0000-1b1e-be05d00a0000 pid=2768->02048cca-1ced-53a9-959e-f15a3ad8f7eb send: 137B guuid=74b58a5f-1800-0000-1b1e-be05e50a0000 pid=2789->02048cca-1ced-53a9-959e-f15a3ad8f7eb send: 139B
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/da308f75a92d760aa74210eda1c8cb66f6e282905b502ed1a38a303d5e9766c8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da308f75a92d760aa74210eda1c8cb66f6e282905b502ed1a38a303d5e9766c8/
Threat name:
Document-HTML.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-11-05 06:19:14 UTC
File Type:
Text (Shell)
AV detection:
6 of 24 (25.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3iyi65njfv3avj2ccdw2dsglm33ofauqlnic5undriyd2xuxm3ea._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery linux
Link:
https://tria.ge/reports/251124-lz9xzsxjer/
Behaviour
System Network Configuration Discovery
Writes file to tmp directory
File and Directory Permissions Modification
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.31
Link:
https://yomi.yoroi.company/submissions/da308f75a92d760aa74210eda1c8cb66f6e282905b502ed1a38a303d5e9766c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh da308f75a92d760aa74210eda1c8cb66f6e282905b502ed1a38a303d5e9766c8

(this sample)

Gafgyt

elf d81305aa62c634523e9e7244fa27113954cfb1fa0c729c5a4c44441248d8ba6c

  
URLhaus
https://urlhaus.abuse.ch/url/3715328/
  
Delivery method
Distributed via web download
  
Dropping
MD5 92d4c4dbaffc9a01704726259acb6de5
  
Dropping
SHA256 d81305aa62c634523e9e7244fa27113954cfb1fa0c729c5a4c44441248d8ba6c

Comments