MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de2027289623210a2aeb746f8de4c6a92b080add00434ee0af27989990b5ddea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de2027289623210a2aeb746f8de4c6a92b080add00434ee0af27989990b5ddea
SHA3-384 hash: 0ea36d1bab636c560ee79e679d4a4698eac3cbb701cd100744c5ac6eec32f9d0aad8143eaffc37a9034b5390ce6be4da
SHA1 hash: ca149c35e615ed13491d6ddf9409c801067f9713
MD5 hash: af9a2fd2ed72581ad22e0d6f8b7ac081
humanhash: kansas-tennis-bluebird-nine
File name:i.arm5
Download: download sample
Signature Gafgyt
Create hunting rule
File size:138'870 bytes
First seen:2025-12-25 08:04:06 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:4Bupxw7bIfTzhmjaF8E1NaFoOtZjqQGxHolZOP5hEg29gDQHHe8LmyhQaS+pg7J:4S6E1NaFoOHJOP5hEg2re8LmyhQaSGgl
TLSH T13BD30905D4508B23C2D2677AFF9E474F37225BA89B9B332256296EB02FC179D2E3D510
telfhash t1be213003a5b98a192fb79d64ac7c06f11261a623b3417eb0ef1ec1848d37002b839c9b
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence

File Origin
# of uploads :
1
# of downloads :
53
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.29325.LC.Pl.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Linux.Mirai-81.UNOFFICIAL
Create hunting rule

Unix.Dropper.Mirai-7139229-0
Create hunting rule

Unix.Dropper.Mirai-7489238-0
Create hunting rule

Unix.Trojan.Mirai-9864781-0
Create hunting rule

Verdict:
Malicious
File Type:
elf.32.le
First seen:
2025-12-25T05:25:00Z UTC
Last seen:
2025-12-25T12:48:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/de2027289623210a2aeb746f8de4c6a92b080add00434ee0af27989990b5ddea/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/cdba2c41-c672-4056-ab80-3a22d9bd99a8
Behavior Graph:
Download SVG
%3 guuid=ca82adfe-1700-0000-2eee-7c6c810b0000 pid=2945 /usr/bin/sudo guuid=f1555200-1800-0000-2eee-7c6c880b0000 pid=2952 /tmp/sample.bin guuid=ca82adfe-1700-0000-2eee-7c6c810b0000 pid=2945->guuid=f1555200-1800-0000-2eee-7c6c880b0000 pid=2952 execve
Malware family:
Gafgyt
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1cd03c76-4eba-4242-ad32-56e7bee2ba7d
Result
Threat name:
Mirai, Gafgyt, Xmrig
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1839257
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Mirai
Detected Stratum mining protocol
Found malware configuration
Found strings related to Crypto-Mining
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Stdout / stderr contain strings indicative of a mining client
Suricata IDS alerts for network traffic
Tries to load the MSR kernel module used for reading/writing to CPUs model specific register
Writes identical ELF files to multiple locations
Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)
Yara detected Gafgyt
Yara detected Mirai
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1839257 Sample: i.arm5.elf Startdate: 25/12/2025 Architecture: LINUX Score: 100 143 us-qrl.miningocean.org 15.204.240.197, 3333, 34602 HP-INTERNET-ASUS United States 2->143 145 193.35.154.205, 2822, 3344, 55622 AS43260TR Bulgaria 2->145 147 2 other IPs or domains 2->147 149 Suricata IDS alerts for network traffic 2->149 151 Found malware configuration 2->151 153 Malicious sample detected (through community Yara rule) 2->153 157 9 other signatures 2->157 15 i.arm5.elf 2->15         started        18 python3.8 dpkg 2->18         started        signatures3 155 Detected Stratum mining protocol 143->155 process4 signatures5 167 Opens /proc/net/* files useful for finding connected devices and routers 15->167 169 Sample deletes itself 15->169 20 i.arm5.elf 15->20         started        process6 process7 22 i.arm5.elf 20->22         started        process8 24 i.arm5.elf sh 22->24         started        26 i.arm5.elf sh 22->26         started        28 i.arm5.elf sh 22->28         started        30 65 other processes 22->30 process9 32 sh xmrigDaemon 24->32         started        42 7 other processes 24->42 34 sh xmrigDaemon 26->34         started        46 7 other processes 26->46 36 sh xmrigDaemon 28->36         started        48 7 other processes 28->48 38 sh xmrigDaemon 30->38         started        40 sh xmrigDaemon 30->40         started        50 123 other processes 30->50 file10 52 xmrigDaemon sh 32->52         started        54 xmrigDaemon sh 34->54         started        56 xmrigDaemon sh 36->56         started        58 xmrigDaemon sh 38->58         started        60 xmrigDaemon sh 40->60         started        129 /xmrigMiner.1, ELF 42->129 dropped 131 /xmrigDaemon.1, ELF 42->131 dropped 133 /xmrigMiner.2, ELF 46->133 dropped 135 /xmrigDaemon.2, ELF 46->135 dropped 137 /xmrigMiner, ELF 48->137 dropped 139 /xmrigMiner.3, ELF 50->139 dropped 141 /xmrigDaemon, ELF 50->141 dropped 163 Writes identical ELF files to multiple locations 50->163 62 xmrigDaemon sh 50->62         started        64 xmrigDaemon sh 50->64         started        66 xmrigDaemon sh 50->66         started        68 49 other processes 50->68 signatures11 process12 process13 70 sh xmrigMiner 52->70         started        73 sh xmrigMiner 54->73         started        75 sh xmrigMiner 56->75         started        77 sh xmrigMiner 58->77         started        79 sh xmrigMiner 60->79         started        81 sh xmrigMiner 62->81         started        83 sh xmrigMiner 64->83         started        85 sh xmrigMiner 66->85         started        87 20 other processes 68->87 signatures14 89 xmrigMiner 70->89         started        92 xmrigMiner 73->92         started        159 Sample reads /proc/mounts (often used for finding a writable filesystem) 75->159 94 xmrigMiner 75->94         started        96 xmrigMiner 77->96         started        98 xmrigMiner 79->98         started        100 xmrigMiner 81->100         started        102 xmrigMiner 83->102         started        104 xmrigMiner 85->104         started        106 2 other processes 87->106 process15 signatures16 161 Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher) 89->161 108 xmrigMiner sh 89->108         started        110 xmrigMiner sh 92->110         started        112 xmrigMiner sh 94->112         started        114 xmrigMiner sh 96->114         started        116 xmrigMiner sh 98->116         started        118 xmrigMiner sh 100->118         started        120 xmrigMiner sh 102->120         started        122 xmrigMiner sh 104->122         started        124 2 other processes 106->124 process17 process18 126 sh modprobe 112->126         started        signatures19 165 Tries to load the MSR kernel module used for reading/writing to CPUs model specific register 126->165
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/de2027289623210a2aeb746f8de4c6a92b080add00434ee0af27989990b5ddea
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de2027289623210a2aeb746f8de4c6a92b080add00434ee0af27989990b5ddea/
Threat name:
Linux.Trojan.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2025-12-25 07:15:35 UTC
File Type:
ELF32 Little (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3yqcokewemqqukxlorxy3zggvevqqcw5abbu5yfpe6mjtefv3xva._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:gafgyt family:xmrig antivm credential_access defense_evasion discovery miner persistence
Link:
https://tria.ge/reports/251225-jygtps1lfr/
Behaviour
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Checks CPU configuration
Reads system network configuration
Adds a user to the system
Reads system routing table
Writes DNS configuration
File and Directory Permissions Modification
Indicator Removal: Clear Command History
Deletes itself
Executes dropped EXE
Flushes firewall rules
OS Credential Dumping
Modifies password files for system users/ groups
XMRig Miner payload
Xmrig family
xmrig
Malware Config
C2 Extraction:
193.35.154.205:2822
Verdict:
Malicious
Tags:
trojan gafgyt Unix.Dropper.Mirai-7139229-0
YARA:
Linux_Trojan_Gafgyt_28a2fe0c Linux_Gafgyt_May_2024
Link:
https://app.threat.zone/submission/7df2fca9-3eda-4d22-adcc-01c144d89fcb
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/de2027289623210a2aeb746f8de4c6a92b080add00434ee0af27989990b5ddea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:Linux_Gafgyt_Generic
Create hunting rule
Author:albertzsigovits
Description:Generic Approach to Mirai/Gafgyt samples
Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Generic_Threat_d2dca9e7
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_28a2fe0c
Create hunting rule
Author:Elastic Security
Rule name:Mal_LNX_Gafgyt_Botnet_ELF
Create hunting rule
Author:Phatcharadol Thangplub
Description:Use to detect Gafgyt botnet, and there variants.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:setsockopt
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for setsockopt() red flags
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

elf de2027289623210a2aeb746f8de4c6a92b080add00434ee0af27989990b5ddea

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3743114/
  
Delivery method
Distributed via web download

Comments