MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2a3a51e7a1056c8c41925aec6df02d4ecd26d2619d0bdac5b6eb2c97ab31620. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 8

SHA256 hash: e2a3a51e7a1056c8c41925aec6df02d4ecd26d2619d0bdac5b6eb2c97ab31620
SHA3-384 hash: 6f5c30ae5644729861c51e6f155b9daae779be6e6ca3b8909b9159c301156efd145a9e71a328cde2bc91422a79aa0f54
SHA1 hash: bcbdce591bdfde6d6539ef5c04c2c79080bc60ca
MD5 hash: 6ca1135aab23ccba83b9924310662a63
humanhash: autumn-network-pasta-pluto
File name: r.sh
Signature: Gafgyt
File size: 7'119 bytes
First seen: 2025-03-26 23:37:59 UTC
Last seen: Never
File type: sh
MIME type: text/plain
ssdeep: 96:Civ6skQ0vfPKF3HbQaUD6KCmyv3jLNP0HHL27ywt4ouJ:stObQ8V3eHLYywt4ouJ
TLSH: T15FE101CC2D914BB60E15DFB9E221C86AA44ED4C365A08F0926BE30F8E9FEF457D04557
Magika: shell
Reporter: abuse_ch
Tags: sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://185.142.53.233/mips | 1115f758d81297173822b6403732150d67679c78959e03e4ca859337be0821f0 | Gafgyt | ddos elf gafgyt mirai
http://185.142.53.233/mpsl | 0838726b7805ee5198b7826afa3629936a4934fd98bd0df583b541e44ea0ad6b | Gafgyt | ddos elf gafgyt mirai
http://185.142.53.233/x86 | 18c54bb07726b64710800d9fdc6154fa6a9eb18076b3b3803085809cb3f709af | Mirai | ddos elf mirai
http://185.142.53.233/i686 | 9e2207583a555e052572b26d105f58caacf8e65793b501caa064569d32aaffec | Mirai | ddos elf mirai
http://185.142.53.233/sh4 | c402d76e0eceddf041567bc80914549ec7371ed091d0f66878b924703017a3ec | Gafgyt | gafgyt mirai ua-wget
http://185.142.53.233/ppc | n/a | n/a | mirai ua-wget
http://185.142.53.233/arc | n/a | n/a | mirai ua-wget
http://185.142.53.233/arm | 66e52629466f769be17bcf6b20aee63e2bacbc19497749713d7b95da96571a70 | Mirai | ddos elf mirai
http://185.142.53.233/arm5 | 152a0a31ba2f6df93ae927ad82c8288f2bac69583236f6fe7855e9237bcbd06f | Mirai | ddos elf mirai
http://185.142.53.233/arm6 | 7e44021f9458606e1deb53f19e80ec81d358b76341065451345f40e0f2454513 | Mirai | ddos elf mirai
http://185.142.53.233/arm7 | fc4b814d40c1602ae693c8ddf483b659bbf0b63e301c11a9b4928fea74e01c56 | Mirai | mirai ua-wget
ftp://5.142.53.233:8021/mips | n/a | n/a | n/a
ftp://5.142.53.233:8021/mpsl | n/a | n/a | n/a
ftp://5.142.53.233:8021/x86 | n/a | n/a | n/a
ftp://5.142.53.233:8021/i686 | n/a | n/a | n/a
ftp://5.142.53.233:8021/sh4 | n/a | n/a | n/a
ftp://5.142.53.233:8021/ppc | n/a | n/a | n/a
ftp://5.142.53.233:8021/arc | n/a | n/a | n/a
ftp://5.142.53.233:8021/arm | n/a | n/a | n/a
ftp://5.142.53.233:8021/arm5 | n/a | n/a | n/a
ftp://5.142.53.233:8021/arm6 | n/a | n/a | n/a
ftp://5.142.53.233:8021/arm7 | n/a | n/a | n/a

Intelligence

File Origin
# of uploads: 1
# of downloads: 85
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: trojan botnet agent

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive packed

Result
Verdict: MALICIOUS
Threat name: Script-Shell.Downloader.Heuristic

Status: Malicious
First seen: 2025-03-26 23:38:17 UTC
File Type: Text (Shell)
AV detection: 7 of 24 (29.17%)
Threat level: 2/5

Result
Malware family: n/a
Score: 3/10
Tags: discovery
Behaviour:
  Modifies registry class
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: UNK_install_script
Author: evilcel3ri
Description: Detects a suspicious behaviour in a bash installation script

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | Malware sample
Web download | Gafgyt | sh e2a3a51e7a1056c8c41925aec6df02d4ecd26d2619d0bdac5b6eb2c97ab31620 (this sample)

Delivery method: Distributed via web download

Comments