MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e995fc52104ea11ec54eb5d647473721846b2caf1dcb10b4c1a52a243d36a009. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	e995fc52104ea11ec54eb5d647473721846b2caf1dcb10b4c1a52a243d36a009
SHA3-384 hash:	5a0fd401dbc40ab68b2eff5bd6902d610d230e8ede0bd6f43d46498cf83e41a79086e482d593f2fe10d316e1920214fb
SHA1 hash:	8177eb6e77edbcba3d20b085c0fce40b46a29b6b
MD5 hash:	48745b5d9ecf29b313a1fc8a28b6e50e
humanhash:	diet-zebra-california-six
File name:	onu
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	200 bytes
First seen:	2025-04-28 14:31:39 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	3:LMFFVjm0FI+nJ43zSKWJoGDSzQ9oDMFFVjm/FVGWJ43zSKWJoGDSzQ9K:LMFFV6cn9N2QGDMFFV6D9N2QM
TLSH	T113D0C9DA0CD214F54324AA496C63B542F006ED523900F9A13C4C013EC4E4470F1D6DC4
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://62.60.232.26/lol.mips	6dc7a2bdd052870e6f5d3aa25211c68e4c8128678c90977e4ddaac54930e61bb	Gafgyt	gafgyt
http://62.60.232.26/lol.mpsl	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.Downloader-35.UNOFFICIAL

Verdict:

Clean

Score:

84.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=680fcb9ecc5fb3600cc40b91linux22vpnfull_triage

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive lolbin remote

Link:

https://www.filescan.io/uploads/680f916bc502e7176af9820e/reports/dfd3eac3-7fb8-4869-b502-9dc163415dec/overview

Verdict:

Suspicious

Labled as:

SH/Mirai.C.gen

Link:

https://www.hybrid-analysis.com/sample/e995fc52104ea11ec54eb5d647473721846b2caf1dcb10b4c1a52a243d36a009

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e995fc52104ea11ec54eb5d647473721846b2caf1dcb10b4c1a52a243d36a009

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e995fc52104ea11ec54eb5d647473721846b2caf1dcb10b4c1a52a243d36a009/

Threat name:

Script.Browser.Heuristic

Status:

Malicious

First seen:

2025-04-28 17:41:52 UTC

File Type:

Text (Shell)

AV detection:

3 of 24 (12.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5gk7yuqqj2qr5rkowxleorzxegcgwlfpdxfrbngbuuvcipjwuaeq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250428-w4cs6axpx3/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e995fc52104ea11ec54eb5d647473721846b2caf1dcb10b4c1a52a243d36a009

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh e995fc52104ea11ec54eb5d647473721846b2caf1dcb10b4c1a52a243d36a009

(this sample)

Gafgyt

elf 6dc7a2bdd052870e6f5d3aa25211c68e4c8128678c90977e4ddaac54930e61bb

URLhaus

https://urlhaus.abuse.ch/url/3528904/

Delivery method

Distributed via web download

Dropping

MD5 285de81d809798a12f2709ccb8c0ff1d

Dropping

SHA256 6dc7a2bdd052870e6f5d3aa25211c68e4c8128678c90977e4ddaac54930e61bb

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample