MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef2f28b8f20aab6c56ab8bcde6a7e1a0b0ab17c2ec8cee02f3bf369140e8a700. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	ef2f28b8f20aab6c56ab8bcde6a7e1a0b0ab17c2ec8cee02f3bf369140e8a700
SHA3-384 hash:	0fe3acde971f6a47336962994582e8c0b45fda4ea3e464b513366704c1bbba2e8c22ded8cc3c25989466e52a8b5d6c99
SHA1 hash:	afe78b69e8def4806c63f56f85f9ea5e773d3c6b
MD5 hash:	79705c9ab0b03aae6462944fcf224d53
humanhash:	kansas-robin-fanta-two
File name:	californication.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	2'115 bytes
First seen:	2026-04-06 08:03:03 UTC
Last seen:	Never
File type:	sh
MIME type:	text/plain
ssdeep	48:1zttYLqnTPj/owXqCGa/zr3b66rserPqVo8:1zHnTPj/owXqCf/zzb66rsqPqV5
TLSH	T1274183C760E10770ECB5AA3772669801B9D9D0E626DD5F96DCFC38E9408CEC4389E683
Magika	txt
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://82.25.56.112/cali.mips	ee4732df2f600bba6faf9790d822a9ab9f40fe2bf72b0c64917359e12043a820	Gafgyt	elf gafgyt ua-wget
http://82.25.56.112/cali.mipsel	363cb0b6bdd66193ec537f2a2222657a8389c493e8e8b091268b748795c04c9d	Gafgyt	elf gafgyt ua-wget
http://82.25.56.112/cali.sh4	c74bda6c601c08802724569b523ab94f2bff979d6ae2e1972a618dc4e303a08a	Gafgyt	elf gafgyt ua-wget
http://82.25.56.112/cali.x86	39bea49f694f71113619706b0df298fefc29139f9006b5031a287dc4b3b351c1	Mirai	elf gafgyt ua-wget
http://82.25.56.112/cali.armv7l	365bd19979a7de7b34cb1bc01d35d7f4b4d4b0cda3996021fd88616457c3554e	Gafgyt	elf gafgyt ua-wget
http://82.25.56.112/cali.armv6l	05e8bcfc1f5ae44413daa7e5dc772d4316901be7a59fe3862a6c3f8fbf2de19c	Gafgyt	elf gafgyt ua-wget
http://82.25.56.112/cali.i686	0dbe04e2373342275ff1e25963440c56b07ab056a23927cfaf94a1d7ece8c596	Mirai	elf gafgyt ua-wget
http://82.25.56.112/cali.powerpc	b135ccb9dadede605fd0d2f9269d455419ca5fd6e01df71ed011ea157fc5d857	Gafgyt	elf gafgyt ua-wget
http://82.25.56.112/cali.i586	0c635a845f285a5b4cbe3ec0dc7cd3f2b20f3e580634c459c0e6590411f034d1	Mirai	elf gafgyt ua-wget
http://82.25.56.112/cali.m68k	e83640cd75236a3cc3f7310404e6451a31c351ae0e65b2816f8b50722a6e12c5	Gafgyt	elf gafgyt ua-wget
http://82.25.56.112/cali.sparc	834410da03692bcb79c6259b2bc5091cda7fe48c8f524d02f0a6ba93c4bedf06	Gafgyt	elf gafgyt ua-wget
http://82.25.56.112/cali.armv4l	ae39d9bb90596bad86c57dfd18a5fb1923be8f052cec069632e568cf50e79114	Gafgyt	elf gafgyt ua-wget
http://82.25.56.112/cali.armv5l	70b58485e56d83cef2e2ed664391833eef49b367b870d1050bdb13099d125d45	Gafgyt	elf gafgyt ua-wget
http://82.25.56.112/cali.powerpc-440fp	n/a	n/a	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Gathering data

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive medusa mirai

Link:

https://www.filescan.io/uploads/69d368cc972c219c8d79d7cb/reports/28484978-f413-45fc-907f-2b2209a7bc45/overview

Verdict:

Malicious

File Type:

text

First seen:

2026-04-06T00:21:00Z UTC

Last seen:

2026-04-07T23:45:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.gen HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/ef2f28b8f20aab6c56ab8bcde6a7e1a0b0ab17c2ec8cee02f3bf369140e8a700/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/13e5b4b0-2704-49a6-b289-33e8f22ddb84

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/ef2f28b8f20aab6c56ab8bcde6a7e1a0b0ab17c2ec8cee02f3bf369140e8a700

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef2f28b8f20aab6c56ab8bcde6a7e1a0b0ab17c2ec8cee02f3bf369140e8a700/

Verdict:

Malicious

Threat:

Trojan-Downloader.Shell.Agent

Link:

https://tip.neiki.dev/file/ef2f28b8f20aab6c56ab8bcde6a7e1a0b0ab17c2ec8cee02f3bf369140e8a700

Threat name:

Linux.Downloader.Medusa

Status:

Malicious

First seen:

2026-04-06 08:03:48 UTC

File Type:

Text (Shell)

AV detection:

16 of 24 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=54xsrohsbkvwyvvlrpg6nj7bucykwf6c5sgo4axtx43jcqhiu4aa._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260406-jxwlgagx41/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/ef2f28b8f20aab6c56ab8bcde6a7e1a0b0ab17c2ec8cee02f3bf369140e8a700

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh