MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1880667151a13eb689e5c1b2318b3c8ecce80315b40c4f89f30bcdc8c680bfa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	f1880667151a13eb689e5c1b2318b3c8ecce80315b40c4f89f30bcdc8c680bfa
SHA3-384 hash:	08e1e42904259b28bad89d22b2e72eceb783f29e0724fa52a294fd1b1ccddcdb468faeaa09a406e376e8e26034be56d5
SHA1 hash:	31d9e410b69c5b084959e077bbe3e1671e7f396e
MD5 hash:	0e66f137d4b4e306f31880fdfc1e4b92
humanhash:	violet-washington-purple-ten
File name:	Sakura.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	2'098 bytes
First seen:	2025-09-06 19:49:06 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vSad8jS9ttQdMSEYS7RS57SST6SQCScISnL1SV5NScISHxSGT:vDd8j+ttQdMdYmRa7PT6bCFI0B25NFIo
TLSH	T1FF4127D711A20BF32D91E937326954C0F5D09196A4C69F4ABADC7CE448BEDEC68447C3
Magika	shell
Reporter	abuse_ch
Tags:	gafgyt sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://45.170.245.23/m-i.p-s.Sakura	b41a141a47a814a7bd994e912fc03bdf5fa79305902443c346f805b563575bcc	Gafgyt	elf gafgyt ua-wget
http://45.170.245.23/m-p.s-l.Sakura	68641d8a30aab4113cd52f6b55ca7d80e2e46227c034912647bc448cbd1a0530	Gafgyt	elf gafgyt ua-wget
http://45.170.245.23/s-h.4-.Sakura	11c5dc3af21d70bbd180585286cc6c575b13531982647d0818ab8789f70b70b7	Gafgyt	elf gafgyt ua-wget
http://45.170.245.23/x-8.6-.Sakura	ea34bcef8faf9279994a6ae4b99e7ac3e3a3d9af8973e5162f979b33a206a0f3	Gafgyt	elf gafgyt ua-wget
http://45.170.245.23/a-r.m-6.Sakura	d656cb948d29b282e895536ada6ef7432617ec2e3da7fe1a44f91b075b8a348b	Gafgyt	elf gafgyt ua-wget
http://45.170.245.23/x-3.2-.Sakura	edaffffc4170552035f1c299b8cca11e8ddac1d45b120dd69ad8195b01d7f1d8	Gafgyt	elf gafgyt ua-wget
http://45.170.245.23/a-r.m-7.Sakura	67cd9ade9860af165de29dc08bd70af13b7888eed85ffa43c35df2fcf4a9d473	Gafgyt	elf gafgyt ua-wget
http://45.170.245.23/p-p.c-.Sakura	60efa56c6afd73e1cae8a7a9986ed4f03f0f0a17317eb9b0c354763fffaad0be	Gafgyt	elf gafgyt ua-wget
http://45.170.245.23/i-5.8-6.Sakura	288c0cf5ca444faccb9643278a77c6f89577cb7bcd87bc27c006822af47494be	Gafgyt	elf gafgyt ua-wget
http://45.170.245.23/m-6.8-k.Sakura	d1cff4d398e38e17c0e368628436107a03aa1f345da354181104687e26313168	Gafgyt	elf gafgyt ua-wget
http://45.170.245.23/a-r.m-4.Sakura	60efa56c6afd73e1cae8a7a9986ed4f03f0f0a17317eb9b0c354763fffaad0be	Gafgyt	elf gafgyt ua-wget
http://45.170.245.23/a-r.m-5.Sakura	aafde5a93ad631683791e7d2af5bc1ece72c0c3c5ba05ceab75170173d7c2f8e	Gafgyt	elf gafgyt ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-09-06T17:33:00Z UTC

Last seen:

2025-09-06T17:33:00Z UTC

Hits:

~10

Detections:

HEUR:Trojan-Downloader.Shell.Agent.p HEUR:Trojan-Downloader.Shell.Agent.a

Link:

https://opentip.kaspersky.com/f1880667151a13eb689e5c1b2318b3c8ecce80315b40c4f89f30bcdc8c680bfa/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/f7308ac0-b9cf-42a5-a75e-585ab56340d2

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f1880667151a13eb689e5c1b2318b3c8ecce80315b40c4f89f30bcdc8c680bfa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f1880667151a13eb689e5c1b2318b3c8ecce80315b40c4f89f30bcdc8c680bfa/

Verdict:

Malicious

Threat:

Family.GAFGYT

Link:

https://tip.neiki.dev/file/f1880667151a13eb689e5c1b2318b3c8ecce80315b40c4f89f30bcdc8c680bfa

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2025-09-06 19:55:48 UTC

File Type:

Text (Shell)

AV detection:

25 of 38 (65.79%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6geamzyvdij6w2e6lqnsggftzdwm5abrlnamj6e7gc6nzddibp5a._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/250906-ykx14aep7t/

Behaviour

Writes file to tmp directory

Reads system network configuration

Reads system routing table

File and Directory Permissions Modification

Executes dropped EXE

Detected Gafgyt variant

Gafgyt family

Gafgyt/Bashlite

Malware Config

C2 Extraction:

45.170.245.23:12345

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f1880667151a13eb689e5c1b2318b3c8ecce80315b40c4f89f30bcdc8c680bfa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.