MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3acbc3776927b1a288d317c14069d7b95396f3cb0f4705d7ca8958b3fe1d4e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 9



SHA256 hash: f3acbc3776927b1a288d317c14069d7b95396f3cb0f4705d7ca8958b3fe1d4e6
SHA3-384 hash: 31021aa5d2bf556dff17bb49de7551f637f5d73940cb8689b4d94b72f82dcc4ea75030e0ff2c2211d96639b367e15eaf
SHA1 hash: 046b60fe37569807c47805c1db3432eeaf3f4cb2
MD5 hash: 2b6cdb6dcc4cbddb1ef3e29c82b26779
humanhash: fruit-burger-music-chicken
File name: bins.sh
Signature: Gafgyt
File size: 1'631 bytes
First seen: 2025-02-16 17:01:55 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:vffEf2rf8+MfKrfcfrUfEfkf/Uf4fIfofH:vXEEjMSrEwsskgwQf
TLSH: T1293176CA20921DB4BC61DD7331AA4C0475E4A4CA48CADF466DFE3CFA489EF04B944B93
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh

Intelligence

File Origin
# of uploads: 1
# of downloads: 100
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
Score: 94.9%
Tags: shellcode trojan agent

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive lolbin obfuscated remote

Result
Verdict: MALICIOUS
Threat name: Linux.Downloader.Morila
Status: Malicious
First seen: 2025-02-16 17:02:18 UTC
File Type: Text (Shell)
AV detection: 25 of 37 (67.57%)
Threat level: 3/5

Result
Malware family:
Score: 10/10
Tags: family:gafgyt botnet defense_evasion discovery linux
Behaviour:
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Malware Config
C2 Extraction: 84.200.154.119:4568

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Gafgyt
Sample: sh f3acbc3776927b1a288d317c14069d7b95396f3cb0f4705d7ca8958b3fe1d4e6 (this sample)

Delivery method
Distributed via web download

Comments