MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3cde3780136aa469649c5028c4eb3262738579140d03448c618c7ca50cfd7db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	f3cde3780136aa469649c5028c4eb3262738579140d03448c618c7ca50cfd7db
SHA3-384 hash:	bac0e0f9b2ce23ddfd93e845ed6f2d08fee53e2d3afeacdfda37be8a458c020c7b879dd6493ded3c42f5ef1fcdf8df65
SHA1 hash:	9e4f57b1b0c2da1601b5f02b1272ff78fcfb34fd
MD5 hash:	6972d3d62253c486b78ab5a4ba17584b
humanhash:	low-freddie-double-equal
File name:	bins.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	1'816 bytes
First seen:	2026-01-18 19:20:26 UTC
Last seen:	2026-01-18 22:30:37 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	48:vSQL+xarHKhdJGI3OA5I3rsysRswssrI32d:vSu+xarHKhrGGOA5Gr1ofBrI32d
TLSH	T1B83145EBE4614DBD3F54A91732E5461434E098A658FEDF37ACEC34E5019CE8CA4C2693
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	gafgyt sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://103.211.218.101/yakuza.mips	b3ca938ef13b0b0320df7a2248af9bc639f732d809ca2b56997af6ebfe2ea34b	Gafgyt	DEU elf gafgyt geofenced ua-wget
http://103.211.218.101/yakuza.mpsl	2202c7e3b4f89af0f31f2d2c453e200ec320490d7327ce10a877ac6731b0ccff	Gafgyt	DEU elf gafgyt geofenced ua-wget
http://103.211.218.101/yakuza.sh4	90dedd325d5be13d2cb48f31ae13f1a8161770ccd9603c0c46320e10551c3d6d	Gafgyt	DEU elf gafgyt geofenced ua-wget
http://103.211.218.101/yakuza.x86	5f5421cb72d0c879831ad58b1f073817c976cc8c68c9bba0a95f98065e379d7b	Gafgyt	DEU elf gafgyt geofenced ua-wget
http://103.211.218.101/yakuza.arm6	dfed6a8212392e7e55b8ba709fdc6eb154a0002785b275e605688a78ce67619b	Gafgyt	DEU elf gafgyt geofenced ua-wget
http://103.211.218.101/yakuza.x32	23e3354e499b6cb514c01d1e56b9f7c2954f9fe38eaca10649a04d41726f0775	Gafgyt	DEU elf gafgyt geofenced ua-wget
http://103.211.218.101/yakuza.ppc	490735ee8f6e61fab8c608d35b9c434c8f4f7060552769584ff6ca519cbafe89	Gafgyt	DEU elf gafgyt geofenced ua-wget
http://103.211.218.101/yakuza.i586	77e2ed4ee4e8b7c84175b494c0ee4def2cddbd395408ef3f87d58863c8a79e00	Gafgyt	DEU elf gafgyt geofenced ua-wget
http://103.211.218.101/yakuza.m68k	68cf0ff1b76f0f73b0ab2de921ca6bc2d149655f9dc80fcdfe4fe644482683fc	Gafgyt	DEU elf gafgyt geofenced ua-wget
http://103.211.218.101/yakuza.arm4	ec775aa17230edba71083a13a9823164ab7f4f6b57688e59218f6bed178cdf0f	Gafgyt	DEU elf gafgyt geofenced ua-wget
http://103.211.218.101/yakuza.arm5	n/a	n/a	elf ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

Sanesecurity.Malware.30790.LX.BOT.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-29.UNOFFICIAL

SecuriteInfo.com.Linux.Downloader-6.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive

Link:

https://www.filescan.io/uploads/696d32bd584f1963ad5a4269/reports/4f981c3e-641d-4952-826f-23f1736ab623/overview

Result

Gathering data

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/7db6281b-9b62-4063-acd9-18d9126bf323

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f3cde3780136aa469649c5028c4eb3262738579140d03448c618c7ca50cfd7db

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f3cde3780136aa469649c5028c4eb3262738579140d03448c618c7ca50cfd7db/

Verdict:

Malicious

Threat:

Family.GAFGYT

Link:

https://tip.neiki.dev/file/f3cde3780136aa469649c5028c4eb3262738579140d03448c618c7ca50cfd7db

Threat name:

Linux.Downloader.Morila

Status:

Malicious

First seen:

2026-01-18 12:05:19 UTC

File Type:

Text (Shell)

AV detection:

24 of 36 (66.67%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6pg6g6abg2venfsjyubiytvteyttqv4rididisggddd4uugp27nq._file

Result

Malware family:

gafgyt

Score:

10/10

Tags:

family:gafgyt botnet defense_evasion discovery linux

Link:

https://tria.ge/reports/260118-x2e16ses3b/

Behaviour

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

File and Directory Permissions Modification

Executes dropped EXE

Detected Gafgyt variant

Gafgyt family

Gafgyt/Bashlite

Malware Config

C2 Extraction:

103.211.218.101:23

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_202412_suspect_bash_script Create hunting rule
Author:	abuse.ch
Description:	Detects suspicious Linux bash scripts

Rule name:	Linux_Shellscript_Downloader Create hunting rule
Author:	albertzsigovits
Description:	Generic Approach to Shellscript downloaders

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh