MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f48ed7be2f25639dc09e48c0c61a51b6588e4bb3fadad514cf4087daf482a56b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt
Vendor detections: 5

SHA256 hash: f48ed7be2f25639dc09e48c0c61a51b6588e4bb3fadad514cf4087daf482a56b
SHA3-384 hash: 6fc8094379ce51d4b32b68a08418d811ed09d5469c95ee029f335e1b7b60dfba5045ca0929b04431c786e72bd590a1aa
SHA1 hash: 4ea09153388189a8529ab538af04baee6a0f45b2
MD5 hash: b91b4bf8d872d687a4631cb22c3713bd
humanhash: uniform-victor-south-jig
File name: selfrep.sh
Signature: Gafgyt
File size: 1'894 bytes
First seen: 2025-06-17 05:32:02 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 24:vGb5gMtJ1NqeNI7ykshsojaas6fuygLhBLIjxF+K2C:v45g01NqnyJqoj26fuyuHLkF+e
TLSH: T13C4193DB36625EB52CB4ED2775AB98143480E1CE50CDAF166DED38FCA4CDE083061A87
Magika: shell
Reporter: abuse_ch
Tags: sh
Associated URLs (URL, malware sample SHA256 hash, signature, tags):

Intelligence

File Origin
# of uploads: 1
# of downloads: 67
Origin country: DE

Vendor Threat Intelligence
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-06-16 08:32:34 UTC
File Type: Text (Shell)
AV detection: 15 of 23 (65.22%)
Threat level: 3/5

Result
Malware family: n/a
Score: 9/10
Tags: credential_access defense_evasion discovery linux
Behaviour:
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Changes its process name
Reads system network configuration
Reads process memory
Creates a large amount of network flows
Enumerates running processes
Reads system routing table
File and Directory Permissions Modification
Executes dropped EXE
Contacts a large (927) amount of remote hosts

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

Rule name: UNK_install_script
Author: evilcel3ri
Description: Detects a suspicious behaviour in a bash installation script

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256 hash
Web download | Gafgyt | sh | f48ed7be2f25639dc09e48c0c61a51b6588e4bb3fadad514cf4087daf482a56b (this sample)

Delivery method: Distributed via web download

Comments