MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb8d32cf60ffe401f131332f3efbe2bad5195df1147cf365bf87b31f30eaab3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb8d32cf60ffe401f131332f3efbe2bad5195df1147cf365bf87b31f30eaab3b
SHA3-384 hash: 16888b1543108108a6796ca8930271f783e792f2cdadbe892158d8597f2074e5ae5f43c4852920c0d589707e15cf6abf
SHA1 hash: f3cdd1000a757d45bcd81a44628b90b8ff13fc1e
MD5 hash: f4a581f33e9c542b9ecf6824ec9d19e4
humanhash: washington-failed-north-thirteen
File name:mips
Download: download sample
Signature Gafgyt
Create hunting rule
File size:84'960 bytes
First seen:2026-03-23 20:26:51 UTC
Last seen:2026-03-23 21:51:34 UTC
File type: elf
MIME type:application/x-executable
ssdeep 1536:vtpmDoTXY3/kEWJuXJuXhu05HOEQgSEgxSTn+e+SiX:1pmIYvkEx7gS6TnBiX
TLSH T15383B61E6E21DFADF659C33547B34E31A39833D626E1D685E26CD2001E6034E685FFA8
telfhash t11811c84c4d7423f497351dc91a9def76e5a030df07266d378e10a5beaa6d9415d00c0c
Magika elf
Reporter abuse_ch
Tags:elf gafgyt

Intelligence

File Origin
# of uploads :
2
# of downloads :
160
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Linux.Mirai.9373.12474.32355.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Opens a port
Substitutes an application name
Gathering data
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
mips
Packer:
not packed
Botnet:
unknown
Number of open files:
40
Number of processes launched:
6
Processes remaning?
true
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/fb8d32cf60ffe401f131332f3efbe2bad5195df1147cf365bf87b31f30eaab3b
Behaviour
Process Renaming
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
File Type:
elf.32.be
Link:
https://opentip.kaspersky.com/fb8d32cf60ffe401f131332f3efbe2bad5195df1147cf365bf87b31f30eaab3b/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/043a9636-f0fe-4cc7-97f8-b8505f4420f1
Behavior Graph:
Download SVG
%3 guuid=f95ac92e-1c00-0000-910b-e7fa280d0000 pid=3368 /usr/bin/sudo guuid=54d27e31-1c00-0000-910b-e7fa2f0d0000 pid=3375 /tmp/sample.bin guuid=f95ac92e-1c00-0000-910b-e7fa280d0000 pid=3368->guuid=54d27e31-1c00-0000-910b-e7fa2f0d0000 pid=3375 execve
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4ad8cf7a-2536-490b-b6ad-b4f44c9a4b2f
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1887869
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1887869 Sample: mips.elf Startdate: 23/03/2026 Architecture: LINUX Score: 60 21 www.miraibotnet.su 2->21 23 109.202.202.202, 80 INIT7CH Switzerland 2->23 25 3 other IPs or domains 2->25 27 Antivirus / Scanner detection for submitted sample 2->27 29 Multi AV Scanner detection for submitted file 2->29 7 mips.elf 2->7         started        9 dash rm 2->9         started        11 dash rm 2->11         started        13 python3.8 dpkg 2->13         started        signatures3 31 Performs DNS TXT record lookups 21->31 process4 process5 15 mips.elf 7->15         started        17 mips.elf 7->17         started        19 mips.elf 7->19         started       
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/fb8d32cf60ffe401f131332f3efbe2bad5195df1147cf365bf87b31f30eaab3b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb8d32cf60ffe401f131332f3efbe2bad5195df1147cf365bf87b31f30eaab3b/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/fb8d32cf60ffe401f131332f3efbe2bad5195df1147cf365bf87b31f30eaab3b
Threat name:
Linux.Backdoor.Gafgyt
Create hunting rule
Status:
Malicious
First seen:
2026-03-23 20:27:24 UTC
File Type:
ELF32 Big (Exe)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ogtft3a77sad4jrgmxt567cxlkrsxprcr6pgzn7q6zr6mhkvm5q._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery
Link:
https://tria.ge/reports/260323-y8gn1sg15q/
Behaviour
Reads runtime system information
System Network Configuration Discovery
Changes its process name
Enumerates running processes
Unexpected DNS network traffic destination
Creates a large amount of network flows
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fb8d32cf60ffe401f131332f3efbe2bad5195df1147cf365bf87b31f30eaab3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cecilio_botnet
Create hunting rule
Author:Nokia Deepfield ERT
Description:Cecilio botnet - CatDDoS derivative with modified RC4 table encryption
Reference:https://blog.xlab.qianxin.com/catddos-derivative-en/
Rule name:ELF_Toriilike_persist
Create hunting rule
Author:4r4
Description:Detects Torii IoT Botnet (stealthier Mirai alternative)
Reference:Identified via researched data
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh 96e60b3bda86907eea1dd9d0b9289efe3f8cf9a29cc02db2dcc633c3b4df69c9

Gafgyt

elf fb8d32cf60ffe401f131332f3efbe2bad5195df1147cf365bf87b31f30eaab3b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3803551/
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 96e60b3bda86907eea1dd9d0b9289efe3f8cf9a29cc02db2dcc633c3b4df69c9
  
Dropped by
MD5 c0d8f2ddeec3b44085648848530b04f0
  
URLhaus
https://urlhaus.abuse.ch/url/3803550/

Comments