MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d230a0db9f277c8f94d916beab06f184471e9ad08ae31f49013551ae05c2492. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RondoDox


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d230a0db9f277c8f94d916beab06f184471e9ad08ae31f49013551ae05c2492
SHA3-384 hash: c953906b5956e17f10c8b71505ba08f5c6b7c03d4e80b7ba5d2d9cee95f836da36980d948b5372a6cdc5bd67de563eb6
SHA1 hash: adf2da07cbb7f70d2361940d004c75b0edd711a5
MD5 hash: f200c242477f7c6ac4b8af6679cac248
humanhash: texas-india-batman-single
File name:rondo.aqu.sh
Download: download sample
Signature RondoDox
Create hunting rule
File size:10'876 bytes
First seen:2026-01-15 07:14:21 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 192:hs9W7I1vVYTSPG5oOQhwWcWPjCryEI45ReV068mfTC3egkG/zmv2YOfmoY45RmZj:hu19YTd5oXhwPWPWry945AV0LmfG3e1l
TLSH T1F32219CC31DC13BE649564426193827E6989C1EBB2928DEDD48E8CB69DF0448E17FB73
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags:RondoDox sh
URLMalware sample (SHA256 hash)SignatureTags
http://41.231.37.153/rondo.loln/an/aua-wget
http://41.231.37.153/rondo.x86_647aeb450c57b466d9a280a02f5bbdb2166d6b092a5a6aa7a440b854cc2af333b5 RondoDoxgafgyt mirai RondoDox ua-wget
http://41.231.37.153/rondo.i6868d87fd06b2d964c414affc277c1a34762a24ac10136fa5be9c2cf393f2095a17 Miraimirai ua-wget
http://41.231.37.153/rondo.i586eb40a3a7f8ba5edd91bfa225d9f9f31358bc5233fc50561d382b518f7774980a Miraimirai ua-wget
http://41.231.37.153/rondo.i4867732e3ac296300ee478d9e11dbc87080658130c9d9274c7d39fa891ac0a08b1d Miraimirai ua-wget
http://41.231.37.153/rondo.armv6lf6dd15cb2803eb1a8866104e0bbfa469f8fbe0255106a8cf472d69c81f724b9f Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.armv5l9affdd7320dda529271f43090f8b8c3e82963d382e21a73d00cde6068090252f Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.armv4le2c0b7f64c6a8f8cbe51452349c56d8a340c98bb8a6b55d44cf33fabf8766d7f Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.armv7l2d6cb85fb16a5fa70f9fe9478f6ed924280b74846f12686912105891fac17959 RondoDoxmirai RondoDox ua-wget
http://41.231.37.153/rondo.powerpcc7faf8d356dec3f94a6ea63d22e5ea588083941bd3ff760b5c8d01c112008dc0 Miraimirai ua-wget
http://41.231.37.153/rondo.powerpc-440fp57f9ba41f0cb4f774a98099fb2dda6a9cd6d9c780ecfca87e8618167c79006d2 Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.mips31e825d0017b4eb68b7afd69a80f84c0a5a079ef31d3fa420088c39a3ebc4547 Gafgytgafgyt ua-wget
http://41.231.37.153/rondo.mipseld2fe03bc659bb4c6ebd78984ac7c6ee6b0cd02d1bf99387679d4ce38a1f1aafe Miraigafgyt mirai ua-wget
http://41.231.37.153/rondo.arc70078d383029563304ded927d7d82613328f6763724fa7192fcaf4f23e882a65bd3 Miraimirai ua-wget
http://41.231.37.153/rondo.sh435d9009800989ef6dfa78d8305e1486ea4cf9d1d89f6483082874493f364fca1 Miraimirai ua-wget
http://41.231.37.153/rondo.sparca501ee00340a2cc0b1a8441c888b6df1d5e52d6ca360e6996973ae85cea51966 Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.m68ka78f8c90eea0183dbf8d64bd03f34696159980cf3a24937138d50be267865c95 Miraimirai ua-wget
http://41.231.37.153/rondo.armeb67219e9776b9a374c618e948f220f1871647189364487254d5cea968023b6fc9 Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.armebhf848464e44045c74124c228af6b76665adc8c8ea3994e2b70045a95db862bba21 Miraimirai ua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
58
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
URLhaus.3736078.UNOFFICIAL
Create hunting rule

URLhaus.3736088.UNOFFICIAL
Create hunting rule

URLhaus.3736086.UNOFFICIAL
Create hunting rule

URLhaus.3736087.UNOFFICIAL
Create hunting rule

URLhaus.3736080.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
busybox evasive masquerade soft-404
Link:
https://www.filescan.io/uploads/696893d2b5214ecba5f022d3/reports/e84822f0-5e36-40bc-829a-2f6bd24fdadb/overview
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-01-15T04:18:00Z UTC
Last seen:
2026-01-15T07:41:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-Downloader.Shell.Agent.bc
Link:
https://opentip.kaspersky.com/0d230a0db9f277c8f94d916beab06f184471e9ad08ae31f49013551ae05c2492/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0d230a0db9f277c8f94d916beab06f184471e9ad08ae31f49013551ae05c2492
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d230a0db9f277c8f94d916beab06f184471e9ad08ae31f49013551ae05c2492/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/0d230a0db9f277c8f94d916beab06f184471e9ad08ae31f49013551ae05c2492
Threat name:
Win32.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2026-01-15 07:15:32 UTC
File Type:
Text (Shell)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=burqudnz6j34r6knsfv6vmdpdbchd2nnbcxdd5eqcnkrvyc4esja._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig antivm credential_access defense_evasion discovery execution linux miner persistence privilege_escalation
Link:
https://tria.ge/reports/260115-h2vdjafy2d/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to shm directory
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads CPU attributes
Reads process memory
Deletes log files
Enumerates running processes
Modifies init.d
Modifies rc script
Reads hardware information
Reads list of loaded kernel modules
Write file to user bin folder
Writes file to system bin folder
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Checks hardware identifiers (DMI)
Creates/modifies Cron job
File and Directory Permissions Modification
Deletes itself
Executes dropped EXE
Renames itself
XMRig Miner payload
Xmrig family
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.31
Link:
https://yomi.yoroi.company/submissions/0d230a0db9f277c8f94d916beab06f184471e9ad08ae31f49013551ae05c2492

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RondoDox

sh 0d230a0db9f277c8f94d916beab06f184471e9ad08ae31f49013551ae05c2492

(this sample)

Mirai

elf 0a844c3added16ba55fc0db88afb9d87d9982f83471c954fc9f54d5b46d558b6

  
URLhaus
https://urlhaus.abuse.ch/url/3736083/
  
Delivery method
Distributed via web download
  
Dropping
MD5 36de3e6ab2fcc0f92a02f1377f463fdd
  
Dropping
SHA256 0a844c3added16ba55fc0db88afb9d87d9982f83471c954fc9f54d5b46d558b6

Comments