MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9
SHA3-384 hash:	4774c15528c15a145665189b44586076a3694c8136501474bd891fced1c6903214675c12f22c96e7d72852ab663e5a4c
SHA1 hash:	a506841b1b182f3fb33f344f9c04b9c1157c38ec
MD5 hash:	f472c9a409f62d3f1327ffc18fe33da9
humanhash:	pip-white-mississippi-early
File name:	rondo.aqu.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	9'432 bytes
First seen:	2025-12-25 13:10:49 UTC
Last seen:	2025-12-26 05:57:44 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:Ax0iRoLngD0J5StYf+d83foYjOoeCuNXPWo+Kz:g0goLng8eCyt
TLSH	T160121888FAC482FE26E749D611D38B7C4E2882E064738DB6DF4894F2AD7844F605F761
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://41.231.37.153/rondo.lol	n/a	n/a	ua-wget
http://41.231.37.153/rondo.x86_64	a5f035343b91205375751e0fb4d828aef261532508ef80129ffe7a9ba8a30ed0	Gafgyt	gafgyt RondoDox ua-wget
http://41.231.37.153/rondo.i686	293a3a492aef65a88cf5434ee66ad55875deb66885871c9199296e707fb17926	Mirai	mirai ua-wget
http://41.231.37.153/rondo.i586	38b3192b7e792073bde272b917f53336ad35d17482d5140b362f697861bd2c55	Mirai	mirai ua-wget
http://41.231.37.153/rondo.i486	f1beda333a121d1fc43ca60075f62a6e9848b5d9e41ef177d934ebc7138a696f	Mirai	mirai ua-wget
http://41.231.37.153/rondo.armv6l	29ed805642950a7709d058067ec1882d877beb02e67b56b673b5e2d2b17272d2	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv5l	635916119ab6903aa6f8672e8c59d9c658c279b6fee9b7490abfff1b58395402	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv4l	92a92f68af94dfc82046ebe54a51a639d972608d2516255250cd222ad2b8fddd	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv7l	ec6125b2e7dba1419d5cb0d0ffbcd40de93826062968999d29a933f1485249dc	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.powerpc	852713af646fc9ebe10d87b98556f42763cd8490bcb855847a46e6db0fced634	Mirai	mirai ua-wget
http://41.231.37.153/rondo.powerpc-440fp	2311ce1f03fd7a7c7b2130ebcd7cf84c346e22cec9e00749835746cfd2f2efa5	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.mips	5075648683ceb6822b87509f97f7d15436d510feb0a019053084cb63eb44520d	Gafgyt	gafgyt ua-wget
http://41.231.37.153/rondo.mipsel	d4d72de0e0335c9a3f3eec7cdfd93f7fcc5ee85fc1b8692b8fdab77355db7190	Gafgyt	gafgyt ua-wget
http://41.231.37.153/rondo.arc700	a448a233d175276ab77aa4cf9fd63dd02f9e6fd5f4ee160ce99f177df7d27d11	Mirai	mirai ua-wget
http://41.231.37.153/rondo.sh4	87b5360fc1a9b326ab7cdece074614eb30e23bd0ff7b179cb121e29aac0edb31	Mirai	mirai ua-wget
http://41.231.37.153/rondo.sparc	8ccaa9a601ec1a1750338b8074d60609b53cde76135f1761fd705428dd195bb7	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.m68k	9aedf0f1ae99ae01eed2d8edec1dd9f2a2257435a91c6a57d4b368946b0f1d18	Mirai	mirai ua-wget
http://41.231.37.153/rondo.armeb	b335b5eeaf8ea4f275a66c22322e2f35a36707979aa430ea3dadc29564f3ba09	Mirai	RondoDox ua-wget
http://41.231.37.153/rondo.armebhf	4e7384185cdff726ae05bad052983c0b3854bd5a3a69897d980cacef2f9a06fc	RondoDox	ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

URLhaus.3729149.UNOFFICIAL

URLhaus.3736087.UNOFFICIAL

URLhaus.3736082.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox masquerade

Link:

https://www.filescan.io/uploads/694d37f63f8fdbf8e951e674/reports/76214990-f48e-4f74-96c2-232080491f04/overview

Verdict:

Clean

File Type:

unix shell

Link:

https://opentip.kaspersky.com/152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/15b0302a-b291-497d-8f1a-2d44fab5a40b

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9

Threat name:

Linux.Downloader.Generic

Status:

Suspicious

First seen:

2025-12-25 13:11:19 UTC

File Type:

Text (Shell)

AV detection:

8 of 24 (33.33%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cuxifrryhjulv222iu52apco5eimkn3f5kozh3qefl2urvqhvxmq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux persistence privilege_escalation

Link:

https://tria.ge/reports/251225-rajx6avqgj/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to shm directory

Writes file to tmp directory

Reads CPU attributes

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Deletes log files

Disables AppArmor

Disables SELinux

Enumerates running processes

Write file to user bin folder

Writes file to system bin folder

File and Directory Permissions Modification

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.31

Link:

https://yomi.yoroi.company/submissions/152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh