MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9
SHA3-384 hash:	4774c15528c15a145665189b44586076a3694c8136501474bd891fced1c6903214675c12f22c96e7d72852ab663e5a4c
SHA1 hash:	a506841b1b182f3fb33f344f9c04b9c1157c38ec
MD5 hash:	f472c9a409f62d3f1327ffc18fe33da9
humanhash:	pip-white-mississippi-early
File name:	rondo.aqu.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	9'432 bytes
First seen:	2025-12-25 13:10:49 UTC
Last seen:	2025-12-26 05:57:44 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:Ax0iRoLngD0J5StYf+d83foYjOoeCuNXPWo+Kz:g0goLng8eCyt
TLSH	T160121888FAC482FE26E749D611D38B7C4E2882E064738DB6DF4894F2AD7844F605F761
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://41.231.37.153/rondo.lol	n/a	n/a	ua-wget
http://41.231.37.153/rondo.x86_64	7aeb450c57b466d9a280a02f5bbdb2166d6b092a5a6aa7a440b854cc2af333b5	RondoDox	gafgyt mirai RondoDox ua-wget
http://41.231.37.153/rondo.i686	8d87fd06b2d964c414affc277c1a34762a24ac10136fa5be9c2cf393f2095a17	Mirai	mirai ua-wget
http://41.231.37.153/rondo.i586	eb40a3a7f8ba5edd91bfa225d9f9f31358bc5233fc50561d382b518f7774980a	Mirai	mirai ua-wget
http://41.231.37.153/rondo.i486	7732e3ac296300ee478d9e11dbc87080658130c9d9274c7d39fa891ac0a08b1d	Mirai	mirai ua-wget
http://41.231.37.153/rondo.armv6l	f6dd15cb2803eb1a8866104e0bbfa469f8fbe0255106a8cf472d69c81f724b9f	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv5l	9affdd7320dda529271f43090f8b8c3e82963d382e21a73d00cde6068090252f	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv4l	e2c0b7f64c6a8f8cbe51452349c56d8a340c98bb8a6b55d44cf33fabf8766d7f	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv7l	2d6cb85fb16a5fa70f9fe9478f6ed924280b74846f12686912105891fac17959	RondoDox	mirai RondoDox ua-wget
http://41.231.37.153/rondo.powerpc	c7faf8d356dec3f94a6ea63d22e5ea588083941bd3ff760b5c8d01c112008dc0	Mirai	mirai ua-wget
http://41.231.37.153/rondo.powerpc-440fp	57f9ba41f0cb4f774a98099fb2dda6a9cd6d9c780ecfca87e8618167c79006d2	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.mips	31e825d0017b4eb68b7afd69a80f84c0a5a079ef31d3fa420088c39a3ebc4547	Gafgyt	gafgyt ua-wget
http://41.231.37.153/rondo.mipsel	d2fe03bc659bb4c6ebd78984ac7c6ee6b0cd02d1bf99387679d4ce38a1f1aafe	Mirai	gafgyt mirai ua-wget
http://41.231.37.153/rondo.arc700	78d383029563304ded927d7d82613328f6763724fa7192fcaf4f23e882a65bd3	Mirai	mirai ua-wget
http://41.231.37.153/rondo.sh4	35d9009800989ef6dfa78d8305e1486ea4cf9d1d89f6483082874493f364fca1	Mirai	mirai ua-wget
http://41.231.37.153/rondo.sparc	a501ee00340a2cc0b1a8441c888b6df1d5e52d6ca360e6996973ae85cea51966	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.m68k	a78f8c90eea0183dbf8d64bd03f34696159980cf3a24937138d50be267865c95	Mirai	mirai ua-wget
http://41.231.37.153/rondo.armeb	67219e9776b9a374c618e948f220f1871647189364487254d5cea968023b6fc9	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.armebhf	848464e44045c74124c228af6b76665adc8c8ea3994e2b70045a95db862bba21	Mirai	mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

URLhaus.3729149.UNOFFICIAL

URLhaus.3736087.UNOFFICIAL

URLhaus.3736082.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox masquerade

Link:

https://www.filescan.io/uploads/694d37f63f8fdbf8e951e674/reports/76214990-f48e-4f74-96c2-232080491f04/overview

Verdict:

Clean

File Type:

unix shell

Link:

https://opentip.kaspersky.com/152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/15b0302a-b291-497d-8f1a-2d44fab5a40b

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9

Threat name:

Linux.Downloader.Generic

Status:

Suspicious

First seen:

2025-12-25 13:11:19 UTC

File Type:

Text (Shell)

AV detection:

8 of 24 (33.33%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cuxifrryhjulv222iu52apco5eimkn3f5kozh3qefl2urvqhvxmq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux persistence privilege_escalation

Link:

https://tria.ge/reports/251225-rajx6avqgj/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to shm directory

Writes file to tmp directory

Reads CPU attributes

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Deletes log files

Disables AppArmor

Disables SELinux

Enumerates running processes

Write file to user bin folder

Writes file to system bin folder

File and Directory Permissions Modification

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.31

Link:

https://yomi.yoroi.company/submissions/152e82c6383a68baeb5a453ba03c4ee910c53765ea9d93ee042af548d607add9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh