MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cfed5e3963fd22823a63fe44ba533a014dff9528b44c9c2b620c81963d595ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	1cfed5e3963fd22823a63fe44ba533a014dff9528b44c9c2b620c81963d595ce
SHA3-384 hash:	e7af6b5370e8556f65307e4d27733c79482cbb4545bfba4855c54f6a7ed0ab654e3c81f33db27b491e1c002c95fcb60e
SHA1 hash:	3232310db72ddc733ffa825bfec96025b930ab49
MD5 hash:	42566c3c0ed2ead8e191f6dbffebeca1
humanhash:	may-cat-one-oxygen
File name:	rondo.dcn.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	13'784 bytes
First seen:	2025-08-13 07:37:23 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	192:DUIzkLhZoC1NSNigJQKlTjPXzR1lBgMPhVVn2eB/HQ:DWX
TLSH	T12C52588914D006F391DD494BB3C3DAAC6C49A1FFB0A3BEB9E864A8BFD530944B46D744
Magika	shell
Reporter	smica83
Tags:	74-194-191-52 HUN sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://74.194.191.52/rondo.lol	n/a	n/a	elf ua-wget
http://74.194.191.52/rondo.armv6l	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.armv5l	bb0069de1a2b09dab1947e8c9a7668c422a6fbc188b41d6808b23f5396766296	RondoDox	elf geofenced ITA mirai RondoDox ua-wget
http://74.194.191.52/rondo.armv4l	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.armv7l	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.mipsel	9424c99087c5ee58e153eb7e6ac57dad449093bee74ddeb12a5f1ca344a95a1e	RondoDox	elf geofenced HUN mirai ua-wget
http://74.194.191.52/rondo.mips	n/a	n/a	elf mirai ua-wget
http://74.194.191.52/rondo.x86_64	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.powerpc	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.powerpc-440fp	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.i686	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.i586	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.i486	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.fbsdamd64	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.fbsdi386	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.fbsdpowerpc	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.fbsdarm64	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.arc700	n/a	n/a	CHE elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.sh4	ee62ba350ea11f7f3d18db104eaa339ca21459c9e986859e356add6d95aa88b8	RondoDox	elf geofenced HUN mirai ua-wget
http://74.194.191.52/rondo.sparc	0e8c75c260f3e61faa02cbe9b33546b86ace79b89725124b6f10f1809fabe764	RondoDox	DEU elf geofenced mirai ua-wget
http://74.194.191.52/rondo.m68k	n/a	n/a	elf geofenced HNG mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/a6109f4b-0def-4454-b1c6-d93c1a8484ce

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/1cfed5e3963fd22823a63fe44ba533a014dff9528b44c9c2b620c81963d595ce

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1cfed5e3963fd22823a63fe44ba533a014dff9528b44c9c2b620c81963d595ce/

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/1cfed5e3963fd22823a63fe44ba533a014dff9528b44c9c2b620c81963d595ce

Threat name:

Script.Trojan.Multiverze

Status:

Malicious

First seen:

2025-08-11 15:08:15 UTC

File Type:

Text (Shell)

AV detection:

6 of 24 (25.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dt7nly4wh7jcqi5gh7sexjjtuakn76ksrncmtqvwedebsy6vsxha._file

Result

Malware family:

n/a

Score:

7/10

Tags:

antivm defense_evasion discovery linux persistence

Link:

https://tria.ge/reports/250813-jgfv3shm4w/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

System Network Configuration Discovery

Writes file to shm directory

Writes file to tmp directory

Checks CPU configuration

Reads CPU attributes

Deletes log files

Disables AppArmor

Disables SELinux

Enumerates running processes

Write file to user bin folder

Writes file to system bin folder

File and Directory Permissions Modification

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.29

Link:

https://yomi.yoroi.company/submissions/1cfed5e3963fd22823a63fe44ba533a014dff9528b44c9c2b620c81963d595ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Mirai

sh 1cfed5e3963fd22823a63fe44ba533a014dff9528b44c9c2b620c81963d595ce

(this sample)

Mirai

elf 9fb06f9f87f1db4cb8eaeac3804935e6edbe71eac2cfaab227b0da07ac62dd20

Dropping

MD5 02f1f36e11090a1d3048028697f325fc

Dropping

SHA256 9fb06f9f87f1db4cb8eaeac3804935e6edbe71eac2cfaab227b0da07ac62dd20

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample