MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 628c8f319f2aec171effe37e8fad0faeab04abe09e9ff9c8db27e7de6b25a60e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gafgyt


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 628c8f319f2aec171effe37e8fad0faeab04abe09e9ff9c8db27e7de6b25a60e
SHA3-384 hash: d2c401995aa188f78b44474d0bc4c21af1c2b41b5045e655baa0f507add9f59de11ee806e6bf0e7e9db9b4781dc808dd
SHA1 hash: f09153e8a92dc6dfd914c2bc6002e5e3f7db3800
MD5 hash: 52fe9bbcb486665c1ce0c75db8084569
humanhash: california-zulu-steak-cat
File name:rondo.aqu.sh
Download: download sample
Signature Gafgyt
Create hunting rule
File size:9'432 bytes
First seen:2025-12-25 06:03:31 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 96:Ax0iRoLngDEy9q5eSkYEfKeWs45mCIYYPS+ywaPeL2K+mSMcRGqkwCIeCuCou8SI:g0goLngiYCHW
TLSH T10912C388F1E112FA7CA548466193937C8D44C1E1607BD9B6D848D8FEBAB86CCA07DF47
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags:sh
URLMalware sample (SHA256 hash)SignatureTags
http://41.231.37.153/rondo.loln/an/aua-wget
http://41.231.37.153/rondo.x86_64a5f035343b91205375751e0fb4d828aef261532508ef80129ffe7a9ba8a30ed0 Gafgytgafgyt RondoDox ua-wget
http://41.231.37.153/rondo.i686293a3a492aef65a88cf5434ee66ad55875deb66885871c9199296e707fb17926 Miraimirai ua-wget
http://41.231.37.153/rondo.i58638b3192b7e792073bde272b917f53336ad35d17482d5140b362f697861bd2c55 Miraimirai ua-wget
http://41.231.37.153/rondo.i486f1beda333a121d1fc43ca60075f62a6e9848b5d9e41ef177d934ebc7138a696f Miraimirai ua-wget
http://41.231.37.153/rondo.armv6l29ed805642950a7709d058067ec1882d877beb02e67b56b673b5e2d2b17272d2 Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.armv5l635916119ab6903aa6f8672e8c59d9c658c279b6fee9b7490abfff1b58395402 Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.armv4l92a92f68af94dfc82046ebe54a51a639d972608d2516255250cd222ad2b8fddd Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.armv7lec6125b2e7dba1419d5cb0d0ffbcd40de93826062968999d29a933f1485249dc Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.powerpc852713af646fc9ebe10d87b98556f42763cd8490bcb855847a46e6db0fced634 Miraimirai ua-wget
http://41.231.37.153/rondo.powerpc-440fp2311ce1f03fd7a7c7b2130ebcd7cf84c346e22cec9e00749835746cfd2f2efa5 Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.mips5075648683ceb6822b87509f97f7d15436d510feb0a019053084cb63eb44520d Gafgytgafgyt ua-wget
http://41.231.37.153/rondo.mipseld4d72de0e0335c9a3f3eec7cdfd93f7fcc5ee85fc1b8692b8fdab77355db7190 Gafgytgafgyt ua-wget
http://41.231.37.153/rondo.arc700a448a233d175276ab77aa4cf9fd63dd02f9e6fd5f4ee160ce99f177df7d27d11 Miraimirai ua-wget
http://41.231.37.153/rondo.sh487b5360fc1a9b326ab7cdece074614eb30e23bd0ff7b179cb121e29aac0edb31 Miraimirai ua-wget
http://41.231.37.153/rondo.sparc8ccaa9a601ec1a1750338b8074d60609b53cde76135f1761fd705428dd195bb7 Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.m68k9aedf0f1ae99ae01eed2d8edec1dd9f2a2257435a91c6a57d4b368946b0f1d18 Miraimirai ua-wget
http://41.231.37.153/rondo.armebb335b5eeaf8ea4f275a66c22322e2f35a36707979aa430ea3dadc29564f3ba09 MiraiRondoDox ua-wget
http://41.231.37.153/rondo.armebhf4e7384185cdff726ae05bad052983c0b3854bd5a3a69897d980cacef2f9a06fc RondoDoxua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
43
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
URLhaus.3736078.UNOFFICIAL
Create hunting rule

URLhaus.3736090.UNOFFICIAL
Create hunting rule

URLhaus.3736093.UNOFFICIAL
Create hunting rule

URLhaus.3736085.UNOFFICIAL
Create hunting rule

URLhaus.3736082.UNOFFICIAL
Create hunting rule

URLhaus.3736094.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
busybox masquerade
Link:
https://www.filescan.io/uploads/694cd3e084afa5547b5dc3e1/reports/45533a43-980b-45b7-aa64-f5f589f8de85/overview
Verdict:
Clean
File Type:
unix shell
Link:
https://opentip.kaspersky.com/628c8f319f2aec171effe37e8fad0faeab04abe09e9ff9c8db27e7de6b25a60e/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/628c8f319f2aec171effe37e8fad0faeab04abe09e9ff9c8db27e7de6b25a60e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/628c8f319f2aec171effe37e8fad0faeab04abe09e9ff9c8db27e7de6b25a60e/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/628c8f319f2aec171effe37e8fad0faeab04abe09e9ff9c8db27e7de6b25a60e
Threat name:
Linux.Downloader.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-25 06:04:15 UTC
File Type:
Text (Shell)
AV detection:
8 of 24 (33.33%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mkgi6mm7flwbohx74n7i7lipv2vqjk7at2p7tsg3e7t542zfuyha._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery linux persistence privilege_escalation
Link:
https://tria.ge/reports/251225-gsa3vsfk8y/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
Writes file to shm directory
Writes file to tmp directory
Reads CPU attributes
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Deletes log files
Disables AppArmor
Disables SELinux
Enumerates running processes
Write file to user bin folder
Writes file to system bin folder
File and Directory Permissions Modification
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.31
Link:
https://yomi.yoroi.company/submissions/628c8f319f2aec171effe37e8fad0faeab04abe09e9ff9c8db27e7de6b25a60e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gafgyt

sh 628c8f319f2aec171effe37e8fad0faeab04abe09e9ff9c8db27e7de6b25a60e

(this sample)

Gafgyt

elf 092a91a8ec8d2c719cb214d41f5b4429fa31dbcd29fc698f05d22c97c0f40b0c

  
URLhaus
https://urlhaus.abuse.ch/url/3736083/
  
Delivery method
Distributed via web download
  
Dropping
MD5 542833382147a9aaab56ec86e0952317
  
Dropping
SHA256 092a91a8ec8d2c719cb214d41f5b4429fa31dbcd29fc698f05d22c97c0f40b0c

Comments