MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63b7f1a4db8928360637160e67622eae244656df1c090c6f2ac8dc6f12ae5c14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	63b7f1a4db8928360637160e67622eae244656df1c090c6f2ac8dc6f12ae5c14
SHA3-384 hash:	4f54cfe3c880879490f80d2ab3eef446db0a4c30f2daa2c60521a20dbe89ab6f82a8d22ce7432bcbce14048621844519
SHA1 hash:	b457d0c331f99832bbb45da0416ded0629579a7d
MD5 hash:	9d8b49712e2aed0d3bc39a901fec3505
humanhash:	sodium-paris-nitrogen-orange
File name:	rondo.aqu.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	9'731 bytes
First seen:	2025-12-19 05:24:18 UTC
Last seen:	2025-12-19 16:03:55 UTC
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:raPEcac/iRoLngD5w5cfqp4f2tK5CFQ+eC8OSwfo+Qz:mPEcac/goLng+sCtI
TLSH	T1C61285CC76E112BF2DA98E06F1F342BD9F0C85D0E5A68EB6D84488BEF97884C705D645
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://41.231.37.153/rondo.lol	n/a	n/a	ua-wget
http://41.231.37.153/rondo.x86_64	a5f035343b91205375751e0fb4d828aef261532508ef80129ffe7a9ba8a30ed0	Gafgyt	gafgyt RondoDox ua-wget
http://41.231.37.153/rondo.i686	293a3a492aef65a88cf5434ee66ad55875deb66885871c9199296e707fb17926	Mirai	mirai ua-wget
http://41.231.37.153/rondo.i586	38b3192b7e792073bde272b917f53336ad35d17482d5140b362f697861bd2c55	Mirai	mirai ua-wget
http://41.231.37.153/rondo.i486	f1beda333a121d1fc43ca60075f62a6e9848b5d9e41ef177d934ebc7138a696f	Mirai	mirai ua-wget
http://41.231.37.153/rondo.armv6l	29ed805642950a7709d058067ec1882d877beb02e67b56b673b5e2d2b17272d2	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv5l	635916119ab6903aa6f8672e8c59d9c658c279b6fee9b7490abfff1b58395402	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv4l	92a92f68af94dfc82046ebe54a51a639d972608d2516255250cd222ad2b8fddd	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv7l	ec6125b2e7dba1419d5cb0d0ffbcd40de93826062968999d29a933f1485249dc	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.powerpc	852713af646fc9ebe10d87b98556f42763cd8490bcb855847a46e6db0fced634	Mirai	mirai ua-wget
http://41.231.37.153/rondo.powerpc-440fp	2311ce1f03fd7a7c7b2130ebcd7cf84c346e22cec9e00749835746cfd2f2efa5	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.mips	5075648683ceb6822b87509f97f7d15436d510feb0a019053084cb63eb44520d	Gafgyt	gafgyt ua-wget
http://41.231.37.153/rondo.mipsel	d4d72de0e0335c9a3f3eec7cdfd93f7fcc5ee85fc1b8692b8fdab77355db7190	Gafgyt	gafgyt ua-wget
http://41.231.37.153/rondo.arc700	a448a233d175276ab77aa4cf9fd63dd02f9e6fd5f4ee160ce99f177df7d27d11	Mirai	mirai ua-wget
http://41.231.37.153/rondo.sh4	87b5360fc1a9b326ab7cdece074614eb30e23bd0ff7b179cb121e29aac0edb31	Mirai	mirai ua-wget
http://41.231.37.153/rondo.sparc	8ccaa9a601ec1a1750338b8074d60609b53cde76135f1761fd705428dd195bb7	Mirai	mirai RondoDox ua-wget
http://41.231.37.153/rondo.m68k	9aedf0f1ae99ae01eed2d8edec1dd9f2a2257435a91c6a57d4b368946b0f1d18	Mirai	mirai ua-wget
http://41.231.37.153/rondo.armeb	b335b5eeaf8ea4f275a66c22322e2f35a36707979aa430ea3dadc29564f3ba09	Mirai	RondoDox ua-wget
http://41.231.37.153/rondo.armebhf	4e7384185cdff726ae05bad052983c0b3854bd5a3a69897d980cacef2f9a06fc	RondoDox	ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

URLhaus.3736077.UNOFFICIAL

URLhaus.3736084.UNOFFICIAL

URLhaus.3736078.UNOFFICIAL

URLhaus.3736088.UNOFFICIAL

URLhaus.3736090.UNOFFICIAL

URLhaus.3736079.UNOFFICIAL

URLhaus.3736086.UNOFFICIAL

URLhaus.3736093.UNOFFICIAL

URLhaus.3736081.UNOFFICIAL

URLhaus.3736087.UNOFFICIAL

URLhaus.3736089.UNOFFICIAL

URLhaus.3736085.UNOFFICIAL

URLhaus.3736082.UNOFFICIAL

URLhaus.3736091.UNOFFICIAL

URLhaus.3736080.UNOFFICIAL

URLhaus.3736092.UNOFFICIAL

URLhaus.3736094.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox masquerade

Link:

https://www.filescan.io/uploads/6944e1c5e126b9ff43882e3f/reports/e518d3f8-9eb0-48ac-8edb-7a938a515065/overview

Verdict:

Adware

File Type:

unix shell

First seen:

2025-12-19T02:30:00Z UTC

Last seen:

2025-12-19T03:23:00Z UTC

Hits:

~10

Detections:

not-a-virus:HEUR:Downloader.Shell.Miner.a

Link:

https://opentip.kaspersky.com/63b7f1a4db8928360637160e67622eae244656df1c090c6f2ac8dc6f12ae5c14/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/6eb27b52-e584-4835-aa34-9a5352b4307b

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/63b7f1a4db8928360637160e67622eae244656df1c090c6f2ac8dc6f12ae5c14

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/63b7f1a4db8928360637160e67622eae244656df1c090c6f2ac8dc6f12ae5c14/

Verdict:

Malicious

Threat:

Downloader.Shell.Miner

Link:

https://tip.neiki.dev/file/63b7f1a4db8928360637160e67622eae244656df1c090c6f2ac8dc6f12ae5c14

Threat name:

Win32.Trojan.Vigorf

Status:

Malicious

First seen:

2025-12-19 05:25:29 UTC

File Type:

Text (Shell)

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mo37djg3reudmbrxcyhgoyrovysemvw7dqeqy3zkzdog6evolqka._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux persistence privilege_escalation

Link:

https://tria.ge/reports/251219-f3zcrshp9t/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to shm directory

Writes file to tmp directory

Reads CPU attributes

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Deletes log files

Disables AppArmor

Disables SELinux

Enumerates running processes

Write file to user bin folder

Writes file to system bin folder

File and Directory Permissions Modification

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.34

Link:

https://yomi.yoroi.company/submissions/63b7f1a4db8928360637160e67622eae244656df1c090c6f2ac8dc6f12ae5c14

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh