MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69dd6cc4fbc3d6f9abeaf54f07b2bb7f34963bac59b58343dfa34a4ab9092e18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RondoDox

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	69dd6cc4fbc3d6f9abeaf54f07b2bb7f34963bac59b58343dfa34a4ab9092e18
SHA3-384 hash:	f39776cc6b758c187ed89ab203ebe498609aa5d0657b2c2c30b55b481f3e484a6382fae7e2901ef2490e992a65426469
SHA1 hash:	66e2864240e4680796d7dcc4f6acecba8d363300
MD5 hash:	11cba098f9e140f02a5d0d537a62f49c
humanhash:	asparagus-mike-bluebird-wyoming
File name:	rondo.uzz.sh
Download:	download sample
Signature	RondoDox Create hunting rule
File size:	8'441 bytes
First seen:	2025-11-28 06:07:22 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:xiRoLngDuyPIkcyPWtyPLCyPB2wsyPNQyPotyPi7byPNzKUKyPuRyPacBgpyPbK5:xgoLngJQ8pFbVzvtTpBgMNAe5tpq
TLSH	T15002288958C00BF260DD450772C3D67CBC49C2FE6573AEBEE8A548BEE570954B0AE784
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	RondoDox sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://74.194.191.52/rondo.lol	n/a	n/a	elf ua-wget
http://74.194.191.52/rondo.armv6l	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.armv5l	65ae3072d2b63d50244b979443172a874dd7ba8157743d6ca1bc51014595225c	RondoDox	elf geofenced ITA mirai RondoDox ua-wget
http://74.194.191.52/rondo.armv4l	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.armv7l	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.mipsel	9424c99087c5ee58e153eb7e6ac57dad449093bee74ddeb12a5f1ca344a95a1e	RondoDox	elf geofenced HUN mirai ua-wget
http://74.194.191.52/rondo.mips	n/a	n/a	elf mirai ua-wget
http://74.194.191.52/rondo.x86_64	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.powerpc	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.powerpc-440fp	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.i686	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.i586	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.i486	n/a	n/a	elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.arc700	n/a	n/a	CHE elf geofenced mirai ua-wget USA
http://74.194.191.52/rondo.sh4	ee62ba350ea11f7f3d18db104eaa339ca21459c9e986859e356add6d95aa88b8	RondoDox	elf geofenced HUN mirai ua-wget
http://74.194.191.52/rondo.sparc	0e8c75c260f3e61faa02cbe9b33546b86ace79b89725124b6f10f1809fabe764	RondoDox	DEU elf geofenced mirai ua-wget
http://74.194.191.52/rondo.m68k	n/a	n/a	elf geofenced HNG mirai ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox masquerade

Link:

https://www.filescan.io/uploads/69293c4d2cd29ea63002b366/reports/bcc7efb3-ca0a-4e53-b4c7-c102287ecc3e/overview

Result

Gathering data

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/0a296375-b595-404b-9dc0-b945f97d4307

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/69dd6cc4fbc3d6f9abeaf54f07b2bb7f34963bac59b58343dfa34a4ab9092e18

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/69dd6cc4fbc3d6f9abeaf54f07b2bb7f34963bac59b58343dfa34a4ab9092e18/

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nhowzrh3yplptk7k6vhqpmv3p42jmo5mlg2ygq67unfevoijfyma._file

Result

Malware family:

rondodox

Score:

10/10

Tags:

family:rondodox botnet defense_evasion discovery linux persistence

Link:

https://tria.ge/reports/251128-gvyxpsak6w/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to shm directory

Writes file to tmp directory

Reads CPU attributes

Deletes log files

Disables AppArmor

Disables SELinux

Enumerates running processes

Write file to user bin folder

Writes file to system bin folder

File and Directory Permissions Modification

Detects RondoDox Payload

RondoDox

Rondodox family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.29

Link:

https://yomi.yoroi.company/submissions/69dd6cc4fbc3d6f9abeaf54f07b2bb7f34963bac59b58343dfa34a4ab9092e18

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RondoDox

sh 69dd6cc4fbc3d6f9abeaf54f07b2bb7f34963bac59b58343dfa34a4ab9092e18

(this sample)

hta e480c5556efd90bf1c71eb9a645ad1c7c31b2610f68aec7ac57a28218446484c

URLhaus

https://urlhaus.abuse.ch/url/3681743/

Delivery method

Distributed via web download

Dropping

MD5 2d5e910108a99d4743fbb660af282456

Dropping

SHA256 e480c5556efd90bf1c71eb9a645ad1c7c31b2610f68aec7ac57a28218446484c

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample