MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a76c8182883729901d56c2ee0cc5f42d99ef804ff0da5323545af520a628de6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



CoinMiner


Vendor detections: 9



SHA256 hash: 8a76c8182883729901d56c2ee0cc5f42d99ef804ff0da5323545af520a628de6
SHA3-384 hash: 39f47a78776ec1ac1793e0122433ab85f680874d6a59b70ae2dbdc061adadf71335982a16c5ca8d423f9f1e7f31d2a48
SHA1 hash: d9711d532663f9061d0a515b19b666efcae1524a
MD5 hash: 122ad8d82189a8d3dae18d945070d14b
humanhash: juliet-oregon-thirteen-missouri
File name: rondo.aqu.sh
Signature: CoinMiner
File size: 10'876 bytes
First seen: 2026-01-12 17:43:43 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 96:hiOfWVc1dZd4cjzlZ16EMvyK6tTVRei0E3aSl4h0C9Qa+yvhQzm8Kol7Upcu+ifv:hs9W7I1vVYTSPrCNk
TLSH: T1E2220AC87BD411FA24E64842E3F3D37C9D8481ED69E78EBAE45848FD9AB0548E07DB41
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: CoinMiner sh
URL | Malware sample (SHA256 hash) | Signature | Tags
http://41.231.37.153/rondo.lol | n/a | n/a | ua-wget
http://41.231.37.153/rondo.x86_64 | 0a844c3added16ba55fc0db88afb9d87d9982f83471c954fc9f54d5b46d558b6 | Mirai | gafgyt mirai RondoDox ua-wget
http://41.231.37.153/rondo.i686 | 17f7ae49f8e81015b4ad26357507a65afc167c3d64e057ef68dc45b30ad51c3c | Mirai | mirai ua-wget
http://41.231.37.153/rondo.i586 | eb40a3a7f8ba5edd91bfa225d9f9f31358bc5233fc50561d382b518f7774980a | Mirai | mirai ua-wget
http://41.231.37.153/rondo.i486 | 8ba46030874e46aaa2e5fb21fa05d786cfb24d41f439076271f3d96c1dcb27ad | Mirai | mirai ua-wget
http://41.231.37.153/rondo.armv6l | e08a8f9b7d39e947b4cfb237e82b114c3e8993f67d45856046490a4b170845a4 | Mirai | mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv5l | a5c8a3aaf0f478e6a10340d90598a3bea27def6cea5960a27ef83b6d8d3819bb | RondoDox | mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv4l | 42557fe5dcf3a61d5978042e19695d126b331b83423fe518dfb2c9bf72972d57 | Mirai | mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv7l | d954df447abfeafc899580d9d985863b7045029c1c64fa7982857aebde535b0f | Mirai | mirai RondoDox ua-wget
http://41.231.37.153/rondo.powerpc | 79501cc73b6c589076028148fc2339affd9e417e8559064705610cc98372e818 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.powerpc-440fp | b5037bccb1c82871b75fb129874ea466fd877bf7513e05d642cdee930210a210 | Mirai | mirai RondoDox ua-wget
http://41.231.37.153/rondo.mips | 31e825d0017b4eb68b7afd69a80f84c0a5a079ef31d3fa420088c39a3ebc4547 | Gafgyt | gafgyt ua-wget
http://41.231.37.153/rondo.mipsel | 826fbd4b636f2b35253de1ec7bf904a561cf0616eeaaed0022ab4937299622f6 | Mirai | gafgyt mirai ua-wget
http://41.231.37.153/rondo.arc700 | 5c962dd26e5abde76e00bc103556830877f1d918e1a0a2a1ed7651bc9a2bed20 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.sh4 | a65e69fc4d85ca011f2ea990f0c60e0354eced0b48823af44baa4e9c7c291426 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.sparc | 56b4cd8885adff593836b6b6d6c205b2001df64cd47c4d0d0d16a65898a6b0aa | Mirai | mirai RondoDox ua-wget
http://41.231.37.153/rondo.m68k | a78f8c90eea0183dbf8d64bd03f34696159980cf3a24937138d50be267865c95 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.armeb | b335b5eeaf8ea4f275a66c22322e2f35a36707979aa430ea3dadc29564f3ba09 | Mirai | RondoDox ua-wget
http://41.231.37.153/rondo.armebhf | c672c09e8b96031b1faf2f3a877c40fab2ce986fe82f38b58d07587ae1679c33 | Mirai | mirai ua-wget

Intelligence


File Origin
# of uploads: 1
# of downloads: 57
Origin country: DE

Vendor Threat Intelligence
No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive masquerade soft-404

Verdict: Malicious
File Type: Script
Detections: HEUR:Trojan-Downloader.Shell.Agent.bc
Threat name: Script-Shell.Downloader.Heuristic
Status: Malicious
First seen: 2026-01-12 17:44:25 UTC
File Type: Text (Shell)
AV detection: 4 of 36 (11.11%)
Threat level: 2/5

Malware family:
Score: 10/10
Tags: family:xmrig antivm credential_access defense_evasion discovery execution linux miner persistence privilege_escalation
Behaviour:
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to shm directory
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads CPU attributes
Reads process memory
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Deletes log files
Enumerates running processes
Modifies init.d
Modifies rc script
Reads hardware information
Reads list of loaded kernel modules
Writes file to user bin folder
Writes file to system bin folder
File and Directory Permissions Modification
Deletes itself
Executes dropped EXE
Renames itself
XMRig Miner payload
Xmrig family
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: CoinMiner
File type: sh
SHA256 hash: 8a76c8182883729901d56c2ee0cc5f42d99ef804ff0da5323545af520a628de6 (this sample)

Delivery method: Distributed via web download
