MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd23d80709df7b574e859681a96355d14042b9c364b0b9f3992745bc02fba181. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RondoDox


Vendor detections: 9


Intelligence 9 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd23d80709df7b574e859681a96355d14042b9c364b0b9f3992745bc02fba181
SHA3-384 hash: cb5e9ba744e840922f7e1f5fdd6668e96ad422b484361cf41a4ca29a02b0e8e0f9e3110b502218374eacf3c9f1660cda
SHA1 hash: caf44bcb87edebb21bd932cb8556a92a77d5b561
MD5 hash: 7cfd5bda9ba98ee5e2e0990e3a0c2be3
humanhash: tennessee-montana-undress-north
File name:rondo.x86_64
Download: download sample
Signature RondoDox
Create hunting rule
File size:115'416 bytes
First seen:2025-12-19 06:38:37 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 3072:CnFpsshBHfhecEus1v1JKHX8SkbiK6Gl:CFKsfHsHNE38wCl
TLSH T1B8B34A0AB581D5FCC8A8D2B42B9F6125D531F1A8113039AE2B84FF163DAC9543F6BAD1
telfhash t14c31c0f02d92398c31d79785738eedeaec7205250d5176e48f27fe948d57b8c0952822
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf RondoDox

Intelligence

File Origin
# of uploads :
1
# of downloads :
42
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Deleting of the original file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gafgyt mirai obfuscated
Link:
https://www.filescan.io/uploads/6944f315e126b9ff43884453/reports/172134fd-6dcf-4b64-8c02-2e50cbf7f209/overview
Verdict:
Clean
File Type:
elf.64.le
Link:
https://opentip.kaspersky.com/dd23d80709df7b574e859681a96355d14042b9c364b0b9f3992745bc02fba181/results?tab=lookup
Status:
terminated
Link:
https://sandbox.kunai.rocks/analysis/bdf8cb21-c153-4ff0-8f8a-ee226cd29664
Behavior Graph:
Download SVG
%3 guuid=fbf12fff-1600-0000-28ff-ab10490e0000 pid=3657 /usr/bin/sudo guuid=640cdd01-1700-0000-28ff-ab104a0e0000 pid=3658 /tmp/sample.bin delete-file guuid=fbf12fff-1600-0000-28ff-ab10490e0000 pid=3657->guuid=640cdd01-1700-0000-28ff-ab104a0e0000 pid=3658 execve
Malware family:
Mirai
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/245c39df-def1-49f0-8f3e-916fdd149c53
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1836108
Signature
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample deletes itself
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/dd23d80709df7b574e859681a96355d14042b9c364b0b9f3992745bc02fba181
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd23d80709df7b574e859681a96355d14042b9c364b0b9f3992745bc02fba181/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/dd23d80709df7b574e859681a96355d14042b9c364b0b9f3992745bc02fba181
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2025-12-19 06:39:18 UTC
File Type:
ELF64 Little (Exe)
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ur5qbyj355votufs2a2sy2v2faefoodmsylt44ze5c3yax3ugaq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
linux
Link:
https://tria.ge/reports/251219-hew9lsylet/
Behaviour
Deletes itself
Verdict:
Malicious
Tags:
trojan gafgyt Unix.Trojan.Mirai-7640640-0
YARA:
Linux_Trojan_Gafgyt_9e9530a7 Linux_Trojan_Gafgyt_807911a2 Linux_Trojan_Gafgyt_d4227dbf Linux_Trojan_Gafgyt_d996d335 Linux_Trojan_Gafgyt_620087b9 Linux_Trojan_Gafgyt_0cd591cd Linux_Trojan_Gafgyt_33b4111a Linux_Trojan_Gafgyt_a33a8363
Link:
https://app.threat.zone/submission/943c53c4-e80c-411f-be35-30d1bfbcc8bc
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dd23d80709df7b574e859681a96355d14042b9c364b0b9f3992745bc02fba181

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Create hunting rule
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:Linux_Trojan_Gafgyt_0cd591cd
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_33b4111a
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_620087b9
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_807911a2
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_9e9530a7
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_a33a8363
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d4227dbf
Create hunting rule
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d996d335
Create hunting rule
Author:Elastic Security
Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RondoDox

sh ee3b6aaa1edecd0ed27bcd9ab835ca41735c85263fc8219cc2a9c62f66cad920

RondoDox

elf dd23d80709df7b574e859681a96355d14042b9c364b0b9f3992745bc02fba181

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3736077/
  
Delivery method
Distributed via web download
  
Dropped by
SHA256 ee3b6aaa1edecd0ed27bcd9ab835ca41735c85263fc8219cc2a9c62f66cad920
  
Dropped by
MD5 36894f7a190f3e2eb0f6061671e7299b
  
URLhaus
https://urlhaus.abuse.ch/url/3736083/

Comments