MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e757f9cca122d5fc5a9f6fa40c3a61addc5c641193ba7e24085d208fc6c82ec6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gafgyt

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	e757f9cca122d5fc5a9f6fa40c3a61addc5c641193ba7e24085d208fc6c82ec6
SHA3-384 hash:	a480713d3295ab25f71dd97fbcc762bae1d84181be6ac12bb7e4139e844aee28d09084944d1e129dc08a724d1ca2672b
SHA1 hash:	2a8075a4d3fa48842e986563baf4cec6d625907d
MD5 hash:	cbc0db96d5f4749b2166d2426ba164e2
humanhash:	dakota-white-massachusetts-burger
File name:	rondo.aqu.sh
Download:	download sample
Signature	Gafgyt Create hunting rule
File size:	9'432 bytes
First seen:	2025-12-26 13:10:53 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	96:Ax0iRoLngDHPC5hCwCXCyCFCICjCuCsYCvCuC9CLCeC5CwRCqiCo+FCz:g0goLng+kC32
TLSH	T19412B28C71C013F66EE5B8C7539382BC8D46A1E1E57B89B6D8488AF65EF044CA06D773
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://41.231.37.153/rondo.lol	n/a	n/a	ua-wget
http://41.231.37.153/rondo.x86_64	092a91a8ec8d2c719cb214d41f5b4429fa31dbcd29fc698f05d22c97c0f40b0c	Gafgyt	gafgyt RondoDox ua-wget
http://41.231.37.153/rondo.i686	6d2acf6dadd434eba2646ab214b943fc57c5ee6ee6294c71e3e1cecb71b532f0	Mirai	mirai ua-wget
http://41.231.37.153/rondo.i586	4312bc23da1046b884de3be3326540afe18b423df3b0f13958219f87fceb81d6	Mirai	mirai ua-wget
http://41.231.37.153/rondo.i486	n/a	n/a	mirai ua-wget
http://41.231.37.153/rondo.armv6l	76817011188dc0939fc026be83fdbf48be41ea362a8c9146195761cd71ab57d4	RondoDox	mirai ua-wget
http://41.231.37.153/rondo.armv5l	60b6bdfb2e378d6749ad4f69dcd61b2255dee10067cdb863fc4eb0bb9a07e34b	RondoDox	mirai RondoDox ua-wget
http://41.231.37.153/rondo.armv4l	e376b8a3af155f4d9c2408fea4d4266ba9cf165317cf06d42a048b37e549186f	Mirai	mirai ua-wget
http://41.231.37.153/rondo.armv7l	c53c1790a9133621d8e6e4611e981d26a3b338ff2d4c2921960fedba9d96354e	RondoDox	mirai RondoDox ua-wget
http://41.231.37.153/rondo.powerpc	a3b5397d5249497bd52e5a46635f135cd668e56ade104be100e6add9291fcb61	Mirai	mirai ua-wget
http://41.231.37.153/rondo.powerpc-440fp	n/a	n/a	mirai RondoDox ua-wget
http://41.231.37.153/rondo.mips	1150d27a2f9e1bc4bd7e100fe6436a1318357963b6b1b25b381816e7f13e3904	Gafgyt	gafgyt ua-wget
http://41.231.37.153/rondo.mipsel	a9d3f2d841cc1f2e1cffc45d498c7d082b370079702bec3a65bc294a33a9910a	Gafgyt	gafgyt ua-wget
http://41.231.37.153/rondo.arc700	1a1f3f0486a05ac160306cc1a7da24b9e6964b1298e915e363bba4612751a969	Mirai	mirai ua-wget
http://41.231.37.153/rondo.sh4	n/a	n/a	mirai ua-wget
http://41.231.37.153/rondo.sparc	n/a	n/a	mirai ua-wget
http://41.231.37.153/rondo.m68k	0e571eaa740bcbb03d1d7d93df6630cbcedaedd0c3bdeabdf4df6f54fdacc248	Mirai	mirai ua-wget
http://41.231.37.153/rondo.armeb	n/a	n/a	RondoDox ua-wget
http://41.231.37.153/rondo.armebhf	n/a	n/a	ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Detection(s):

URLhaus.3736084.UNOFFICIAL

URLhaus.3736090.UNOFFICIAL

URLhaus.3736079.UNOFFICIAL

URLhaus.3736086.UNOFFICIAL

URLhaus.3736082.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

busybox masquerade

Link:

https://www.filescan.io/uploads/694e89723f8fdbf8e952b054/reports/44e6c58d-7788-4ccf-9ae4-40e40f08971b/overview

Result

Gathering data

Verdict:

Clean

File Type:

unix shell

Link:

https://opentip.kaspersky.com/e757f9cca122d5fc5a9f6fa40c3a61addc5c641193ba7e24085d208fc6c82ec6/results?tab=lookup

Status:

Failed

Link:

https://sandbox.kunai.rocks/analysis/dddb0f1d-c48a-4c62-936d-123e91f2d511

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e757f9cca122d5fc5a9f6fa40c3a61addc5c641193ba7e24085d208fc6c82ec6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e757f9cca122d5fc5a9f6fa40c3a61addc5c641193ba7e24085d208fc6c82ec6/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/e757f9cca122d5fc5a9f6fa40c3a61addc5c641193ba7e24085d208fc6c82ec6

Gathering data

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=45l7ttfbelk7ywu7n6sayotbvxofyzarso5h4jailuqi7rwif3da._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux persistence privilege_escalation

Link:

https://tria.ge/reports/251226-qe2hbszmap/

Behaviour

Enumerates kernel/hardware configuration

Reads runtime system information

Writes file to shm directory

Writes file to tmp directory

Reads CPU attributes

Abuse Elevation Control Mechanism: Sudo and Sudo Caching

Deletes log files

Disables AppArmor

Disables SELinux

Enumerates running processes

Write file to user bin folder

Writes file to system bin folder

File and Directory Permissions Modification

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh