MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea572aa1601efb862ff287734c66674af0352a64884da58dccd5c57f6c834d37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RondoDox


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea572aa1601efb862ff287734c66674af0352a64884da58dccd5c57f6c834d37
SHA3-384 hash: 42289350cd3fcb283b5d39f3ed47ac86f3bdcd09a1ff268f2fe31bc01704ffdf093d66ef6f98cda87e9ac396aef7746e
SHA1 hash: 1b617a8f5dc3d08f36b6363a1b152dc0c890e5f1
MD5 hash: 822f4982f63c0cb80b7bf2533bab782b
humanhash: double-cup-iowa-early
File name:rondo.aqu.sh
Download: download sample
Signature RondoDox
Create hunting rule
File size:10'876 bytes
First seen:2026-01-11 17:21:17 UTC
Last seen:Never
File type: sh
MIME type:text/x-shellscript
ssdeep 192:hs9W7I1vVYTSPZ5K575e5p5U5n5C575Q5a5Z5c505jCv5/55o5A5Y:hu19YTGCpw
TLSH T1C52207CC75CCE1BA29EFCC426197827C9A48C2E174778DA9E47948F29AB04CC605D7F1
TrID 70.0% (.SH) Linux/UNIX shell script (7000/1)
30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika shell
Reporter abuse_ch
Tags:RondoDox sh
URLMalware sample (SHA256 hash)SignatureTags
http://41.231.37.153/rondo.loln/an/aua-wget
http://41.231.37.153/rondo.x86_64a5f035343b91205375751e0fb4d828aef261532508ef80129ffe7a9ba8a30ed0 Gafgytgafgyt RondoDox ua-wget
http://41.231.37.153/rondo.i686n/an/amirai ua-wget
http://41.231.37.153/rondo.i586eb40a3a7f8ba5edd91bfa225d9f9f31358bc5233fc50561d382b518f7774980a Miraimirai ua-wget
http://41.231.37.153/rondo.i486f1beda333a121d1fc43ca60075f62a6e9848b5d9e41ef177d934ebc7138a696f Miraimirai ua-wget
http://41.231.37.153/rondo.armv6le08a8f9b7d39e947b4cfb237e82b114c3e8993f67d45856046490a4b170845a4 Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.armv5la5c8a3aaf0f478e6a10340d90598a3bea27def6cea5960a27ef83b6d8d3819bb RondoDoxmirai RondoDox ua-wget
http://41.231.37.153/rondo.armv4l92a92f68af94dfc82046ebe54a51a639d972608d2516255250cd222ad2b8fddd Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.armv7lec6125b2e7dba1419d5cb0d0ffbcd40de93826062968999d29a933f1485249dc Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.powerpc852713af646fc9ebe10d87b98556f42763cd8490bcb855847a46e6db0fced634 Miraimirai ua-wget
http://41.231.37.153/rondo.powerpc-440fp2311ce1f03fd7a7c7b2130ebcd7cf84c346e22cec9e00749835746cfd2f2efa5 Miraimirai RondoDox ua-wget
http://41.231.37.153/rondo.mips5075648683ceb6822b87509f97f7d15436d510feb0a019053084cb63eb44520d Gafgytgafgyt ua-wget
http://41.231.37.153/rondo.mipsel826fbd4b636f2b35253de1ec7bf904a561cf0616eeaaed0022ab4937299622f6 Miraigafgyt mirai ua-wget
http://41.231.37.153/rondo.arc700n/an/amirai ua-wget
http://41.231.37.153/rondo.sh4n/an/amirai ua-wget
http://41.231.37.153/rondo.sparcn/an/amirai RondoDox ua-wget
http://41.231.37.153/rondo.m68kb1cb071443ab306df0445b74bcbe27535153c2178561be77f58ee03002fa9d00 Miraimirai ua-wget
http://41.231.37.153/rondo.armebb335b5eeaf8ea4f275a66c22322e2f35a36707979aa430ea3dadc29564f3ba09 MiraiRondoDox ua-wget
http://41.231.37.153/rondo.armebhfn/an/aua-wget

Intelligence

File Origin
# of uploads :
1
# of downloads :
21
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
URLhaus.3736084.UNOFFICIAL
Create hunting rule

URLhaus.3736078.UNOFFICIAL
Create hunting rule

URLhaus.3736089.UNOFFICIAL
Create hunting rule

URLhaus.3736085.UNOFFICIAL
Create hunting rule

URLhaus.3736082.UNOFFICIAL
Create hunting rule

URLhaus.3736091.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
busybox evasive masquerade
Link:
https://www.filescan.io/uploads/6963dc2130368802bb805de1/reports/deb7e16c-7bd0-438a-a2d7-f7a19db12420/overview
Result
Gathering data
Verdict:
Malicious
File Type:
unix shell
Detections:
HEUR:Trojan-Downloader.Shell.Agent.bc
Link:
https://opentip.kaspersky.com/ea572aa1601efb862ff287734c66674af0352a64884da58dccd5c57f6c834d37/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ea572aa1601efb862ff287734c66674af0352a64884da58dccd5c57f6c834d37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea572aa1601efb862ff287734c66674af0352a64884da58dccd5c57f6c834d37/
Verdict:
Malicious
Threat:
Family.MIRAI
Link:
https://tip.neiki.dev/file/ea572aa1601efb862ff287734c66674af0352a64884da58dccd5c57f6c834d37
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5jlsvilad35yml7sq5zuyzthjlydkkterbg2ldom2xcx63edju3q._file
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig antivm credential_access defense_evasion discovery execution linux miner persistence privilege_escalation
Link:
https://tria.ge/reports/260111-vw7swsay3b/
Behaviour
Enumerates kernel/hardware configuration
Reads runtime system information
System Network Configuration Discovery
Writes file to shm directory
Writes file to tmp directory
Changes its process name
Checks CPU configuration
Reads CPU attributes
Reads process memory
Abuse Elevation Control Mechanism: Sudo and Sudo Caching
Checks hardware identifiers (DMI)
Creates/modifies Cron job
Deletes log files
Enumerates running processes
Modifies init.d
Modifies rc script
Reads hardware information
Reads list of loaded kernel modules
Write file to user bin folder
Writes file to system bin folder
File and Directory Permissions Modification
Deletes itself
Executes dropped EXE
Renames itself
XMRig Miner payload
Xmrig family
xmrig
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.31
Link:
https://yomi.yoroi.company/submissions/ea572aa1601efb862ff287734c66674af0352a64884da58dccd5c57f6c834d37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MAL_Linux_IoT_MultiArch_BotnetLoader_Generic
Create hunting rule
Author:Anish Bogati
Description:Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:MalwareBazaar sample lilin.sh

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RondoDox

sh ea572aa1601efb862ff287734c66674af0352a64884da58dccd5c57f6c834d37

(this sample)

Gafgyt

elf a5f035343b91205375751e0fb4d828aef261532508ef80129ffe7a9ba8a30ed0

  
URLhaus
https://urlhaus.abuse.ch/url/3736083/
  
Delivery method
Distributed via web download
  
Dropping
MD5 2ad24dde37606ce27ea5d5eec2636c95
  
Dropping
SHA256 a5f035343b91205375751e0fb4d828aef261532508ef80129ffe7a9ba8a30ed0

Comments