stealthworker | b358b30e38d9aad71f28c95d0e50e727d41871f9df7f8e54c9299e4291fea952 | Triage

Resubmissions

22-03-2022 21:52

220322-1rbgsafcbq 10

22-03-2022 02:40

220322-c53w7aecd9 10

Sharing

General

Target

0tZjAN
Size

2.7MB
Sample

220322-c53w7aecd9
MD5

0ed58468974629e33b5c94e6df64a520
SHA1

94994b5f13367652f40ab7d37716d6fa4f334dbf
SHA256

b358b30e38d9aad71f28c95d0e50e727d41871f9df7f8e54c9299e4291fea952
SHA512

da83c3c7086d2527333909f411c1d7df1a96b12a85f0b5a21664287cd1fcb60d2555e78a97a91665165d4b4b36a83582ffcdc1d406a4ba18e196c6ea9b08b817

Score

10^/10

stealthworker antivm botnet linux

Malware Config

Targets

- Target
  
  0tZjAN
- Size
  
  2.7MB
- MD5
  
  0ed58468974629e33b5c94e6df64a520
- SHA1
  
  94994b5f13367652f40ab7d37716d6fa4f334dbf
- SHA256
  
  b358b30e38d9aad71f28c95d0e50e727d41871f9df7f8e54c9299e4291fea952
- SHA512
  
  da83c3c7086d2527333909f411c1d7df1a96b12a85f0b5a21664287cd1fcb60d2555e78a97a91665165d4b4b36a83582ffcdc1d406a4ba18e196c6ea9b08b817
Score

10^/10

stealthworker antivm botnet
- StealthWorker
  StealthWorker is golang-based brute force malware.
  botnet stealthworker
- Attempts to identify hypervisor via CPU configuration
  Checks CPU information for indicators that the system is a virtual machine.
  antivm
- Modifies hosts file
  Adds to hosts file used for mapping hosts to IP addresses.
- Writes DNS configuration
  Writes data to DNS resolver config file.
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Exfiltration

Command and Control

Dynamic Resolution

Impact

Tasks

static1

behavioral1

stealthworkerantivmbotnet