Analysis

  • max time kernel
    0s
  • max time network
    108s
  • platform
    linux_amd64
  • resource
    ubuntu1804-amd64-en-20211208
  • submitted
    03-05-2022 05:06

General

  • Target

    426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb

  • Size

    2.7MB

  • MD5

    3e9b6a7bcddd52ff509f775876146464

  • SHA1

    d57de50674cb4d1463a3c55297a8b61f2389e637

  • SHA256

    426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb

  • SHA512

    d6fb76725c0e3aadb9161c9dcea4dc755b988c6341d4e4f5c8c6d47131527b362498c202ff307778f1e140b73e4aee7abc34a1966aa4006dce5c469288400b3d

Malware Config

Signatures

  • StealthWorker

    StealthWorker is Golang-based brute-force malware.

  • suricata: ET MALWARE GoBrut/StealthWorker Requesting Brute Force List (flowbit set)

  • suricata: ET MALWARE GoBrut/StealthWorker Service Bruter CnC Activity

  • suricata: ET MALWARE GoBrut/StealthWorker Service Bruter CnC Checkin

  • Attempts to identify hypervisor via CPU configuration (1 TTP, 2 IoCs)

    Checks CPU information for indicators that the system is a virtual machine.

  • Modifies hosts file (1 IoC)

    Adds entries to the hosts file, which maps hostnames to IP addresses.

  • Writes DNS configuration (1 TTP, 1 IoC)

    Writes data to the DNS resolver configuration file.

  • Reads runtime system information (6 IoCs)

    Reads data from the /proc virtual filesystem.

  • Writes file to tmp directory (4 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • ./426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
    ./426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
    1⤵
    • Reads runtime system information
    PID:581
    • /bin/cat
      cat /proc/version
      2⤵
      • Reads runtime system information
      PID:589
  • /bin/cat
    cat /proc/cpuinfo
    1⤵
    • Attempts to identify hypervisor via CPU configuration
    PID:590
  • /bin/uname
    uname -a
    1⤵
    PID:591
  • /usr/bin/getconf
    getconf LONG_BIT
    1⤵
    PID:592
  • /tmp/426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
    "[stealth]"
    1⤵
    • Reads runtime system information
    PID:593
    • /bin/cat
      cat /proc/version
      2⤵
      • Reads runtime system information
      PID:597
  • /bin/cat
    cat /proc/cpuinfo
    1⤵
    • Attempts to identify hypervisor via CPU configuration
    PID:598
  • /bin/uname
    uname -a
    1⤵
    PID:599
  • /usr/bin/getconf
    getconf LONG_BIT
    1⤵
    PID:600
  • /usr/bin/crontab
    /usr/bin/crontab /tmp/nip9iNeiph5chee
    1⤵
    • Writes file to tmp directory
    PID:602

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    Virtualization/Sandbox Evasion (1): T1497

  • Discovery
    Virtualization/Sandbox Evasion (1): T1497

  • Command and Control
    Dynamic Resolution (1): T1568
