Analysis
max time kernel: 0s
max time network: 108s
platform: linux_amd64
resource: ubuntu1804-amd64-en-20211208
submitted: 03-05-2022 05:06
Static task: static1
Behavioral task: behavioral1
Sample: 426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
Resource: ubuntu1804-amd64-en-20211208
General
Target: 426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
Size: 2.7MB
MD5: 3e9b6a7bcddd52ff509f775876146464
SHA1: d57de50674cb4d1463a3c55297a8b61f2389e637
SHA256: 426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
SHA512: d6fb76725c0e3aadb9161c9dcea4dc755b988c6341d4e4f5c8c6d47131527b362498c202ff307778f1e140b73e4aee7abc34a1966aa4006dce5c469288400b3d
Malware Config
Signatures
-
StealthWorker
StealthWorker (also tracked as GoBrut) is Golang-based brute-force malware that attacks credentials of exposed services.
-
suricata: ET MALWARE GoBrut/StealthWorker Requesting Brute Force List (flowbit set)
-
suricata: ET MALWARE GoBrut/StealthWorker Service Bruter CnC Activity
-
suricata: ET MALWARE GoBrut/StealthWorker Service Bruter CnC Checkin
-
Attempts to identify hypervisor via CPU configuration (1 TTPs, 2 IoCs)
Checks CPU information for indicators that the system is a virtual machine.
Processes:
  description     ioc             process
  /proc/cpuinfo   /proc/cpuinfo   cat
  /proc/cpuinfo   /proc/cpuinfo   cat
-
Modifies hosts file (1 IoCs)
Adds to hosts file used for mapping hosts to IP addresses.
Processes:
  description   ioc
  /etc/hosts    /etc/hosts
-
Writes DNS configuration (1 TTPs, 1 IoCs)
Writes data to DNS resolver config file.
-
Reads runtime system information (6 IoCs)
Reads data from /proc virtual filesystem.
Processes:
  description                    ioc                            process
  /proc/self/exe                 /proc/self/exe                 426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
  /proc/sys/net/core/somaxconn   /proc/sys/net/core/somaxconn   426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
  /proc/version                  /proc/version                  cat
  /proc/self/exe                 /proc/self/exe                 426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
  /proc/sys/net/core/somaxconn   /proc/sys/net/core/somaxconn   426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
  /proc/version                  /proc/version                  cat
-
Writes file to tmp directory (4 IoCs)
Malware often drops required files in the /tmp directory.
Processes:
  description             ioc                     process
  /tmp/nip9iNeiph5chee    /tmp/nip9iNeiph5chee    crontab
  /tmp/[stealth].pid      /tmp/[stealth].pid
  /tmp/.pid               /tmp/.pid
  /tmp/nip9iNeiph5chee    /tmp/nip9iNeiph5chee
Processes
-
./426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
  command line: ./426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
  - Reads runtime system information
-
/bin/cat
  command line: cat /proc/version
  - Reads runtime system information
-
/bin/cat
  command line: cat /proc/cpuinfo
  - Attempts to identify hypervisor via CPU configuration
-
/bin/uname
  command line: uname -a
-
/usr/bin/getconf
  command line: getconf LONG_BIT
-
/tmp/426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb
  command line: "[stealth]"
  - Reads runtime system information
-
/bin/cat
  command line: cat /proc/version
  - Reads runtime system information
-
/bin/cat
  command line: cat /proc/cpuinfo
  - Attempts to identify hypervisor via CPU configuration
-
/bin/uname
  command line: uname -a
-
/usr/bin/getconf
  command line: getconf LONG_BIT
-
/usr/bin/crontab
  command line: /usr/bin/crontab /tmp/nip9iNeiph5chee
  - Writes file to tmp directory
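The signatures and process tree above describe a recognisable chain: a recon burst (cat /proc/version, cat /proc/cpuinfo, uname -a, getconf LONG_BIT) from one parent, a copy of the binary under /tmp re-executed with the kernel-thread-style name "[stealth]", and a crontab loaded from a file in /tmp. The Python below is an added example, not part of the sandbox report or of the sample, that turns those observations into host-based hunting checks over a simplified execve log. The log format, PIDs and the /proc/cpuinfo excerpt are constructed for the example, and the hypervisor check is the generic heuristic (the "hypervisor" CPU flag, a virtual model name), since the report does not show which strings the sample itself tests for.

```python
"""Added example: hunting checks for the StealthWorker behaviour in this
report. Not the sample's code and not part of the sandbox report.

Event format (constructed): one execve per line, "pid ppid exe|argv",
e.g. "1001 1000 /bin/cat|cat /proc/version".
"""
import re
from dataclasses import dataclass

SHA = "426f407414fb07db97da4d88630bf7a5be3ada280b39d5eff11cb727b772e1eb"

# Constructed from the report's process tree; PIDs and PPIDs are assumed.
SAMPLE_EVENTS = f"""\
1000 999 /tmp/{SHA}|./{SHA}
1001 1000 /bin/cat|cat /proc/version
1002 1000 /bin/cat|cat /proc/cpuinfo
1003 1000 /bin/uname|uname -a
1004 1000 /usr/bin/getconf|getconf LONG_BIT
1005 1000 /tmp/{SHA}|[stealth]
1006 1005 /usr/bin/crontab|/usr/bin/crontab /tmp/nip9iNeiph5chee
1007 999 /bin/cat|cat /etc/hostname
"""

# Constructed /proc/cpuinfo excerpt from a QEMU/KVM guest (flags abridged).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: QEMU Virtual CPU version 2.5+
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pat pse36 clflush mmx sse sse2 syscall nx lm hypervisor lahf_lm
"""


@dataclass(frozen=True)
class Exec:
    pid: int
    ppid: int
    exe: str
    argv: tuple


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        pid, ppid, rest = line.split(" ", 2)
        exe, _, cmd = rest.partition("|")
        events.append(Exec(int(pid), int(ppid), exe, tuple(cmd.split())))
    return events


# Reconnaissance commands the sample ran before installing persistence.
RECON_CMDS = {
    ("cat", "/proc/cpuinfo"),  # hypervisor check
    ("cat", "/proc/version"),  # kernel version
    ("uname", "-a"),
    ("getconf", "LONG_BIT"),
}


def recon_chains(events, min_hits=3):
    """Parent PIDs whose children run at least min_hits distinct recon commands.
    Requiring several hits keeps a lone 'uname -a' from an admin shell quiet."""
    by_parent = {}
    for e in events:
        key = e.argv[:2]
        if key in RECON_CMDS:
            by_parent.setdefault(e.ppid, set()).add(key)
    return {ppid for ppid, hits in by_parent.items() if len(hits) >= min_hits}


def crontab_from_tmp(events):
    """/tmp paths handed to crontab as a file argument: cron persistence
    loaded from a world-writable, routinely cleared directory."""
    hits = []
    for e in events:
        if e.exe.endswith("/crontab"):
            hits.extend(a for a in e.argv[1:] if a.startswith("/tmp/"))
    return hits


def masquerading(events):
    """Processes whose argv[0] is a bracketed kernel-thread-style name
    ("[stealth]") while exe is an ordinary file path; real kernel threads
    have no backing executable, least of all under /tmp."""
    return [e for e in events
            if e.argv and re.fullmatch(r"\[[^\]]+\]", e.argv[0]) and e.exe.startswith("/")]


def hypervisor_indicators(cpuinfo_text):
    """Generic /proc/cpuinfo VM check (the common heuristic, not the sample's
    own logic): the 'hypervisor' CPU flag or a virtual-looking model name."""
    found = []
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().lower()
        if key == "model name" and any(s in value for s in ("qemu", "virtual", "kvm")):
            found.append("model name:" + value)
        if key == "flags" and "hypervisor" in value.split():
            found.append("flags:hypervisor")
    return found


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print("recon parents:", recon_chains(ev))
    print("crontab from /tmp:", crontab_from_tmp(ev))
    print("masquerading:", [(e.pid, e.exe, e.argv) for e in masquerading(ev)])
    print("VM indicators:", hypervisor_indicators(SAMPLE_CPUINFO))
```

Run against a real host, the event source would be auditd execve records or an eBPF exec tracer rather than the constructed string, and the crontab check is worth pairing with a review of /var/spool/cron for entries pointing back into /tmp. The masquerading check is deliberately narrow: it only fires on bracketed names, which legitimate user-space programs never adopt, so it stays quiet on ordinary renamed binaries.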