85c3bb78f60519055314fd2cbc9652211624cf62e12da00c14d31291ef25c5c8

Resubmissions

25/11/2023, 16:38

231125-t5eyssca6s 10

25/11/2023, 16:35

231125-t36nqsca5y 10

Analysis

max time kernel
306s
max time network
308s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231026-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231026-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
25/11/2023, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/b/run
Size

109KB
MD5

85a925d6d5ade4c8c18abcbc5d7e1865
SHA1

670e14b59e5644ea9a2b3ee0fea74d461367fbf5
SHA256

2c65ad038df140aa929acfa8e682df6231e22eaaa0b860c270dea9acb2ca1d26
SHA512

5d019c480babbda7bb1ef9f1cfad7413259dbf17fc9c0a0a1049db72eea52100cb04b848a7ee082063dc9a8370769396ad0fe3f753313547e9497c37c851e29c
SSDEEP

1536:EfbpT8PqfZOHV2lyG6dkLpUqE3VuQz7lG6dkLpUqE3VuQz7a:yZuXdkODXdkOY

Score

7^/10

Malware Config

Signatures

Changes its process name 3 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	rsync	1566	perl
Changes the process name, possibly in an attempt to hide itself	rsync	1571	perl
Changes the process name, possibly in an attempt to hide itself	rsync	1576	perl

/tmp/.rsync/b/run
/tmp/.rsync/b/run
1⤵
PID:1557
- /usr/bin/nohup
  nohup ./stop
  2⤵
  PID:1558
- /bin/sleep
  sleep 5
  2⤵
  PID:1559
- /tmp/.rsync/b/stop
  ./stop
  2⤵
  PID:1558
- /usr/bin/base64
  base64 --decode
  2⤵
  PID:1565
- /usr/bin/perl
  perl
  2⤵
  - Changes its process name
  PID:1566
- - /usr/local/sbin/uname
    uname -a
    3⤵
    PID:1567
- - /usr/local/bin/uname
    uname -a
    3⤵
    PID:1567
- - /usr/sbin/uname
    uname -a
    3⤵
    PID:1567
- - /usr/bin/uname
    uname -a
    3⤵
    PID:1567
- - /sbin/uname
    uname -a
    3⤵
    PID:1567
- - /bin/uname
    uname -a
    3⤵
    PID:1567
- /usr/bin/perl
  perl
  2⤵
  - Changes its process name
  PID:1571
- - /usr/local/sbin/uname
    uname -a
    3⤵
    PID:1572
- - /usr/local/bin/uname
    uname -a
    3⤵
    PID:1572
- - /usr/sbin/uname
    uname -a
    3⤵
    PID:1572
- - /usr/bin/uname
    uname -a
    3⤵
    PID:1572
- - /sbin/uname
    uname -a
    3⤵
    PID:1572
- - /bin/uname
    uname -a
    3⤵
    PID:1572
- /usr/bin/base64
  base64 --decode
  2⤵
  PID:1570
- /usr/bin/base64
  base64 --decode
  2⤵
  PID:1575
- /usr/bin/perl
  perl
  2⤵
  - Changes its process name
  PID:1576
- - /usr/local/sbin/uname
    uname -a
    3⤵
    PID:1577
- - /usr/local/bin/uname
    uname -a
    3⤵
    PID:1577
- - /usr/sbin/uname
    uname -a
    3⤵
    PID:1577
- - /usr/bin/uname
    uname -a
    3⤵
    PID:1577
- - /sbin/uname
    uname -a
    3⤵
    PID:1577
- - /bin/uname
    uname -a
    3⤵
    PID:1577

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads