90b5e729c46a964887ee2995f88c7d5985f010747df90a09a550495a486bc740

Analysis

max time kernel
152s
max time network
154s
platform
debian-9_armhf
resource
debian9-armhf-20231215-en
resource tags

arch:armhfimage:debian9-armhf-20231215-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
19-12-2023 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e946e8956924d95d46250d1beac6b53
Size

157KB
MD5

4e946e8956924d95d46250d1beac6b53
SHA1

09e4318782e17c3e662817005aec29ed511d1bf1
SHA256

90b5e729c46a964887ee2995f88c7d5985f010747df90a09a550495a486bc740
SHA512

f6295f2a69662ae0c9cb5a70d4037bac7dc078a13d532c3df31d852ef919ac30266db6faab3a4374fcbe2bac9b90e945a68a57c595b0627754578154c9de57ab
SSDEEP

3072:zfm3+bfkM2MFhedk++nLaa8MA8+Vo86Ooa9YEvj+uYM/9yy8j2Yp:Lm3ofJQdYLaa8MA8+Vx6OXvj+FM/9ydn

Score

9^/10

discovery

Malware Config

Signatures

Contacts a large (197206) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Changes its process name 1 IoCs

Processes:

4e946e8956924d95d46250d1beac6b53

description ioc pid process

Changes the process name, possibly in an attempt to hide itself rtsp 650 4e946e8956924d95d46250d1beac6b53
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.

System Network Connections Discovery
T1049

Processes:

description ioc

File opened for reading /proc/net/tcp
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.

System Network Configuration Discovery
T1016

Processes:

description ioc

File opened for reading /proc/net/tcp
Reads runtime system information 3 IoCs
Reads data from /proc virtual filesystem.

Processes:

description ioc

File opened for reading /proc/568/exe
File opened for reading /proc/568/maps
File opened for reading /proc/574/exe

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	rtsp	650	4e946e8956924d95d46250d1beac6b53

description	ioc
File opened for reading	/proc/net/tcp

description	ioc
File opened for reading	/proc/net/tcp

description	ioc
File opened for reading	/proc/568/exe
File opened for reading	/proc/568/maps
File opened for reading	/proc/574/exe

/tmp/4e946e8956924d95d46250d1beac6b53
/tmp/4e946e8956924d95d46250d1beac6b53
1⤵
- Changes its process name
PID:650

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Network Connections Discovery

T1049

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads