Analysis Overview
SHA256
1f94e02d6d6f7b445149cd62d8275b7b627a2df507860558f6c374f80dc94fc6
Threat Level: Known bad
The file ea098fa13658a107dabf7c408674d391 was found to be: Known bad.
Malicious Activity Summary
StealthWorker payload
Stealthworker family
Creates/modifies Cron job
Reads runtime system information
Writes file to tmp directory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-20 16:36
Signatures
StealthWorker payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stealthworker family
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-20 16:36
Reported
2023-12-22 12:38
Platform
ubuntu1804-amd64-20231215-en
Max time kernel
153s
Max time network
156s
Command Line
Signatures
Creates/modifies Cron job
| Description | Indicator | Process | Target |
| File opened for modification | /var/spool/cron/crontabs/tmp.QjAKpo | /usr/bin/crontab | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/sys/net/core/somaxconn | /tmp/ea098fa13658a107dabf7c408674d391 | N/A |
| File opened for reading | /proc/sys/net/core/somaxconn | /tmp/ea098fa13658a107dabf7c408674d391 | N/A |
Writes file to tmp directory
| Description | Indicator | Process | Target |
| File opened for modification | /tmp/pid | /tmp/ea098fa13658a107dabf7c408674d391 | N/A |
| File opened for modification | /tmp/nip9iNeiph5chee | /tmp/ea098fa13658a107dabf7c408674d391 | N/A |
| File opened for modification | /tmp/[stealth].pid | /tmp/ea098fa13658a107dabf7c408674d391 | N/A |
Processes
/tmp/ea098fa13658a107dabf7c408674d391
[/tmp/ea098fa13658a107dabf7c408674d391]
/tmp/ea098fa13658a107dabf7c408674d391
[[stealth]]
/usr/bin/crontab
[/usr/bin/crontab /tmp/nip9iNeiph5chee]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 151.101.2.49:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.194.49:443 | cdn.fwupd.org | tcp |
| GB | 89.187.167.2:443 | | tcp |
| GB | 185.125.188.61:443 | | tcp |
| GB | 185.125.188.62:443 | | tcp |
| US | 151.101.193.91:443 | | tcp |
| BG | 185.205.209.131:7000 | | tcp |
| BG | 185.205.209.131:7000 | | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.7:443 | 1527653184.rsc.cdn77.org | tcp |
| BG | 185.205.209.131:7000 | | tcp |
The final row (185.205.209.131:7000, tcp, no domain) appears 160 times in the original report; the identical rows are listed once here.
Files
/tmp/[stealth].pid
| MD5 | 819c9fbfb075d62a16393b9fe4fcbaa5 |
| SHA1 | 8959169251e7394bcf4b9004326f83e266a06bfb |
| SHA256 | 50a0a04f2d67b4a26d3aaa163fa2fb0d80a5457716579587cc45ce5bc89d8fce |
| SHA512 | 1a2836932a771fac43e720d14d8df08c3e32ca5d6d335ae38788fa774e05568c6c05a7c5531ab745b8ec7a9d410f7460ea86c3f5fb6fc097a991170cf26feb57 |