Overview

overview

10

Static

static

10

Malware-ma...er.hta

windows7-x64

3

Malware-ma...er.hta

windows10-2004-x64

8

Malware-ma...075.js

windows7-x64

1

Malware-ma...075.js

windows10-2004-x64

1

Malware-ma...jan.js

windows7-x64

1

Malware-ma...jan.js

windows10-2004-x64

1

Malware-ma...Mozi.m

debian-9-armhf

9

Malware-ma...Mozi.a

debian-9-mips

8

Malware-ma...Mozi.m

debian-9-mipsel

1

Malware-ma...us.arm

debian-9-armhf

9

Malware-ma.../ELF/e

ubuntu-18.04-amd64

Malware-ma.../ELF/f

ubuntu-18.04-amd64

1

Malware-ma...rmfile

ubuntu-18.04-amd64

10

Malware-ma.../ELF/m

ubuntu-18.04-amd64

6

Malware-ma...ELF/m1

ubuntu-18.04-amd64

6

Malware-ma...F/m68k

ubuntu-18.04-amd64

Malware-ma...F/m68k

debian-9-armhf

Malware-ma...F/m68k

debian-9-mips

Malware-ma...F/m68k

debian-9-mipsel

Malware-ma...F/mips

debian-9-mips

9

Malware-ma...LF/ppc

ubuntu-18.04-amd64

Malware-ma...LF/ppc

debian-9-armhf

Malware-ma...LF/ppc

debian-9-mips

Malware-ma...LF/ppc

debian-9-mipsel

Malware-ma...LF/sh4

ubuntu-18.04-amd64

Malware-ma...LF/sh4

debian-9-armhf

Malware-ma...LF/sh4

debian-9-mips

Malware-ma...LF/sh4

debian-9-mipsel

Malware-ma...LF/x86

ubuntu-18.04-amd64

10

Malware-ma...oad.js

windows7-x64

1

Malware-ma...oad.js

windows10-2004-x64

1

Malware-ma...e64.js

windows7-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Malware-master.zip

  • Size

    18.3MB

  • Sample

    231226-hvh2xsbca3

  • MD5

    67f2f74a83633f2da3df8b0c77955884

  • SHA1

    d6b4f46d0688df2a090f8ed8a98b41f040ea32aa

  • SHA256

    418b34fe8f70f8449742f56607d810bc1d011b9ab4d32f3c2999334d7ddfe2b4

  • SHA512

    36e55bdd9ebbf21bfb49acb9b8a9dd02f200161e4c916d5ffa09ff99376abf3d3fef0a8c316184d70e09bb83e6292ae2b05478817a5b77d8ff7e6d6a1195b0f7

  • SSDEEP

    393216:K6fb3LZPdJrHsCaRxzcD2fyvLXYkWiod+vjqRAbs7X4+dQDgX:K6fDNlFHsCaRRc5uKQTDdQMX

Score
10/10
miraixmrigkytonlzrdunstableantivmbotnetdiscoverylinuxminerpersistencepyinstallerupx

Malware Config

Extracted

Family

mirai

Botnet

LZRD

Extracted

Family

mirai

Botnet

KYTON

Extracted

Family

mirai

Botnet

KYTON

Extracted

Family

mirai

C2

8.8.8.8

Extracted

Family

mirai

C2

o.do.do

Extracted

Family

mirai

Botnet

UNSTABLE

Extracted

Family

mirai

Botnet

KYTON

Targets

    • Target

      Malware-master/HTML,HTM, HTA Exploit/New Order.hta

    • Size

      12KB

    • MD5

      0dbe7c34c61b5a8e18246b2788fa463e

    • SHA1

      627f2c10f3ff10febb39ca31d583973c7e27fa6a

    • SHA256

      cddc4a76493dd94858727d66873d254696eee5cb60f67fe91b0b4b133ecee878

    • SHA512

      5f90b089dd0e03b7d7dc0dda9276405bbe8baf03e23a86e98058f7ee16bb1f12846b22763f63c4360b24713453ba3c7daa13cc6b6681e25824c573043e835c21

    • SSDEEP

      192:Q6Z7bZI9d9B9h9p9W9h9g90Za9sb9ei/IRr:Q6V2rHnPOnI0EOZIl

    Score
    8/10

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

    • Target

      Malware-master/HTML,HTM, HTA Exploit/html-trojan-agent-37075

    • Size

      267KB

    • MD5

      8bdb0a184d878077f0f1bbcf423e27ae

    • SHA1

      275d87403b095e538187c0b22a30b43ab084457b

    • SHA256

      68b913d4f53adbeb8ec18a3ddee6880d8489fdfd13053c9133cfd3be7d643e8d

    • SHA512

      35d9bb1e5a255946603da4dc81f453a7161dc17490745a0e69547aa6e668db8f033da8c6bdde048f1d907a1c7aa8c438efa6c5cd8049635722acb51820861dd2

    • SSDEEP

      3072:PyyMGaCiDH1t7+M38K+R3wglQEDExWUUQdAP5oban7NkL7Puivfgr:PysaR71t7+M38K+R3ZhhUUYAPKqIzAr

    Score
    1/10
    behavioral3behavioral4

    • Target

      Malware-master/HTML,HTM, HTA Exploit/trojan.obfus-263

    • Size

      32KB

    • MD5

      fb82b773f1e8ba4f664f03d4748727a6

    • SHA1

      d13c8ae45565efb782b52cb7f6a3b3828e3d77a7

    • SHA256

      bf0e17523e8f57ccb02223b6e5adea462a5479afc4e79d9cbf80ca7f6186dc69

    • SHA512

      a1924beaa6acc20cb43a093454518f646752deb87aee11fe54fd2a796d916b8a2fd7efa265df71fe5cc23cde64d98d8d925a1504f94f32aaa86bc2a54b77bb54

    • SSDEEP

      768:uU8HKM0kZZ5YgiPajy+3Egogkwjm0IfUw2JUzEFPshYyQc+51cZP0h1JRTuI2QG8:K90kZZGgiPajy+3Egogkwjm0IfUwgUzo

    Score
    1/10
    behavioral5behavioral6

    • Target

      Malware-master/Linux/ELF/2021.04.20-Mozi.m

    • Size

      300KB

    • MD5

      eec5c6c219535fba3a0492ea8118b397

    • SHA1

      292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21

    • SHA256

      12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef

    • SHA512

      3482c8324a18302f0f37b6e23ed85f24fff9f50bb568d8fd7461bf57f077a7c592f7a88bb2e1c398699958946d87bb93ab744d13a0003f9b879c15e6471f7400

    • SSDEEP

      6144:T2s/gAWuboqsJ9xcJxspJBqQgTuaJZRhVabE5wKSDP99zBa77oNsKqqfPqOJ:T2s/bW+UmJqBxAuaPRhVabEDSDP99zBT

    Score
    9/10
    discoverypersistence

    • Contacts a large (2029) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Changes its process name

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

      persistence

    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

    • Writes file to system bin folder

    behavioral7

    • Target

      Malware-master/Linux/ELF/2021.04.26-Mozi.a

    • Size

      129KB

    • MD5

      fbe51695e97a45dc61967dc3241a37dc

    • SHA1

      1ed14334b5b71783cd6ec14b8a704fe48e600cf0

    • SHA256

      2e4506802aedea2e6d53910dfb296323be6620ac08c4b799a879eace5923a7b6

    • SHA512

      c35eab56ba59beb2ec2b362e4d1aae734fadc2d9db1d720439337dcade13ec9c7b68da9d03821efc7277abaf9bace342ff35593373e04c67327d5f7db460ad8a

    • SSDEEP

      3072:/TNVO/QJHZcfFj4rwLQGTNO5VZLwHm7vuQTpZUyY6cot:7O/QJHZweEL/NOjCHm7FZZncI

    Score
    8/10
    discovery

    • Contacts a large (1082) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Changes its process name

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

    • Writes file to system bin folder

    behavioral8

    • Target

      Malware-master/Linux/ELF/Mozi.m

    • Size

      134KB

    • MD5

      3849f30b51a5c49e8d1546960cc206c7

    • SHA1

      61c74136534b826059c63221a2373dc0613a47b7

    • SHA256

      f6c97b1e2ed02578ca1066c8235ba4f991e645f89012406c639dbccc6582eec8

    • SHA512

      43d79293d1fbf716111c27e50df95a0860a0d706079625fa2b8a6b57c5ee06fa7b5b6b8c0acae33714a2181686426728513c990534e44b6f03a05dde0629ab86

    • SSDEEP

      3072:biMYFJvw6Yh0b1gKobtCGCmCRlrisfrYm:fYFJvwe1gKCYVl2szN

    Score
    1/10
    behavioral9

    • Target

      Malware-master/Linux/ELF/Zeus.arm

    • Size

      82KB

    • MD5

      a3d81aab12674eac5b9bc50d62ad4692

    • SHA1

      ff252286518360f3f4006f89e1bdbd6b447041d9

    • SHA256

      4dba3fc09e36d67060174fe1775db2a93e091f6083546b7b47320a8b6d599d15

    • SHA512

      8a1ebceb94c03d232f58fded2282a657abb0b6547d6e659adc4ca5f2133edb46200e0ffd7361709fe3127b58ab8017c3752ede296380c8c1ba5cc8cc4d086deb

    • SSDEEP

      1536:VRhb/dng3gRtSWOlkSzRRfa21ZT5dw0z00hj9TSAJeZWEnzw/8e7EPC8j:9z5g3gRtH6Di8Z7/0O9ScwdnTe2

    Score
    9/10
    discovery

    • Contacts a large (344528) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery
    behavioral10

    • Target

      Malware-master/Linux/ELF/e

    • Size

      14KB

    • MD5

      0d01bd11d1d3e7676613aacb109de55f

    • SHA1

      317f1a5ac392476d32920eeba5d5d5539ea0be2b

    • SHA256

      45ed59d5b27d22567d91a65623d3b7f11726f55b497c383bc2d8d330e5e17161

    • SHA512

      433450c6c4fbf2a9ea7eda816f872283ef548e7c8b35c22c8250d0a2d06f9cda862d64f1de799d635c1541ef7e5650548a7a9a6d3b8e64667dcdb7c471271b58

    • SSDEEP

      192:fjU408Q7akapzlalhJYu4/c0B+4BIEQ1iZcXtCE7hwfn:fjo8QmDpp+MVZYti

    Score
    1/10
    behavioral11

    • Target

      Malware-master/Linux/ELF/f

    • Size

      818KB

    • MD5

      c644c04bce21dacdeb1e6c14c081e359

    • SHA1

      59f5b21ef8a570c02453b5edb0e750a42a1382f6

    • SHA256

      7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf

    • SHA512

      0748de2583e3fd33a19b1180875a9e3991b1d5ac403152b65c247a701cf00c70b3ee87e5518e8d9f5102317647a45ed60f7e139c40b88c5396b76aba7d82f076

    • SSDEEP

      12288:Vui9LWdJeS1cm27VCabT/BrVSr5oWOy7jaZH/QQwK54k2QPPVi97ATmsh1FjR8k:VumLWdJeS1cm27VtyXawuKQ3VwAiS1v

    Score
    1/10
    behavioral12

    • Target

      Malware-master/Linux/ELF/frmfile

    • Size

      27KB

    • MD5

      844e491577d646354d68e63239aba6f1

    • SHA1

      6ec5bcf2573e5973d4d6ab7019e93645a7a64476

    • SHA256

      8d236f3ea9db3a01b65c4e806913eaf8f5c13c4f7f3949a7970fa64bceb05423

    • SHA512

      fc2ae2b92b5cd95da0243c483c283a03d9e8afd49c21cb22b24e0e4423af3424d0846d5f1fdd02b48f1692ec52a5cb2233b9e4ab5c3f034b85ce3c09bd9c2556

    • SSDEEP

      768:L8SKQvyt98Gj6HyWj6JrW71X0OdedOdTuwtN3r:QaY8Gj6HNAInjdXNb

    Score
    10/10
    miraiunstablebotnet

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

      botnetmirai

    • Changes its process name

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Writes file to system bin folder

    behavioral13

    • Target

      Malware-master/Linux/ELF/m

    • Size

      1.6MB

    • MD5

      cf908520709270a26d6130c3278b3248

    • SHA1

      f00e1f4c277bdb99319f4c7540e0c5637d5ef07d

    • SHA256

      4dd64f5fcae460d43e5647c32aff7b21686f5c7fc3c7a534d3e5a6ef45e02d98

    • SHA512

      2293fae1baa8fd4fd82eae4cea1132fe4da53bca7cfaab384a2185efc90410cf0d30633d39fba5864b010e4e324b81c1b40feee71a47feaa07398ef54142a6c5

    • SSDEEP

      49152:o5pEF2ZZjzToIjNIT0uIqkw8Csw5bhVWARoU:eEF2ZZjzMIjNIT9OUhbR

    Score
    6/10

    • Reads CPU attributes

    behavioral14

    • Target

      Malware-master/Linux/ELF/m1

    • Size

      1.3MB

    • MD5

      1d43757909e395914f375d85a1990055

    • SHA1

      1e8290da0b6ae499d93176bdebd09a7970b4f3c0

    • SHA256

      de33d79d136e3c7a32fb58ae2fcc02c80e4bcaaba9a512891658721a358b506a

    • SHA512

      cdc5151e502751cd2c26700d774c01e32e29c9ca5e54e77393472e282f17dc5d97fce632eed14a96afe4ce52f329f34c0aa4a3b31b14d532605e3d891dd4f9f6

    • SSDEEP

      24576:/JQo0RvQdAYL/fcYoI3g5Dhi+FCSMjFto1MIXjZNKHDelvNLGwH6Xn964hv5CI8t:KRGfjfC+SMjdjOGHZawGmUfj

    Score
    6/10
    antivm

    • Checks CPU configuration

      Checks CPU information which indicate if the system is a virtual machine.

      antivm
    behavioral15

    • Target

      Malware-master/Linux/ELF/m68k

    • Size

      91KB

    • MD5

      640b271dacf0e1dd122f55b1308b7965

    • SHA1

      b6401c37718b1cc5b0b9656ad812d4e622cdcab2

    • SHA256

      02dbc70883be7b485ca263bc9d14c39f5b4e27f3d191b908e1535df2c29afa25

    • SHA512

      d591f3cff38d4fb1fb86626eeb2e24bc4694deec08c563bb01434c9477a635c1cee711fcb91e8164a29069d5e170844994440d2d458f7bce39a272d4931dbfce

    • SSDEEP

      1536:mTrXVz4nthy40VuSxZDzgbzPTOsi+KTda5hhNINe8tfahvjym4U1SwxOvzr+OvfJ:mvV0n/y4FjK2h2Npahvjym4UEwxIBT

    Score
    1/10
    behavioral16behavioral17behavioral18behavioral19

    • Target

      Malware-master/Linux/ELF/mips

    • Size

      41KB

    • MD5

      710f7ac63b5d1a20f065768221e94e58

    • SHA1

      ceb1317c931842f2ce3dba4ead4e9e6df7fa96b7

    • SHA256

      4fe3bfe510380a605d8c2888bfa04ebd8bf8a1b771e830c72cd68820b2d812f5

    • SHA512

      27a8e7f0d54e997f0b9a42d29c2490690525d40f2c69c328eb3619750b904f1c0a2a2cbb996fd10b023e0c2febb545491c5af12c07a2fae1ba3a4ab54aa938cc

    • SSDEEP

      768:T3Abo2eD4M/izW/tUhPS1m6miUnWZSsBvJBVXJO1TMLTCGgNzYVV6vEEDIjkJgGR:T3AblR61zzEMp9JBVc1uPgFYf6vEsIAR

    Score
    9/10
    discovery

    • Contacts a large (181933) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery
    behavioral20

    • Target

      Malware-master/Linux/ELF/ppc

    • Size

      39KB

    • MD5

      ade581eb329396291b2959a682f93a53

    • SHA1

      082b264760a92e692326f82373ccb2a94c62738b

    • SHA256

      de3a6e1e1aa94f95d22630fc7268889ad41a7976d301d37ca84822e536e75fd7

    • SHA512

      c15688708bef8c5e974e7cec4b76b2ef3fd6b5f333640bd82f861567a5695341d36d149bd128cd886b69408875553f5c8e4dd4cf4c2348f6e4cfbca73763206b

    • SSDEEP

      768:WZWy2bCyap+e+4gC0JR+AaJbgFtgqiE4dypT88dWay9d4uVcqgw09h:WZIbOpeXNJR+AEKyqia8i29d4u+qgw0n

    Score
    1/10
    behavioral21behavioral22behavioral23behavioral24

    • Target

      Malware-master/Linux/ELF/sh4

    • Size

      77KB

    • MD5

      53ec4f340fcecfe236416746e816e455

    • SHA1

      66a3f39cfa7c36af955a94e4d97a8915aaa572ef

    • SHA256

      104ca843630192657a014847d37b2c30c2a2274fa9acc4a9e81f8447634828e0

    • SHA512

      3b02b0a04cad8428858294c788d2d20bfad1294e356e4edda94f36f5257a53ae4bc02c3c67b49a2ea56b80e2cc062e29376cf8373668827398ffb1e418f7d5a8

    • SSDEEP

      1536:rA0zJM25UdCyTd40qTVNiUkJVCZk9HKZUBNBcuC7:DiKNyTd4zJkJVqZ3z

    Score
    1/10
    behavioral25behavioral26behavioral27behavioral28

    • Target

      Malware-master/Linux/ELF/x86

    • Size

      32KB

    • MD5

      aa8f5bf5bc4b7b4fa9914b126d835059

    • SHA1

      256984af68ae69890167fbb3d57ef2feace5fb83

    • SHA256

      da3c0bb3531cecb87b644bddc9eb1d87a7a5bd59cb849ddec0acdbf0f1a13263

    • SHA512

      1895740ebc29d639175e59d7224bec1362970b6e7afbcb7b0d75d9754d1f7620996bdb8a68bf009e8feecdbe12284804654edd37b5dd378cdc4731dc96a37b98

    • SSDEEP

      768:IK4lJwqvPf+3ZUIVCpwctsvtjZqhkQZqlmXqvVyf284jUFDnbcuyD7UHQRj13:IK4ZX+OFZsVlqhVslmsIf2Lw9nouy8Hq

    Score
    10/10
    miraikytonbotnetdiscovery

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

      botnetmirai

    • Contacts a large (182622) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Changes its process name

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Writes file to system bin folder

    behavioral29

    • Target

      Malware-master/PHP/async-upload.php

    • Size

      14KB

    • MD5

      e303eeeca4742a4c83238d0e89f6c6d1

    • SHA1

      1b9d2b87019a796d4f6c7aa58debb0a40dec5957

    • SHA256

      47bdb8c21bdc2e7c4030a0b8eebe7cbd3d3ecaeff9279f4012b5102d9660e31f

    • SHA512

      a75c4a6f124b2e3a5385614eee044780790b5024909b2bbc5adf94502ec9a8665dc600b3691d982835e78e420c082a5a597e9a221f35689b94fccec6963ddb73

    • SSDEEP

      96:5hRAjI2kB527gwyaP9+55P9BuwLV9x9OCyACGVzV9Zqyx9mZwnn02KnkuodlxSTy:56+bC8b9wB2EY0E5ME7LEQZn

    Score
    1/10
    behavioral30behavioral31

    • Target

      Malware-master/PHP/class-IXR-base64.php

    • Size

      10KB

    • MD5

      fe1a7f2098adaa1d4c088c6924c0265e

    • SHA1

      48811dfb412cc18945ad62265399a9567e0fd48c

    • SHA256

      25ad48eff1bbff04782422a785d046f27a514edf364a835fa54d5ddcb506d268

    • SHA512

      751d0a2e5be2fdce10827c7c2a8a7c245e4c4c2f0e91080dc013a76b006daf1155ca5ca5066920453c9e844a0427ca14dd0b6b68b69a9ae59dca2a2039ab3d0f

    • SSDEEP

      192:Ayt6eeTjisWkeJ3fSTcCxJsUWRW9nXPTQ6eCKkDu:Ayt6eeTjisWkeJ3aTcCxJsUWRW9XPTQv

    Score
    1/10
    behavioral32

MITRE ATT&CK Enterprise v15

Tasks

static1

upxlzrdminerkytonpyinstallermiraixmrig
Score
10/10

behavioral1

Score
3/10

behavioral2

Score
8/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

discoverypersistence
Score
9/10

behavioral8

discovery
Score
8/10

behavioral9

Score
1/10

behavioral10

discovery
Score
9/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

miraiunstablebotnet
Score
10/10

behavioral14

Score
6/10

behavioral15

antivm
Score
6/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

discovery
Score
9/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

miraikytonbotnetdiscovery
Score
10/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10