stealthworker | 15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b

Analysis

max time kernel
143s
max time network
144s
platform
debian-9_mips
resource
debian9-mipsbe-20240226-en
resource tags

arch:mipsimage:debian9-mipsbe-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
05/03/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9044d7e0ac4cab8917829cc22df9abda.elf
Size

2.4MB
MD5

9044d7e0ac4cab8917829cc22df9abda
SHA1

e3076668487ccb1091f8d02fbfed62627d3bfe55
SHA256

15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b
SHA512

412d6456de87e3656446c0e096667b3d0c3a8bcc7088adc7f0622b6f563cc04e66932c09a0a165c50d57b22523bf70110e73ed830ea5ed8b055c6bd49243a487
SSDEEP

49152:I22aCIjTfiH8LnLf61ayqpTj0lB4ykrrpUymAI:zCsD1pTj0l+FGyO

Score

10^/10

stealthworker antivm botnet persistence

Malware Config

Signatures

StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.gI1P78	crontab

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/exe	9044d7e0ac4cab8917829cc22df9abda.elf
File opened for reading	/proc/version	cat
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/self/exe	9044d7e0ac4cab8917829cc22df9abda.elf
File opened for reading	/proc/version	cat

/tmp/9044d7e0ac4cab8917829cc22df9abda.elf
/tmp/9044d7e0ac4cab8917829cc22df9abda.elf
1⤵
- Reads runtime system information
PID:705
- /bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:720
- /bin/cat
  cat /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:722
- /bin/uname
  uname -a
  2⤵
  PID:725
- /usr/bin/getconf
  getconf LONG_BIT
  2⤵
  PID:727
- /tmp/9044d7e0ac4cab8917829cc22df9abda.elf
  "[stealth]"
  2⤵
  - Reads runtime system information
  PID:729
- - /bin/cat
    cat /proc/version
    3⤵
    - Reads runtime system information
    PID:739
- - /bin/cat
    cat /proc/cpuinfo
    3⤵
    - Checks CPU configuration
    PID:740
- - /bin/uname
    uname -a
    3⤵
    PID:742
- - /usr/bin/getconf
    getconf LONG_BIT
    3⤵
    PID:743
- - /usr/bin/crontab
    /usr/bin/crontab /tmp/nip9iNeiph5chee
    3⤵
    - Creates/modifies Cron job
    - Reads runtime system information
    PID:745

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid

Filesize
3B

MD5
5751ec3e9a4feab575962e78e006250d

SHA1
baa924ce1ee3617f30a87ca26b2aeb62911af478

SHA256
509694b0a010c6431900e71b8210521af57d39ce8e64deb365f0a5c6c9a2ef6d

SHA512
47ccc6b01d9b2b8f27bac167d1fa138ad0f76d377637d4676c4496aa58300a393713a7188d0effd3973a7a16cce2a690e8060689286b171b12bd1cb3d33da536

Download Submit
/tmp/nip9iNeiph5chee

Filesize
70B

MD5
f8c66737a5a1d0fa12f393e973728935

SHA1
a6155b82a9124e9502043ca7f1d9f953ed281595

SHA256
b1a91d53a00a377760ef6624e7f48858777fac647af44cc6b782e19d08a44f46

SHA512
5c677e9e8af688e21914e5d4a3c5b42b47af063844dec9c2febcd3a6d1545616c552c7002897e7ebf39d30acdcb37e2ff2a7a29c55e59e2e8822219266f1104e

Download Submit
/var/spool/cron/crontabs/tmp.gI1P78

Filesize
264B

MD5
59da7e33ee2478dade6cdb5690884229

SHA1
32e67f0265b6f4dcfd8a015802f86323f77aaf56

SHA256
bc90fcc38db716a2703a2f6e4276887522106ea8cd1e5297e1d87040464b7674

SHA512
c6f2f94c9cd39ea5442321d61507c080c7493f85d39cf0cb3a7434df676f75dbf0eae7e8c12d3f12985e0caa68730087fad435aaea3c061b4423246d93baf399

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads