stealthworker | 9abd614cd0027048c86c4e4de67271dbc53b0361373da06cc5cebce8f7646ec4

Analysis

max time kernel
149s
max time network
155s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240221-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240221-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
05/03/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

241b87293b2cf3e9579810b55a45d1b9.elf
Size

2.5MB
MD5

241b87293b2cf3e9579810b55a45d1b9
SHA1

d2974053f4ce24a1f437ae6b683d30fcd5815475
SHA256

9abd614cd0027048c86c4e4de67271dbc53b0361373da06cc5cebce8f7646ec4
SHA512

ce1f6755230a07977a6a4636e7531dc3717f1162b81ebdefe22cd36a112fe626ef6277d69c285a35a809af51692d3ffa4a456b0e89a7a0d17e105699e05c49d2
SSDEEP

49152:Eq4TDswC9nb+Feo7ZWCIrWT8vg4NsqKaRkS+nkDoYaAeFU0WYdDmj/2:E/nqyFVuFvdt9k9QomnXMDmi

Score

10^/10

stealthworker antivm botnet discovery persistence

Malware Config

Signatures

StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker
Contacts a large (6832) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.BFKpTa	crontab

Reads runtime system information 6 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/version	cat
File opened for reading	/proc/self/exe	241b87293b2cf3e9579810b55a45d1b9.elf
File opened for reading	/proc/sys/net/core/somaxconn	241b87293b2cf3e9579810b55a45d1b9.elf
File opened for reading	/proc/version	cat
File opened for reading	/proc/self/exe	241b87293b2cf3e9579810b55a45d1b9.elf
File opened for reading	/proc/sys/net/core/somaxconn	241b87293b2cf3e9579810b55a45d1b9.elf

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/.pid
File opened for modification	/tmp/nip9iNeiph5chee
File opened for modification	/tmp/[stealth].pid

/tmp/241b87293b2cf3e9579810b55a45d1b9.elf
/tmp/241b87293b2cf3e9579810b55a45d1b9.elf
1⤵
- Reads runtime system information
PID:1477

/usr/bin/cat
cat /proc/version
1⤵
- Reads runtime system information
PID:1490

/usr/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1493

/usr/bin/uname
uname -a
1⤵
PID:1495

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1496

/tmp/241b87293b2cf3e9579810b55a45d1b9.elf
"[stealth]"
1⤵
- Reads runtime system information
PID:1497

/usr/bin/cat
cat /proc/version
1⤵
- Reads runtime system information
PID:1500

/usr/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:1502

/usr/bin/uname
uname -a
1⤵
PID:1504

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:1505

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
PID:1534

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid

Filesize
4B

MD5
55c567fd4395ecef6d936cf77b8d5b2b

SHA1
9bc8d5789d9a97e335bc3a1700b281325cb59f12

SHA256
556ea1b2f7420f2cd4e6d1d548f7389cdaf91535020c5917e16d2b3bf6b98844

SHA512
60aed26051a8b28629098174ef3fbaef802c5868ca1d53e99b7da050feb3a903528b47044fd042e4c002b9cb2e2de9ce410b6b9a3cecd0ac4582fdfb4bd4c864

Download Submit
/tmp/nip9iNeiph5chee

Filesize
70B

MD5
c25b1f94585b211ffe0b8c8185a29e3c

SHA1
53e8fe90fca0162c422f141fe957898e361c9688

SHA256
1a6a5e729b7f1100c6e7f6ac2a3859696509a41ae3a854300d3dbc9be2af25b6

SHA512
78aeeb760e97d481b1366627afbf0db81a617a7a9b0d9af1196bc2c5049d03eed3f3fd6f494f3fb21d51ab2458947236ddd831eabe293a2ce2364e5246649ae5

Download Submit
/var/spool/cron/crontabs/tmp.BFKpTa

Filesize
264B

MD5
0c0884c397ad23656c7f8b26ea91435e

SHA1
a3b57164ba5ee8ce3f8f96b68674e360ca9cba77

SHA256
41a0fd4549ffa9ec096ae5b32a7931ee6f4c8bb505de8556f9c0c59005ac68c7

SHA512
18e8f767ffe0d4137810c78e7df2dbd8b5beb4d72398f2022d64bea5c7de9444422eeb1ae0ebefeb7a163ba68096c00a80fa82f94bcf4cb2fbe74426417c8dc8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads