stealthworker | f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a

Analysis

max time kernel
150s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
05/03/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da12ead92069e02db3b88d15ac2c2823.elf
Size

2.4MB
MD5

da12ead92069e02db3b88d15ac2c2823
SHA1

297bf4ce9a344d6c27eba64bf1ddf2707567a2ef
SHA256

f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a
SHA512

5769feee3276dbacae7a6711a7a5b7ddae425f689aa5655cb1bfb7dd4046a28ac075c807a8436a191542f97103c60ef42bcfd9110bb68a82891a2ab9b04cdd25
SSDEEP

49152:e5R845g7EfVpclzm6XRkQfqFWWrO7dE2UlFHuOqrJPLWziHTHpDj:eDqUpuzmiRFiXrWa2UlwrJWzGFj

Score

10^/10

stealthworker antivm botnet discovery persistence

Malware Config

Signatures

StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker
Contacts a large (1984) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.7ybeh8	crontab

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/self/exe	da12ead92069e02db3b88d15ac2c2823.elf
File opened for reading	/proc/sys/net/core/somaxconn	da12ead92069e02db3b88d15ac2c2823.elf
File opened for reading	/proc/version	cat
File opened for reading	/proc/self/exe	da12ead92069e02db3b88d15ac2c2823.elf
File opened for reading	/proc/sys/net/core/somaxconn	da12ead92069e02db3b88d15ac2c2823.elf
File opened for reading	/proc/version	cat
File opened for reading	/proc/filesystems	crontab

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.pid	da12ead92069e02db3b88d15ac2c2823.elf
File opened for modification	/tmp/nip9iNeiph5chee	Process not Found
File opened for modification	/tmp/[stealth].pid	Process not Found

/tmp/da12ead92069e02db3b88d15ac2c2823.elf
/tmp/da12ead92069e02db3b88d15ac2c2823.elf
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:659
- /bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:677
- /bin/cat
  cat /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:681
- /bin/uname
  uname -a
  2⤵
  PID:682
- /usr/bin/getconf
  getconf LONG_BIT
  2⤵
  PID:685
- /tmp/da12ead92069e02db3b88d15ac2c2823.elf
  "[stealth]"
  2⤵
  - Reads runtime system information
  PID:687
- - /bin/cat
    cat /proc/version
    3⤵
    - Reads runtime system information
    PID:697

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:700

/bin/uname
uname -a
1⤵
PID:702

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:704

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:705

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid

Filesize
3B

MD5
7f5d04d189dfb634e6a85bb9d9adf21e

SHA1
dbe8ddfe63caf36d00ca9e558b358c59d1434e04

SHA256
c2077253a9b10166e7c8ffda8f2377456f332029eea3d27def7fb2b23502c0d4

SHA512
15fa214b1df6f863c3b227d61ca920dafd4ba16235bb81c16b09ecc0bf33ec6a6638f186ff5ec63d71a8b61019554d7de992a097c5fde92f3a897425880ef0f6

Download Submit
/tmp/nip9iNeiph5chee

Filesize
70B

MD5
9daa8e9108fcac23e1c200759be68713

SHA1
c8af9e04afafea52378928672cc3a0e8a20c5b15

SHA256
4bd95c705a61444ed1309da82dfa1e2fd1a40366356ff9faaa428e1c55813513

SHA512
16b888ccf645920f0bb02456358e1c159fa3699aae24667f58409fe37c19023b2296d61526537dcbedb1ce02f4e82eeebc836ca69976ad5980f5d671e06039a8

Download Submit
/var/spool/cron/crontabs/tmp.7ybeh8

Filesize
264B

MD5
bf184c78dc4d490371573c6a310a9993

SHA1
209b64da92f9d40315c5f8f41d9958cb81af19f9

SHA256
042a09582123f7cc8095d360216fcf648e7f3cdcbd9fb1a1924e562a1c4de80d

SHA512
7d8347593dcb52b7c9339365769ad7918f2ea0ea1ed119de5d2a9f416844e4b005726b0a118168e787453ea6a59a3ad7f1e6d12f354c5ee9264a163adc5f4467

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads