stealthworker | f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a

Analysis

max time kernel
150s
max time network
153s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
05-03-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da12ead92069e02db3b88d15ac2c2823.elf
Size

2.4MB
MD5

da12ead92069e02db3b88d15ac2c2823
SHA1

297bf4ce9a344d6c27eba64bf1ddf2707567a2ef
SHA256

f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a
SHA512

5769feee3276dbacae7a6711a7a5b7ddae425f689aa5655cb1bfb7dd4046a28ac075c807a8436a191542f97103c60ef42bcfd9110bb68a82891a2ab9b04cdd25
SSDEEP

49152:e5R845g7EfVpclzm6XRkQfqFWWrO7dE2UlFHuOqrJPLWziHTHpDj:eDqUpuzmiRFiXrWa2UlwrJWzGFj

Score

10^/10

stealthworker antivm botnet discovery persistence

Malware Config

Signatures

StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker
Contacts a large (1984) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Checks CPU configuration 1 TTPs 2 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

Virtualization/Sandbox Evasion
T1497

Processes:

catcat

description ioc process

File opened for reading /proc/cpuinfo cat
File opened for reading /proc/cpuinfo cat
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.7ybeh8 crontab

description	ioc	process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.7ybeh8	crontab

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

Processes:

da12ead92069e02db3b88d15ac2c2823.elfcatda12ead92069e02db3b88d15ac2c2823.elfcatcrontab

description	ioc	process
File opened for reading	/proc/self/exe	da12ead92069e02db3b88d15ac2c2823.elf
File opened for reading	/proc/sys/net/core/somaxconn	da12ead92069e02db3b88d15ac2c2823.elf
File opened for reading	/proc/version	cat
File opened for reading	/proc/self/exe	da12ead92069e02db3b88d15ac2c2823.elf
File opened for reading	/proc/sys/net/core/somaxconn	da12ead92069e02db3b88d15ac2c2823.elf
File opened for reading	/proc/version	cat
File opened for reading	/proc/filesystems	crontab

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

Processes:

da12ead92069e02db3b88d15ac2c2823.elf

description	ioc	process
File opened for modification	/tmp/.pid	da12ead92069e02db3b88d15ac2c2823.elf
File opened for modification	/tmp/nip9iNeiph5chee
File opened for modification	/tmp/[stealth].pid

/tmp/da12ead92069e02db3b88d15ac2c2823.elf
/tmp/da12ead92069e02db3b88d15ac2c2823.elf
1⤵
- Reads runtime system information
- Writes file to tmp directory
PID:659

/bin/cat
cat /proc/version
2⤵
- Reads runtime system information
PID:677

/bin/cat
cat /proc/cpuinfo
2⤵
- Checks CPU configuration
PID:681

/bin/uname
uname -a
2⤵
PID:682

/usr/bin/getconf
getconf LONG_BIT
2⤵
PID:685

/tmp/da12ead92069e02db3b88d15ac2c2823.elf
"[stealth]"
2⤵
- Reads runtime system information
PID:687

/bin/cat
cat /proc/version
3⤵
- Reads runtime system information
PID:697

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:700

/bin/uname
uname -a
1⤵
PID:702

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:704

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:705

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid
Filesize
3B

MD5
7f5d04d189dfb634e6a85bb9d9adf21e

SHA1
dbe8ddfe63caf36d00ca9e558b358c59d1434e04

SHA256
c2077253a9b10166e7c8ffda8f2377456f332029eea3d27def7fb2b23502c0d4

SHA512
15fa214b1df6f863c3b227d61ca920dafd4ba16235bb81c16b09ecc0bf33ec6a6638f186ff5ec63d71a8b61019554d7de992a097c5fde92f3a897425880ef0f6

Download Submit
/tmp/nip9iNeiph5chee
Filesize
70B

MD5
9daa8e9108fcac23e1c200759be68713

SHA1
c8af9e04afafea52378928672cc3a0e8a20c5b15

SHA256
4bd95c705a61444ed1309da82dfa1e2fd1a40366356ff9faaa428e1c55813513

SHA512
16b888ccf645920f0bb02456358e1c159fa3699aae24667f58409fe37c19023b2296d61526537dcbedb1ce02f4e82eeebc836ca69976ad5980f5d671e06039a8

Download Submit
/var/spool/cron/crontabs/tmp.7ybeh8
Filesize
264B

MD5
bf184c78dc4d490371573c6a310a9993

SHA1
209b64da92f9d40315c5f8f41d9958cb81af19f9

SHA256
042a09582123f7cc8095d360216fcf648e7f3cdcbd9fb1a1924e562a1c4de80d

SHA512
7d8347593dcb52b7c9339365769ad7918f2ea0ea1ed119de5d2a9f416844e4b005726b0a118168e787453ea6a59a3ad7f1e6d12f354c5ee9264a163adc5f4467

Download Submit
memory/659-1-0x00010000-0x00725760-memory.dmp

Download
memory/687-2-0x00010000-0x00725760-memory.dmp

Download