stealthworker | f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a

Analysis

max time kernel
148s
max time network
152s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
06/03/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf
Size

2.4MB
MD5

da12ead92069e02db3b88d15ac2c2823
SHA1

297bf4ce9a344d6c27eba64bf1ddf2707567a2ef
SHA256

f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a
SHA512

5769feee3276dbacae7a6711a7a5b7ddae425f689aa5655cb1bfb7dd4046a28ac075c807a8436a191542f97103c60ef42bcfd9110bb68a82891a2ab9b04cdd25
SSDEEP

49152:e5R845g7EfVpclzm6XRkQfqFWWrO7dE2UlFHuOqrJPLWziHTHpDj:eDqUpuzmiRFiXrWa2UlwrJWzGFj

Score

10^/10

stealthworker antivm botnet persistence

Malware Config

Signatures

StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker

Deletes itself 1 IoCs

pid
659

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.AiTPTz	crontab

Reads runtime system information 7 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/sys/net/core/somaxconn	f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf
File opened for reading	/proc/version	cat
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/self/exe	f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf
File opened for reading	/proc/sys/net/core/somaxconn	f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf
File opened for reading	/proc/version	cat
File opened for reading	/proc/self/exe	f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/.pid
File opened for modification	/tmp/nip9iNeiph5chee
File opened for modification	/tmp/[stealth].pid

/tmp/f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf
/tmp/f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf
1⤵
- Reads runtime system information
PID:660
- /bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:679

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:682

/bin/uname
uname -a
1⤵
PID:684

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:687

/tmp/f4345a8c7f841767e5173140c8b57aedb4b9ad2333950341a37ffc2d1ed3f47a.elf
"[stealth]"
1⤵
- Reads runtime system information
PID:689
- /bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:699

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:702

/bin/uname
uname -a
1⤵
PID:704

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:706

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:707

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid

Filesize
3B

MD5
07a96b1f61097ccb54be14d6a47439b0

SHA1
53c53c5d2b630c0d912264bb9edf8cf6f0afa260

SHA256
fc4fb94d36f45aa9d13358022455e55db4b6f0eb536a1b2897c90dfd3df9eb9b

SHA512
affb35d9483f4468ac879d5279b64f1d57a9754061b47beafc877e92874610cea38d3200499a59cb6927b568871dcf4e80ec7984e680db64198be72a75aa6d51

Download Submit
/tmp/nip9iNeiph5chee

Filesize
102B

MD5
5beb64e696f167cf70c565db95086bb6

SHA1
1d014c3aca2ff129a7a9ca32e48cffa0824c483c

SHA256
abf2f9adb0147db9430e7154be77b00c13c0ddb374d7eb73dff629d582c39b38

SHA512
18d37229734ebeeaad876144ee2b0351c28aab501b8d83252dc074be91c2456cb92ed6ddb4c0a841c5f140985ca7e4a47a81f2e8932c33f16288bc22fbff0e05

Download Submit
/var/spool/cron/crontabs/tmp.AiTPTz

Filesize
296B

MD5
19f8a018f9446613ede02c8d22096d66

SHA1
34a2665bcd418e5677e165e425f4948972e1bb78

SHA256
0d0440d2480a67ae31ba86513bf8bbc1bc0d3cbe152d8dc1356754e9ba60fb3c

SHA512
36fb1472bd853af9bd71ce6b1cc8902e87eb5a540fbb9b92313bb7e20079b2eba8f9fdf8f72a86ad5e21632634bc30e46c65fb7dd3dbc17ccac869f75b86fcab

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads