stealthworker | 15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b

Analysis

max time kernel
149s
max time network
153s
platform
debian-9_mips
resource
debian9-mipsbe-20240226-en
resource tags

arch:mipsimage:debian9-mipsbe-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
06/03/2024, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b.elf
Size

2.4MB
MD5

9044d7e0ac4cab8917829cc22df9abda
SHA1

e3076668487ccb1091f8d02fbfed62627d3bfe55
SHA256

15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b
SHA512

412d6456de87e3656446c0e096667b3d0c3a8bcc7088adc7f0622b6f563cc04e66932c09a0a165c50d57b22523bf70110e73ed830ea5ed8b055c6bd49243a487
SSDEEP

49152:I22aCIjTfiH8LnLf61ayqpTj0lB4ykrrpUymAI:zCsD1pTj0l+FGyO

Score

10^/10

stealthworker antivm botnet persistence

Malware Config

Signatures

StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker

Checks CPU configuration 1 TTPs 2 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	cat
File opened for reading	/proc/cpuinfo	cat

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.s1p2Xg	crontab

Reads runtime system information 5 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/version	cat
File opened for reading	/proc/filesystems	crontab
File opened for reading	/proc/self/exe	15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b.elf
File opened for reading	/proc/version	cat
File opened for reading	/proc/self/exe	15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b.elf

/tmp/15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b.elf
/tmp/15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b.elf
1⤵
- Reads runtime system information
PID:709
- /bin/cat
  cat /proc/version
  2⤵
  - Reads runtime system information
  PID:725
- /bin/cat
  cat /proc/cpuinfo
  2⤵
  - Checks CPU configuration
  PID:728
- /bin/uname
  uname -a
  2⤵
  PID:730
- /usr/bin/getconf
  getconf LONG_BIT
  2⤵
  PID:732
- /tmp/15b75fa3114a2dad6981e1a145cb45a9875948007a6e41ca2b2df4ad08aaff2b.elf
  "[stealth]"
  2⤵
  - Reads runtime system information
  PID:743
- - /bin/cat
    cat /proc/version
    3⤵
    - Reads runtime system information
    PID:748

/bin/cat
cat /proc/cpuinfo
1⤵
- Checks CPU configuration
PID:750

/bin/uname
uname -a
1⤵
PID:751

/usr/bin/getconf
getconf LONG_BIT
1⤵
PID:752

/usr/bin/crontab
/usr/bin/crontab /tmp/nip9iNeiph5chee
1⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:754

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.pid

Filesize
3B

MD5
5c572eca050594c7bc3c36e7e8ab9550

SHA1
f032e58930733b4d76fabb3398e75d86d881b245

SHA256
0df5486b7bca884d5f00c502e216f734b2865b202397f24bca25ac9b8a95ab4a

SHA512
e123b36abe204842ee829186f2de9e604f66f634322e3678af903e9d06d03dccdf5accc4d5cd612c2ff75f4c64a283e9500c466e235d7031f77a6329f8be56b9

Download Submit
/tmp/nip9iNeiph5chee

Filesize
102B

MD5
bfcddd8e98f8e3f1eebd6b58b115a318

SHA1
2b1b1e9ac3b6361c63e18d5d7d89f41b41e46e51

SHA256
c01426f38518b1ebf0be9108b6e6cb8f4dea2dcfaa54068e0afca69163c7f734

SHA512
b2b452b198ece9b2d23f75919c8d310d38846afb5d852dd46d2acecf41ae65011995f64e0c1918ed081fbf1c75941b8d7b22a91c69127aff361e3235c9dcfe75

Download Submit
/var/spool/cron/crontabs/tmp.s1p2Xg

Filesize
296B

MD5
661eb8495ff413b7b98afeb8cff2b506

SHA1
dec2a10d03dbc290fc868e7be8bcbe1a629f8c9c

SHA256
0d45ffc872e2d241cbb60c00fd7afd2b427f4b2857deff12257d8c00d75b51fd

SHA512
7e98f970f475e1bbdc55f4dc12c651c16c17a6dbcd295a73ada836c24214b8789d3f466572ec9b12fad775c18dda3ad985f28565099dc5ffb0ab9c98c71fd144

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads