General

  • Target

    All.zip

  • Size

    7.0MB

  • Sample

    241014-r8c79szgmd

  • MD5

    2404b782c8a4c1331a548e27e1558ea7

  • SHA1

    d801e6e4dc86758272d2f1c591ee6fe492426145

  • SHA256

    55e90e18b443a15116c1102dd21397fd1c7dd1e9aff347e1267c27032e3e4bb3

  • SHA512

    4c82b0fdf873253a7bbad72e85ada1b569552b755512d727565abb5ec45564a9b7f5a2aae7951dfb97d1aa4cb305c95c3d6e1e3af8c5e1ead244473f624cfbc3

  • SSDEEP

    196608:KT8rFf9o0gtSuOOQA7P5Krz2wqYVde4p0CaOB7:KT8t6ROm7hKrz254p0KB7

Malware Config

Extracted

Family

connectback

C2

185.232.65.146:1987

Targets

    • Target

      30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55.sh

    • Size

      3KB

    • MD5

      4de883db50a87d2eaf32038a6f48a3cf

    • SHA1

      5d786ee84056677315f5eb9315f7a40d7fe8cb94

    • SHA256

      30c9166a9f2c32bd7e85ba03474d71f304a7b298c50b864e488d1f9efced6c55

    • SHA512

      36bee2e2e6850fd3fb99fe832fb3de0f4792ac2b6fc7dc24987f4efb53ab8e747e6ace4d518ac3e2efa62cf997e787be7107b28a2cf305b0f7d13bbace13631d

    • File and Directory Permissions Modification

      Adversaries may modify file or directory permissions to evade defenses.

    • Executes dropped EXE

    • Target

      3d93d26bca6930823ec8b92e4b9c738c75b5a9285df077a9ff3bfbd60b5c6b06.sh

    • Size

      218B

    • MD5

      7aa2b97e89331b98754cd9b6280af0f9

    • SHA1

      b1161768ee3aa0da467a47c3023a382fd9701960

    • SHA256

      3d93d26bca6930823ec8b92e4b9c738c75b5a9285df077a9ff3bfbd60b5c6b06

    • SHA512

      9f1bd3a8b833a940459b524e3bd2a06f530a8b6c3cd5901a36e000c3dddbe0a56847edb4346beac8e7afea0427174ed763dab20db429f57ee04405fbf2b32efa

    Score
    3/10
    • Target

      31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/bash_decryptor.sh

    • Size

      341B

    • MD5

      013e22cea40101aabb5104374b9799f1

    • SHA1

      a7e7734c2c6f929bca996a20ecbe15f5a7647ae8

    • SHA256

      c881660ad1883ad35f1f6b6cb75ef28cda471b54b58ef594b45183ba71ee6126

    • SHA512

      eedde28f522f3d779cff26d9605b1d9250797df9cd375c0eb657e0d976853611ab12161f2f5309f9b346a49101a4e0d19efdfa773f80a9f444460a5745267b5d

    Score
    3/10
    • Target

      31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/bash_encryptor.sh

    • Size

      2KB

    • MD5

      27be323f0057b258961da949655deaec

    • SHA1

      05d60c843a5b85cc51799d638cfaad2b4009dbf9

    • SHA256

      122d4473f8336fa9b3e69d3fb58112b22e7efd9435f53f90d06f9cf8a1dbccc1

    • SHA512

      98a48ae25952ec165b3d99516f67948062b2810ff43d993d33f7c2770c78b5739547208c2003d1b6e53d7fdb4212361f202fbfee49e8546c60e55a40a2d3e758

    Score
    3/10
    • Target

      31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/bash_encryptor1.sh

    • Size

      2KB

    • MD5

      ba7d82ff5ddaa55e206e346bdfdf2872

    • SHA1

      8fc79950d628ec81bc04bda01dd7aa4868c8259e

    • SHA256

      691afd4ef5f33d99053c57456ce9fa126e29d51d4dd510928193d8c3332547b1

    • SHA512

      92d4454ea73182d86686f0384480aaee09636705655b7e7a40e470d12677cd9ab471e33af79b81de52c362a2119292b7952fb6b84c42baa44812e07d348696ae

    Score
    3/10
    • Target

      31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/code.sh

    • Size

      4KB

    • MD5

      4409d0036c0668c33ca152abb8eb8776

    • SHA1

      e918e127494ac5dcc839e827b1ca9e40a0650cb0

    • SHA256

      4c037b151ab09258f31193160d5b715c2fd14290344bfdf12fab16301095f7b7

    • SHA512

      e0524e00bd42d3d4eb38e1b84e80416d95d9f081792e66f16a38e8fb8b5b71bd3b06b9fc7143bddeb87f4101aa12beacabcd540a985e8f2249a8e6f4d7a18059

    • SSDEEP

      96:lNsfEZEPDuzf+HLbVnrGFO7vf5l1tYqV2Ov/kYNxDEqonFd2qtFYKcpnWljs:HsMZEPDHLbVnrGFOZtXVzTNxDmdtFYKW

    Score
    3/10
    • Target

      31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/code1.sh

    • Size

      9B

    • MD5

      9cc18818c45b8fe0999c315c2195563d

    • SHA1

      d9190b425679cf5a1504ccc15e25aba46c573ac5

    • SHA256

      e31a27236c48bd15977bfa014ca28a2f601625fd1c0ba02a65067cdd3f723c93

    • SHA512

      323bad4242af6f33fce91c82b08ef7d9cdacd7c9efa0968a02223bc670ae874e6536700941b16a19ed9d79480572ed056f9e7bca4f0ed5753e4db0056d91ec02

    Score
    3/10
    • Target

      31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/crypt2_first.sh

    • Size

      17KB

    • MD5

      8224c9faafd5f4a8678bfa511fc4b5e2

    • SHA1

      215d777140728b748fc264ef203ebd27b2388666

    • SHA256

      e380c4b48cec730db1e32cc6a5bea752549bf0b1fb5e7d4a20776ef4f39a8842

    • SHA512

      3946c910a579ffe0e0939b1df0183fb06fbc470e454e6af268d18df0db02bcf46a73c14948a1b25be858d9b330ef89fb5b2c06a179e4cbb2d1152356905e8038

    • SSDEEP

      384:wydCpDwMwt6x7666x04vo0Or6T4vo0OBdRK:wECpEL8xmDx0vWTvvA

    • Deobfuscate/Decode Files or Information

      Adversaries may deobfuscate or decode files or information to evade detection mechanisms.

    • Deletes log files

      Deletes log files on the system.

    • Target

      31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/crypt2_second.sh

    • Size

      17KB

    • MD5

      35dbc971ba859fb80c291d811154b112

    • SHA1

      1168e6f49632123d6df8c0f91291512ed82f6b1e

    • SHA256

      719e0120cf1e5c0dd80e8e88d9c0c621f8b6f0fd03f7c10758eb453006aecf1f

    • SHA512

      a82d86d8c74ad034f1530c83cfe13c13f1f5bae63f31fcc26d08b632da1a02e4eb64ac7ba609a119d25d6c129ef98741417b1accb482c641ade09602810e2277

    • SSDEEP

      384:wydspDw5wi6xc696x04vo0Os6T4vo0OltRK:wEspEmLxRMx0vhTvbA

    • Deobfuscate/Decode Files or Information

      Adversaries may deobfuscate or decode files or information to evade detection mechanisms.

    • Deletes log files

      Deletes log files on the system.

    • Target

      31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/crypt3.sh

    • Size

      5KB

    • MD5

      3402c9373726396598011ef6ec1ea243

    • SHA1

      919b574a4d000161e52d57b827976b6d9388b33f

    • SHA256

      0243ac9f6148098de0b5f215c6e9802663284432492d29f7443a5dc36cb9aab5

    • SHA512

      138d3d9de064a3107218856a510d968a857860c90a3bd7250eb79a8f7df13e588d7bfc90563a63c5a4dc9027e5d4d21cadb4118f4ff1add6fac6b2b9510b1ba6

    • SSDEEP

      96:3rRSrMvtMn2IbtGfMibe/WJdb7oc9pHb/7yZnubZQKKXVNJw/0Jw5kgpkf2dSF1K:l6WtM/btGBbe/WJd99pHb/jbunJwMJw9

    Score
    3/10
    • Target

      31.214.157.40_#DarkRadiation_by_@r3dbU7z/api/crypt_file.sh

    • Size

      124B

    • MD5

      d8f152e71f32f0d07d4484b6857fa13f

    • SHA1

      583014546cbd25056bb27eb913e076614d014d17

    • SHA256

      100211701ce54cc15504e60e27306fef339155bbd37bb9294c4c01cabf56c52c

    • SHA512

      059ca3af5a78e27962985dd1050a17387ff0bf8bfd58239cc76fbd9311c36faf95b40ffd4321daac19bac55b766da48a599b85c3c86e8352467430113c3deecc

    Score
    7/10
    • Obfuscated Files or Information

      Files were encrypted using OpenSSL. Adversaries may obfuscate files or information to evade detection.

MITRE ATT&CK Enterprise v15

Tasks

static1

connectback
Score
10/10

behavioral1

defense_evasion discovery
Score
7/10

behavioral2

antivm defense_evasion discovery
Score
7/10

behavioral3

defense_evasion discovery
Score
7/10

behavioral4

defense_evasion discovery
Score
7/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

Score
3/10

behavioral19

defense_evasion discovery execution
Score
7/10

behavioral20

antivm defense_evasion discovery execution
Score
7/10

behavioral21

defense_evasion discovery execution
Score
7/10

behavioral22

defense_evasion discovery execution
Score
7/10

behavioral23

defense_evasion discovery execution
Score
7/10

behavioral24

antivm defense_evasion discovery execution
Score
7/10

behavioral25

defense_evasion discovery execution
Score
7/10

behavioral26

defense_evasion discovery execution
Score
7/10

behavioral27

discovery
Score
3/10

behavioral28

Score
3/10

behavioral29

defense_evasion
Score
7/10

behavioral30

defense_evasion
Score
7/10

behavioral31

defense_evasion
Score
7/10

behavioral32

defense_evasion
Score
7/10