xmrig | 747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7

Resubmissions

27-11-2024 08:55

241127-kvn92stkar 10

27-11-2024 05:48

241127-ghggwszqes 10

Sharing

Copy URL

Twitter E-mail

General

Target

hoze样本.zip
Size

7.6MB
Sample

241127-kvn92stkar
MD5

8bb80dc9058ea755ff166d45fbcdbdcf
SHA1

e49e083725dcd42fba86a57959ea2cae6c7aed57
SHA256

747091fd60a9c41ff26d3878bac923c9c14b5472238874754577e14d47b8cba7
SHA512

87dab1c4e11517538113fddfd22877817455a99a0664c340c56417e9f46d4165ac7236307710378db1016628e664871f2a7db2fd48c752c17fc09370abed7226
SSDEEP

196608:8Qz8WgK/p06m121FaxrhZeeWDLAfVPKRWC9:tz5gK/m6mw1U2Dc4EA

Score

10^/10

Malware Config

Targets

- Target
  
  xrx/chattr
- Size
  
  35KB
- MD5
  
  a074fef55aacf28bd6d7a5b2f5a99fc9
- SHA1
  
  2217b96394209dac95f75bdbd78f97f48a2c7f5d
- SHA256
  
  34a4f26cb133ab9bfaf9339e73b3421f88b3cf2ae7b59be0a186b19f8dd3fb66
- SHA512
  
  4c1899197719512f4088253bb8579f139f8a21a67f8f801009c1a3137335ca677d1ef43cebd6d3b05f45fb20b5fe3561798f9a8a720a82442382d620109abf14
- SSDEEP
  
  768:5TPE/yJQgRjt7wEYp2EeggGPVyzErU2np:xjQgVt8EYp2ETPoorUq
Score

1^/10
behavioral1
- Target
  
  xrx/config.json
- Size
  
  4KB
- MD5
  
  6fa72ed187a47489ee53aa68896ae30e
- SHA1
  
  b3ce93e7b86c342dd24a1b29a24466235293a6c9
- SHA256
  
  9783c06015b727cb4fd24439f1877aefd166131667083005d2b9d757ff1e9b9e
- SHA512
  
  dae02a1b455c60bf72218f0d58a98c3518abfae22e3c21dde54bacc8656a17568475f677a897a50434d9364fed3dc4d91242da856715ab499cdf56ab7eaef4bf
- SSDEEP
  
  96:CtWTdyHFBEUCvfPiwVniwPiwyiwE+iw0FiB:LzUCHawViwawdwEpw0Fi
Score

1^/10
behavioral2 behavioral3 behavioral4 behavioral5
- Target
  
  xrx/init.sh
- Size
  
  1020KB
- MD5
  
  42693670c71a529a11e81943f5b36c5b
- SHA1
  
  9026cc25786215bba3bc06c4875f7da410425f8c
- SHA256
  
  eb2329422e52901d0bea0c0fcc4b3a6d1923ef278a96d2a14ab1839882cd0ecf
- SHA512
  
  a92d9bd9cd4c1c81a2e8042a9b7c31badba5e033743f34fb851b60350c5833afb246c64fc982112afecad9b1fc48bfdeab16a7bda169b4a635a8922549067d82
- SSDEEP
  
  12288:ztLJzlNZDaY9FnavUIqEhgvmKe36myOP7/67LN5kwrHNq9EnE:zvxNZD7FnavUILhgvJeb/67LFLNq9
Score

6^/10

discovery
- Enumerates running processes
  Discovers information about currently running processes on the system
behavioral6
- Target
  
  xrx/init0
- Size
  
  1.0MB
- MD5
  
  73f9917255a953eb749f5a3c90e3b383
- SHA1
  
  c8e392cf523aca7e2df62f72d68c83829f0c085d
- SHA256
  
  c5c11802623d02ba9b1c2c7a52579dbf0c3aa4c87ae6fc85cbfcd71dffffec27
- SHA512
  
  65b8946b67d42003272690266ccddb59ce715edd16eb6e67e8c3e2b34bb9e092ec736900432efbc1c70777c831742f820b61de8098a6438005641df4f3ddbe46
- SSDEEP
  
  12288:fbS+JhtEBBYYFkfciIqELZ3OlN6myOP7/i7L95k2rHNq9EnE:fXJ/EBJFkfciIjLZ3Ih/i7LbLNq9
Score

8^/10

antivm credential_access defense_evasion discovery execution persistence privilege_escalatio privilege_escalation
- Adds new SSH keys
  Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.
  persistence privilege_escalation
- Modifies password files for system users/ groups
  Modifies files storing password hashes of existing users/ groups, likely to grant additional privileges.
  persistence credential_access defense_evasion
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Modifies PAM framework files
  Modifies Linux PAM framework files, possibly to intercept credentials.
  persistence credential_access defense_evasion
- OS Credential Dumping
  Adversaries may attempt to dump credentials to use it in password cracking.
  credential_access
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  Abuse sudo or cached sudo credentials to execute code.
  privilege_escalation defense_evasion
- Adds a user to the system
- Attempts to change immutable files
  Modifies inode attributes on the filesystem to allow changing of immutable files.
- Checks hardware identifiers (DMI)
  Checks DMI information which indicate if the system is a virtual machine.
  antivm
- Checks mountinfo of local process
  Checks mountinfo of running processes which indicate if it is running in chroot jail.
  antivm
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalatio
- Deletes log files
  Deletes log files on the system.
  defense_evasion
- Enumerates running processes
  Discovers information about currently running processes on the system
- Modifies special file permissions
  Adds special setuid and/ or setgid bits on a file, possibly to elevate privileges.
  defense_evasion privilege_escalation
- Write file to user bin folder
  persistence
- Reads process memory
  Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.
  credential_access
behavioral7
- Target
  
  xrx/key
- Size
  
  388B
- MD5
  
  ccd9cd77d2eb605e072a608b23bed991
- SHA1
  
  95a5b3a753122370cb429c8c1ad346a5dac04560
- SHA256
  
  7030c0f2c017d2e433965bf1112ea402ff36d852af1c2969261fc2b66d94183d
- SHA512
  
  9676f9b7bec2f916921f99e46885f326a1374fb20715582dbdd87942ab5b9dfde5e78a96c62b14108c9229717e40a7dce880c787f9ff79ab42a4e9fd209cea62
Score

1^/10
behavioral10 behavioral11 behavioral8 behavioral9
- Target
  
  xrx/scp
- Size
  
  63B
- MD5
  
  7e21ae4da5edbbe4adaeacd5f7c1ece6
- SHA1
  
  f5574230833e98e010ecea9ceb027c2981f57488
- SHA256
  
  fc26873006164decacbcfb01d246b54539b786b404be0bb1a5cde5263031663a
- SHA512
  
  113ca3b1217fa477acd003d65faac8913e805281ae7f664a7a91d6195c0e354831645238f98c6c9d7fe622587065e1db5e7d2a2385ad32ff17b6644832563b1c
Score

1^/10
behavioral12 behavioral13 behavioral14 behavioral15
- Target
  
  xrx/secure
- Size
  
  1023KB
- MD5
  
  069ad3938c3f9c049f670a8eb49dc1d8
- SHA1
  
  f4fd0c87a18d45ab4b642f32a94673c949ab7caf
- SHA256
  
  84d4b99f0d98900b4eadb7e107bf54196f2e5796d8707ebf0dcd76f5b6693295
- SHA512
  
  3c627883f53082face65b22d353c1926c4d4f4de008cf41cf2a3326762ad080dd95324f2fd35c3f60c069df4fb2c510d4fa07b26cbc404678f8a655c884beedb
- SSDEEP
  
  12288:SBgtRmLBGYhFcueTIqRe/w/Yt6myOP7/x7L15k7bKrHNq9EnE:SQRmLBTFcueTIie/wgB/x7LFLNq9
Score

7^/10

defense_evasion discovery execution persistence privilege_escalatio
- File and Directory Permissions Modification
  Adversaries may modify file or directory permissions to evade defenses.
  defense_evasion
- Attempts to change immutable files
  Modifies inode attributes on the filesystem to allow changing of immutable files.
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  execution persistence privilege_escalatio
- Enumerates running processes
  Discovers information about currently running processes on the system
behavioral16
- Target
  
  xrx/uninstall.sh
- Size
  
  2KB
- MD5
  
  e4cc1a7f992909e8509520fdd6c9a3f7
- SHA1
  
  2978a46c0be87a65e4371c0682329fbda7f631b0
- SHA256
  
  5b6783965bcab2350aa9559c6f4c08fe44d7ae764ac8fbdcb7722056a2b000d3
- SHA512
  
  20e14b888f90e5f5ee3c560326f16be46dfded9cf992a8436295d0318c41336109cc9750e9f3b9e5461cd95fc226da9619af0b65fdcf9093c289df983cb5040b
Score

6^/10

discovery
- Enumerates running processes
  Discovers information about currently running processes on the system
behavioral17 behavioral18 behavioral19 behavioral20
- Target
  
  xrx/xrx
- Size
  
  5.9MB
- MD5
  
  9d099882a24757ac5033b0c675fecbe5
- SHA1
  
  1c1b1a4608918b6e95065c86b4a338e245ab36b2
- SHA256
  
  fb86120a4a1b13b29957eb5f95f7857cf9e469514fc20d25fad02ae87bf99091
- SHA512
  
  a59a855b10c0b0a0f84cfdfa89ae004c76be08a4879761d588810ef2e5f247298be63e3cd60dd2510ab35e3f3653fa4423ffb579c17f7b3e09ac47c5d4aeb9d0
- SSDEEP
  
  98304:h5ge1EgVtDw6pvf0pttZppppppZppppRlclclJGToGToGTCaqOpU6cXTpKDL4xW+:hNrD2irwCYM5qDv
Score

6^/10

antivm discovery
- Checks hardware identifiers (DMI)
  Checks DMI information which indicate if the system is a virtual machine.
  antivm
- Reads hardware information
  Accesses system info like serial numbers, manufacturer names etc.
  discovery
behavioral21