Analysis
max time kernel: 149s
max time network: 152s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20240611-en
resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
submitted: 29-11-2024 17:25
Static task: static1
Behavioral task: behavioral1
Sample: i586.elf
Resource: ubuntu2204-amd64-20240611-en
General
Target: i586.elf
Size: 84KB
MD5: f4c7c1923b70ef59b7f6497b566cf4e1
SHA1: ff1140096069212e88aad285ed2d9018b028a92a
SHA256: 56a4cdf8e1b0495ed616771f89503cb7d61db1b0dd50ea1b109d3794799da385
SHA512: fc7071f23c47c20b70cbac52f2dff30cef4d1dbf5acee86c1c6bb238e85eb8628f2e296296902d62ed2581e6161e214779ea8e7de4b5a4503754fde73d2fead9
SSDEEP: 1536:MMVHgID0gMG8lecoq52lp3lwNE0NhW+2h3Ab2m5C+6RsU731k9HXquJr:MQgIDx8wcoq52lpK57Wxh3eRwO9nt
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Redline family
- Contacts a large (35360) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it from restarting an infected system.
  description | ioc | Process
  File opened for modification | /dev/watchdog | i586.elf
  File opened for modification | /dev/misc/watchdog | i586.elf
- Renames itself (1 IoCs)
  pid | Process
  1584 | i586.elf
- Enumerates running processes
  Discovers information about currently running processes on the system.
- Changes its process name (1 IoCs)
  description | ioc | pid | Process
  Changes the process name, possibly in an attempt to hide itself | /usr/bin/inetd | 1584 | i586.elf
- Checks CPU configuration (1 TTPs, 1 IoCs)
  Checks CPU information, which indicates whether the system is a virtual machine.
  description | ioc | Process
  File opened for reading | /proc/cpuinfo | i586.elf