3968a850f5bc70d954bb5609d929f181a6f05a117fa3be4531cbd96cedfde5d6

Resubmissions

02-01-2025 21:27

250102-1arsfawnat 10

21-12-2024 14:36

241221-ryt32a1mhx 10

Analysis

max time kernel
6s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
02-01-2025 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

329D6F9DDBF138D4/locker_ESXI_X64
Size

93KB
MD5

b76b092f5188ccc8a046ffb4659c3641
SHA1

82e19d8b7bc5379528feb9c3a335d70d79358229
SHA256

dd1cf10faf4e638bb5a0efeeaa4bc2f1c91557c22e93d3f135e7e7c7f0e7be55
SHA512

bf06f2d65f7eca482066da6b1cace219cba2e2ebae0034de3e3bae429a2e821ea2d35a41534d6d9d159ae992ef0b5c5a268a48a05ae1fbb0da69a2122631653f
SSDEEP

1536:Jv8RiloA2YObuLk8WKP/gCILnPG+atNoU+tqRAJy+p4G:1Zl/2Ym8LZOnPG+iNoDtqRaya

Score

8^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Traces remote process 1 IoCs

pid	Process
1482	locker_ESXI_X64

Reads user data of web browsers 3 TTPs 17 IoCs

Reads stored browser data which can include saved credentials.

spyware stealer credential_access discovery

Data from Local System

T1005

Credentials from Web Browsers

T1555.003

Browser Information Discovery

T1217

description	ioc	Process
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release/storage/permanent/chrome/idb/3561288849sdhlie.files	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.files	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release/storage/permanent/chrome/idb/1657114595AmcateirvtiSty.files	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/Crash Reports	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/wnke7l3k.default	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release/security_state	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release/storage/permanent	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release/minidumps	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release/storage	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release/storage/permanent/chrome	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release/crashes	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release/crashes/events	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release/storage/permanent/chrome/idb	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/Pending Pings	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/Crash Reports/events	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/sowduft3.default-release/storage/permanent/chrome/idb/1451318868ntouromlalnodry--epcr.files	locker_ESXI_X64

Reads AppArmor ptrace settings 1 TTPs 1 IoCs

Discovery of allowed ptrace capabilities by AppArmor.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/security/apparmor/features/ptrace	locker_ESXI_X64

Enumerates running processes
Discovers information about currently running processes on the system

Reads hardware information 1 TTPs 1 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/power	locker_ESXI_X64

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/statistics	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/power	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power	locker_ESXI_X64

Reads CPU attributes 1 TTPs 23 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/power	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/vulnerabilities	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/power	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/power	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/power	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/microcode	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/power	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/hotplug	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/power	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpufreq	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/power	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpuidle	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/microcode	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/smt	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/topology	locker_ESXI_X64

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4/js0/power	locker_ESXI_X64
File opened for reading	/sys/bus/i2c/drivers/max77693	locker_ESXI_X64
File opened for reading	/sys/devices/platform/floppy.0/block/fd0/holders	lsblk
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sendmmsg	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/block/loop5/slaves	locker_ESXI_X64
File opened for reading	/sys/firmware/qemu_fw_cfg/by_key/33	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_lgetxattr	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getsid	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/bdi/7:7	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/block/sr0/power	locker_ESXI_X64
File opened for reading	/sys/bus/platform/drivers/clk-lpt	locker_ESXI_X64
File opened for reading	/sys/bus/i2c/drivers/palmas	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:a-0000064	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/timer/hrtimer_start	locker_ESXI_X64
File opened for reading	/sys/module/pcie_aspm/parameters	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/tty/tty52/power	locker_ESXI_X64
File opened for reading	/sys/devices/platform/serial8250/tty/ttyS28	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:06.0/virtio1/block/vda/mq/0	locker_ESXI_X64
File opened for reading	/sys/devices	locker_ESXI_X64
File opened for reading	/sys/block/sr0/dev	lsblk
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_chmod	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/irq/irq_handler_exit	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/cpuhp/cpuhp_exit	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/block/loop7	locker_ESXI_X64
File opened for reading	/sys/module/vt/parameters	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_dbc_handle_event	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/block/block_dirty_buffer	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/writeback/writeback_mark_inode_dirty	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_mknod	locker_ESXI_X64
File opened for reading	/sys/devices/system/clockevents	locker_ESXI_X64
File opened for reading	/sys/module/pstore/parameters	locker_ESXI_X64
File opened for reading	/sys/dev/block/7:1	lsblk
File opened for reading	/sys/kernel/slab/sock_inode_cache	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:0000384/cgroup	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_setaffinity	locker_ESXI_X64
File opened for reading	/sys/class/ata_link	locker_ESXI_X64
File opened for reading	/sys/fs/cgroup/pids/user.slice/user-0.slice	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/dax_cache/cgroup	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/xhci-hcd/xhci_free_virt_device	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/proc_inode_cache	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/block/loop4	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_inotify_init	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sched_getaffinity	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/fs_dax/dax_pte_fault_done	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/irq/softirq_entry	locker_ESXI_X64
File opened for reading	/sys/devices/system/container/PNP0A06:01	locker_ESXI_X64
File opened for reading	/sys/module/cryptd/holders	locker_ESXI_X64
File opened for reading	/sys/bus/pci-epf/drivers	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_sysfs	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata3/ata_port/ata3	locker_ESXI_X64
File opened for reading	/sys/bus/platform/drivers/fw_cfg	locker_ESXI_X64
File opened for reading	/sys/bus/pci/drivers/ata_generic	locker_ESXI_X64
File opened for reading	/sys/module/kgdboc	locker_ESXI_X64
File opened for reading	/sys/module/fb_sys_fops/holders	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata3/host2/scsi_host/host2/power	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/tty/tty40/power	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_brk	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata7/link7/ata_link/link7/power	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/block/loop3/slaves	locker_ESXI_X64
File opened for reading	/sys/bus/pci	locker_ESXI_X64
File opened for reading	/sys/firmware	locker_ESXI_X64
File opened for reading	/sys/module/printk/parameters	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/regulator/regulator_set_voltage_complete	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_vhangup	locker_ESXI_X64

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1035/stat	ps
File opened for reading	/proc/1137/cmdline	ps
File opened for reading	/proc/160/task/160/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/267/task/267/ns	locker_ESXI_X64
File opened for reading	/proc/1475/task/1475/ns	locker_ESXI_X64
File opened for reading	/proc/7/fd	locker_ESXI_X64
File opened for reading	/proc/1140/task/1142/net	locker_ESXI_X64
File opened for reading	/proc/1157/task/1170/attr/smack	locker_ESXI_X64
File opened for reading	/proc/1479/task/1479/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/1169/task/1169/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/1054/status	ps
File opened for reading	/proc/166/task/166/fdinfo	locker_ESXI_X64
File opened for reading	/proc/198/task/198/net	locker_ESXI_X64
File opened for reading	/proc/1005/task/1014/attr/smack	locker_ESXI_X64
File opened for reading	/proc/536	locker_ESXI_X64
File opened for reading	/proc/538/task/545	locker_ESXI_X64
File opened for reading	/proc/1173/task	locker_ESXI_X64
File opened for reading	/proc/172/fdinfo	locker_ESXI_X64
File opened for reading	/proc/1077/task/1080/net	locker_ESXI_X64
File opened for reading	/proc/1118/cmdline	ps
File opened for reading	/proc/948/task/952/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/1140/map_files	locker_ESXI_X64
File opened for reading	/proc/1275/task/1280/attr	locker_ESXI_X64
File opened for reading	/proc/1141/task/1141/net/stat	locker_ESXI_X64
File opened for reading	/proc/1183	locker_ESXI_X64
File opened for reading	/proc/79/map_files	locker_ESXI_X64
File opened for reading	/proc/1077	locker_ESXI_X64
File opened for reading	/proc/1077/task/1078/attr/smack	locker_ESXI_X64
File opened for reading	/proc/1298/task/1298	locker_ESXI_X64
File opened for reading	/proc/424/ns	locker_ESXI_X64
File opened for reading	/proc/651/task/657/net/stat	locker_ESXI_X64
File opened for reading	/proc/1157/task/1192/attr/smack	locker_ESXI_X64
File opened for reading	/proc/157/task/157/ns	locker_ESXI_X64
File opened for reading	/proc/1077/task/1077/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/1255/task/1257/fdinfo	locker_ESXI_X64
File opened for reading	/proc/153/task/153/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/709/task/991/fdinfo	locker_ESXI_X64
File opened for reading	/proc/1143/task/1152/fd	locker_ESXI_X64
File opened for reading	/proc/1143/stat	ps
File opened for reading	/proc/253/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/267/task/267/fdinfo	locker_ESXI_X64
File opened for reading	/proc/1122/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/506/task/506/attr	locker_ESXI_X64
File opened for reading	/proc/937/task	locker_ESXI_X64
File opened for reading	/proc/1029/task/1029/fd	locker_ESXI_X64
File opened for reading	/proc/709/task/1460/attr	locker_ESXI_X64
File opened for reading	/proc/1157/task/1157/attr	locker_ESXI_X64
File opened for reading	/proc/1239/attr/smack	locker_ESXI_X64
File opened for reading	/proc/1323/fdinfo	locker_ESXI_X64
File opened for reading	/proc/82/net/stat	locker_ESXI_X64
File opened for reading	/proc/651/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/699/task/699/net/stat	locker_ESXI_X64
File opened for reading	/proc/253/attr	locker_ESXI_X64
File opened for reading	/proc/507/task/518/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/559/task/563/ns	locker_ESXI_X64
File opened for reading	/proc/1035/task/1036/fdinfo	locker_ESXI_X64
File opened for reading	/proc/12/task/12/ns	locker_ESXI_X64
File opened for reading	/proc/23/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/26/attr/smack	locker_ESXI_X64
File opened for reading	/proc/1005/fdinfo	locker_ESXI_X64
File opened for reading	/proc/1255/task/1256	locker_ESXI_X64
File opened for reading	/proc/1293/task/1311/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/1331/net/stat	locker_ESXI_X64
File opened for reading	/proc/1361/task/1361/net/stat	locker_ESXI_X64

/tmp/329D6F9DDBF138D4/locker_ESXI_X64
/tmp/329D6F9DDBF138D4/locker_ESXI_X64
1⤵
- Traces remote process
- Reads user data of web browsers
- Reads AppArmor ptrace settings
- Reads hardware information
- Reads network interface configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1482
- /bin/sh
  sh -c "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"
  2⤵
  PID:1483
- - /usr/bin/cut
    cut -d "\"" -f2
    3⤵
    PID:1486
- - /bin/grep
    grep cpuModel
    3⤵
    PID:1485
- /bin/sh
  sh -c "esxcli storage filesystem list | tail -n +3"
  2⤵
  PID:1487
- - /usr/bin/tail
    tail -n +3
    3⤵
    PID:1489
- /bin/sh
  sh -c "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"
  2⤵
  PID:1490
- - /usr/bin/tail
    tail -n +2
    3⤵
    PID:1492
- - /bin/lsblk
    lsblk -io "KNAME,TYPE,SIZE,MODEL"
    3⤵
    - Enumerates kernel/hardware configuration
    PID:1491
- /bin/sh
  sh -c "uname -a"
  2⤵
  PID:1493
- - /bin/uname
    uname -a
    3⤵
    PID:1494
- /bin/sh
  sh -c "vmware -v"
  2⤵
  PID:1495
- /bin/sh
  sh -c "ls -alR /vmfs/"
  2⤵
  PID:1507
- - /bin/ls
    ls -alR /vmfs/
    3⤵
    PID:1508
- /bin/sh
  sh -c "ps auxf"
  2⤵
  PID:1509
- - /bin/ps
    ps auxf
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1510

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads