3968a850f5bc70d954bb5609d929f181a6f05a117fa3be4531cbd96cedfde5d6

Resubmissions

02-01-2025 21:27

250102-1arsfawnat 10

21-12-2024 14:36

241221-ryt32a1mhx 10

Analysis

max time kernel
3s
max time network
131s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240729-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
02-01-2025 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

329D6F9DDBF138D4/locker_ESXI_X64
Size

93KB
MD5

b76b092f5188ccc8a046ffb4659c3641
SHA1

82e19d8b7bc5379528feb9c3a335d70d79358229
SHA256

dd1cf10faf4e638bb5a0efeeaa4bc2f1c91557c22e93d3f135e7e7c7f0e7be55
SHA512

bf06f2d65f7eca482066da6b1cace219cba2e2ebae0034de3e3bae429a2e821ea2d35a41534d6d9d159ae992ef0b5c5a268a48a05ae1fbb0da69a2122631653f
SSDEEP

1536:Jv8RiloA2YObuLk8WKP/gCILnPG+atNoU+tqRAJy+p4G:1Zl/2Ym8LZOnPG+iNoDtqRaya

Score

8^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Traces remote process 1 IoCs

pid	Process
1402	locker_ESXI_X64

Reads user data of web browsers 3 TTPs 18 IoCs

Reads stored browser data which can include saved credentials.

spyware stealer credential_access discovery

Data from Local System

T1005

Credentials from Web Browsers

T1555.003

Browser Information Discovery

T1217

description	ioc	Process
File opened for reading	/root/.mozilla/firefox/Crash Reports/events	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/crashes	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.files	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/storage/permanent/chrome/idb/3561288849sdhlie.files	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/crashes/events	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/storage/permanent	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/storage/permanent/chrome/idb/1657114595AmcateirvtiSty.files	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/storage/permanent/chrome/idb	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/storage/permanent/chrome/idb/1451318868ntouromlalnodry--epcr.files	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/minidumps	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/storage/permanent/chrome	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/Pending Pings	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/Crash Reports	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/8tev645p.default	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/extension-store	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/security_state	locker_ESXI_X64
File opened for reading	/root/.mozilla/firefox/ei3lxjf8.default-release/storage	locker_ESXI_X64

Reads AppArmor ptrace settings 1 TTPs 1 IoCs

Discovery of allowed ptrace capabilities by AppArmor.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/security/apparmor/features/ptrace	locker_ESXI_X64

Enumerates running processes
Discovers information about currently running processes on the system

Reads hardware information 1 TTPs 1 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/power	locker_ESXI_X64

Reads network interface configuration 2 TTPs 12 IoCs

Fetches information about one or more active network interfaces.

discovery

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

description	ioc	Process
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/statistics	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0/byte_queue_limits	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/rx-0	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/statistics	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0/byte_queue_limits	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues/rx-0	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/power	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:03.0/net/ens3/queues/tx-0	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/power	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/net/lo/queues/tx-0	locker_ESXI_X64

Reads CPU attributes 1 TTPs 16 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/hotplug	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/power	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/topology	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/cpuidle	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/vulnerabilities	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpufreq	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/hotplug	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/power	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/smt	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache	locker_ESXI_X64
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1	locker_ESXI_X64

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/tracing/events/huge_memory/mm_collapse_huge_page_swapin	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:A-0000128/cgroup/pid(441:dbus.service)	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_pwritev	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/misc/vga_arbiter	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/filelock/generic_delete_lease	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/skbuff_head_cache	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/net/netif_rx_exit	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/block/loop4	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/sched/sched_switch	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/rtc/rtc_read_time	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_sync_file_range	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/scsi/scsi_dispatch_cmd_error	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/writeback/writeback_exec	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/block/loop3/mq/0	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/dentry/cgroup/dentry(425:cron.service)	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/anon_vma/cgroup/anon_vma(663:unattended-upgrades.service)	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/kmalloc-512/cgroup/kmalloc-512(369:accounts-daemon.service)	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:A-0001152/cgroup/signal_cache(633:gdm.service)	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_sched_getattr	locker_ESXI_X64
File opened for reading	/sys/module/usbhid	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_enter_chroot	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/kmalloc-64/cgroup/kmalloc-64(1053:gnome-terminal-server.service)	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/ext4/ext4_getfsmap_low_key	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_symlinkat	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/syscalls/sys_exit_fremovexattr	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:a-0000104/cgroup/buffer_head(1065:gvfs-metadata.service)	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:A-0000040/cgroup/pde_opener(989:gsd-smartcard.service)	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata8/link8/power	locker_ESXI_X64
File opened for reading	/sys/devices/msr/power	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/ras/arm_event	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_ioprio_get	locker_ESXI_X64
File opened for reading	/sys/devices/system/memory/memory9/power	locker_ESXI_X64
File opened for reading	/sys/devices/parport0/lp.0	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/jbd2/jbd2_checkpoint	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_enter_getcpu	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/vc/vcs5	locker_ESXI_X64
File opened for reading	/sys/module/mac_hid/holders	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/RAWv6/cgroup	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_timer_gettime	locker_ESXI_X64
File opened for reading	/sys/module/qemu_fw_cfg	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/block/block_plug	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/syscalls/sys_exit_mkdir	locker_ESXI_X64
File opened for reading	/sys/fs/cgroup/systemd/user.slice/user-0.slice/[email protected]/init.scope	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/irq_vectors/threshold_apic_entry	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/QEMU0002:00	locker_ESXI_X64
File opened for reading	/sys/module/syscopyarea/sections	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:0002632/cgroup	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:A-0000040/cgroup/pde_opener(369:accounts-daemon.service)	locker_ESXI_X64
File opened for reading	/sys/kernel/security/integrity/ima	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/power/pm_qos_add_request	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/workqueue	locker_ESXI_X64
File opened for reading	/sys/fs/cgroup/systemd/user.slice/user-0.slice/[email protected]/gsd-a11y-settings.service	locker_ESXI_X64
File opened for reading	/sys/fs/cgroup/unified/user.slice/user-0.slice/[email protected]/gsd-smartcard.service	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/kmalloc-64/cgroup/kmalloc-64(831:NetworkManager.service)	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:A-0000256/cgroup/filp(361:snapd.socket)	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/:A-0000128/cgroup/pid(857:evolution-addressbook-factory.service)	locker_ESXI_X64
File opened for reading	/sys/devices/pci0000:00/0000:00:04.0/ata4/host3/target3:0:0/3:0:0:0/scsi_device/3:0:0:0	locker_ESXI_X64
File opened for reading	/sys/fs/cgroup/memory/user.slice/user-0.slice/[email protected]/gsd-keyboard.service	locker_ESXI_X64
File opened for reading	/sys/kernel/tracing/events/tcp/tcp_retransmit_skb	locker_ESXI_X64
File opened for reading	/sys/kernel/slab/radix_tree_node/cgroup/radix_tree_node(321:systemd-tmpfiles-setup.service)	locker_ESXI_X64
File opened for reading	/sys/kernel/debug/tracing/events/power/clock_set_rate	locker_ESXI_X64
File opened for reading	/sys/devices/virtual/tty/tty27	locker_ESXI_X64
File opened for reading	/sys/bus/acpi/drivers/hardware_error_device	locker_ESXI_X64

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/669	locker_ESXI_X64
File opened for reading	/proc/779/fd	locker_ESXI_X64
File opened for reading	/proc/74/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/480/task/480/fdinfo	locker_ESXI_X64
File opened for reading	/proc/924/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/90/task/90/attr	locker_ESXI_X64
File opened for reading	/proc/118/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/442/task/442	locker_ESXI_X64
File opened for reading	/proc/924/task/924/net/stat	locker_ESXI_X64
File opened for reading	/proc/1075/task/1162/ns	locker_ESXI_X64
File opened for reading	/proc/5/task/5/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/161/map_files	locker_ESXI_X64
File opened for reading	/proc/1033/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/6/fdinfo	locker_ESXI_X64
File opened for reading	/proc/171/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/903/fdinfo	locker_ESXI_X64
File opened for reading	/proc/960/task/961/net	locker_ESXI_X64
File opened for reading	/proc/925/task/948/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/954/task/955/attr/smack	locker_ESXI_X64
File opened for reading	/proc/1041/task/1043/net	locker_ESXI_X64
File opened for reading	/proc/1298/task/1299/attr	locker_ESXI_X64
File opened for reading	/proc/967/task/967/net	locker_ESXI_X64
File opened for reading	/proc/1023/task/1024/fdinfo	locker_ESXI_X64
File opened for reading	/proc/1349/task	locker_ESXI_X64
File opened for reading	/proc/87/fd	locker_ESXI_X64
File opened for reading	/proc/92/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/560/task/560	locker_ESXI_X64
File opened for reading	/proc/898/task/898/net	locker_ESXI_X64
File opened for reading	/proc/1127/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/70/task/70/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/480/attr	locker_ESXI_X64
File opened for reading	/proc/irq/5	locker_ESXI_X64
File opened for reading	/proc/173/task/173/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/1122/task/1148/attr/smack	locker_ESXI_X64
File opened for reading	/proc/1340/task/1340/attr	locker_ESXI_X64
File opened for reading	/proc/1/task/1/net/stat	locker_ESXI_X64
File opened for reading	/proc/588/map_files	locker_ESXI_X64
File opened for reading	/proc/1054/task/1054/ns	locker_ESXI_X64
File opened for reading	/proc/1115/task/1166/attr	locker_ESXI_X64
File opened for reading	/proc/1115/fd	locker_ESXI_X64
File opened for reading	/proc/159/task/159/net	locker_ESXI_X64
File opened for reading	/proc/200/task/200/attr/apparmor	locker_ESXI_X64
File opened for reading	/proc/73/status	ps
File opened for reading	/proc/828/stat	ps
File opened for reading	/proc/24/task/24/net/stat	locker_ESXI_X64
File opened for reading	/proc/828/task/828/net/stat	locker_ESXI_X64
File opened for reading	/proc/1399/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/1064/task/1067/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/1119/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/169/attr/smack	locker_ESXI_X64
File opened for reading	/proc/694/task	locker_ESXI_X64
File opened for reading	/proc/828/task/828/net/netfilter	locker_ESXI_X64
File opened for reading	/proc/1033/task/1036/net	locker_ESXI_X64
File opened for reading	/proc/932/stat	ps
File opened for reading	/proc/15	locker_ESXI_X64
File opened for reading	/proc/165/task/165/net/dev_snmp6	locker_ESXI_X64
File opened for reading	/proc/560/status	ps
File opened for reading	/proc/9/map_files	locker_ESXI_X64
File opened for reading	/proc/1064/task/1066/ns	locker_ESXI_X64
File opened for reading	/proc/89/task/89/attr	locker_ESXI_X64
File opened for reading	/proc/1023/task/1026/attr/smack	locker_ESXI_X64
File opened for reading	/proc/1102/task/1159/attr/smack	locker_ESXI_X64
File opened for reading	/proc/4/task/4/net/stat	locker_ESXI_X64
File opened for reading	/proc/14/task/14/ns	locker_ESXI_X64

/tmp/329D6F9DDBF138D4/locker_ESXI_X64
/tmp/329D6F9DDBF138D4/locker_ESXI_X64
1⤵
- Traces remote process
- Reads user data of web browsers
- Reads AppArmor ptrace settings
- Reads hardware information
- Reads network interface configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:1402
- /bin/sh
  sh -c "vim-cmd hostsvc/hostsummary | grep cpuModel | cut -d '\"' -f2"
  2⤵
  PID:1403
- - /usr/bin/cut
    cut -d "\"" -f2
    3⤵
    PID:1406
- - /usr/bin/grep
    grep cpuModel
    3⤵
    PID:1405
- /bin/sh
  sh -c "esxcli storage filesystem list | tail -n +3"
  2⤵
  PID:1407
- - /usr/bin/tail
    tail -n +3
    3⤵
    PID:1409
- /bin/sh
  sh -c "lsblk -io KNAME,TYPE,SIZE,MODEL | tail -n +2"
  2⤵
  PID:1410
- - /usr/bin/tail
    tail -n +2
    3⤵
    PID:1412
- - /usr/bin/lsblk
    lsblk -io "KNAME,TYPE,SIZE,MODEL"
    3⤵
    PID:1411
- /bin/sh
  sh -c "uname -a"
  2⤵
  PID:1413
- - /usr/bin/uname
    uname -a
    3⤵
    PID:1414
- /bin/sh
  sh -c "vmware -v"
  2⤵
  PID:1415
- /bin/sh
  sh -c "ls -alR /vmfs/"
  2⤵
  PID:1455
- - /usr/bin/ls
    ls -alR /vmfs/
    3⤵
    PID:1456
- /bin/sh
  sh -c "ps auxf"
  2⤵
  PID:1457
- - /usr/bin/ps
    ps auxf
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1458

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Network Configuration Discovery

T1016

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads