Analysis
- max time kernel: 132s
- max time network: 150s
- platform: ubuntu-22.04_amd64
- resource: ubuntu2204-amd64-20240611-en
- resource tags: arch:amd64, arch:i386, image:ubuntu2204-amd64-20240611-en, kernel:5.15.0-105-generic, locale:en-us, os:ubuntu-22.04-amd64, system
- submitted: 01-02-2025 11:33
Behavioral task: behavioral1
- Sample: 193.143.1.32-x86-2025-02-01T101650.elf
- Resource: ubuntu2204-amd64-20240611-en
General
- Target: 193.143.1.32-x86-2025-02-01T101650.elf
- Size: 48KB
- MD5: dc2fc820c51c91236cf18c5528f95cde
- SHA1: 4e44cb3135adccc8fa699d3ea8a192dfcceb779f
- SHA256: 5188c58d0629c08606d274d4dfadd1503271c8c99bdcf5098544e3a00e0808c6
- SHA512: cdf9a8c71c4fccd6e435214447522f2f2462050e654891098c72e8d165b0193e9c327e66a76583d7636bc54299b5723f61b0c6bf71235e646f36d50bddd83023
- SSDEEP: 1536:aH3oG7jBo2VZXuP58uwVcRON9u/Sre1szExab:aH40jBo2ru58uUcoi/SreyzS8
Malware Config

Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Redline family
- Contacts a large (110952) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Deletes itself (1 IoCs)
  pid: 1573
- Modifies Watchdog functionality (1 TTPs, 2 IoCs)
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
  description / ioc:
  - File opened for modification: /dev/misc/watchdog
  - File opened for modification: /dev/watchdog
- Renames itself (1 IoCs)
  pid: 1573
- Unexpected DNS network traffic destination (1 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description / ioc:
  - Destination IP: 194.36.144.87
- Enumerates active TCP sockets (1 TTPs, 1 IoCs)
  Gets active TCP sockets from /proc virtual filesystem.
  description / ioc:
  - File opened for reading: /proc/net/tcp
- Enumerates running processes
  Discovers information about currently running processes on the system
- Changes its process name (1 IoCs)
  description / pid:
  - Changes the process name, possibly in an attempt to hide itself: 1573
- Reads system network configuration (1 TTPs, 1 IoCs)
  Uses contents of /proc filesystem to enumerate network settings.
  description / ioc:
  - File opened for reading: /proc/net/tcp
  description / ioc (files opened for reading):
  - /proc/1057/status
  - /proc/1058/status
  - /proc/1170/status
  - /proc/1244/status
  - /proc/453/status
  - /proc/552/status
  - /proc/768/status
  - /proc/1177/status
  - /proc/417/status
  - /proc/590/status
  - /proc/957/status
  - /proc/1078/status
  - /proc/1101/status
  - /proc/1128/status
  - /proc/1186/status
  - /proc/1563/status
  - /proc/843/status
  - /proc/866/status
  - /proc/1146/status
  - /proc/1160/status
  - /proc/1161/status
  - /proc/984/status
  - /proc/1081/status
  - /proc/870/status
  - /proc/991/status
  - /proc/1037/status
  - /proc/1088/status
  - /proc/1135/status
  - /proc/1182/status
  - /proc/713/status
  - /proc/776/status
  - /proc/1042/status
  - /proc/1166/status
  - /proc/1207/status
  - /proc/1322/status
  - /proc/1363/status
  - /proc/783/status
  - /proc/992/status
  - /proc/1269/status
  - /proc/1319/status
  - /proc/635/status
  - /proc/963/status
  - /proc/594/status
  - /proc/636/status
  - /proc/761/status
  - /proc/771/status
  - /proc/1165/status
  - /proc/1183/status
  - /proc/377/status
  - /proc/586/status
  - /proc/1442/status
  - /proc/1392/status
  - /proc/1428/status
  - /proc/746/status
  - /proc/1159/status
  - /proc/1162/status
  - /proc/637/status
  - /proc/738/status
  - /proc/837/status
  - /proc/1090/status
  - /proc/1238/status
  - /proc/1278/status
  - /proc/614/status
  - /proc/747/status