Resubmissions

13-02-2025 13:04

250213-qaxnksymhs 10

General

  • Target

    Malware.2024.10.31.7z

  • Size

    802.5MB

  • Sample

    250213-qaxnksymhs

  • MD5

    000c365df8d417faecab1c506bb77740

  • SHA1

    32b972072cb61700aa67ec80e30b392bf5b2618c

  • SHA256

    04c37e63a08cede9a9a3676ad9813674d49ee71caf8f4bff9bdeb2feb38c7a2a

  • SHA512

    37e466b5a2be5d35a1898c2c1d24f5d297e814681fdf05b76b3dbd883f5ac65e3413192d1a612aed79aa90e48cfb1e28e3647d3717a5dc208035e6facd9a75e2

  • SSDEEP

    25165824:QtNY1nFM703lIVITdz6liM3wD/KtcVwmQRsLDo:2oFM703uVITJ6kMgD3iuo

Malware Config

Extracted

Family

gafgyt

C2

109.120.156.253:1780

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

Mutex

zdzHZZ7YIg6O

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
aes.plain
aes.plain
aes.plain
aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

1.tcp.ap.ngrok.io:21049

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/s14cUU5G

aes.plain
aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

DcRatMutex_qwqdanchun

Attributes
  • c2_url_file

    https://Pastebin.com/raw/fevFJe98

  • delay

    1

  • install

    true

  • install_file

    123.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SolaraFake

C2

anyone-blogging.gl.at.ply.gg:22284

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Windows.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

CEZER

C2

148.113.165.11:3236

Mutex

eqwe2131ewqeqwe

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

C2

didjmdk3nindi3nd.zapto.org:7000

70.241.39.14:7000

ensure-manual.gl.at.ply.gg:41199

Mutex

Q6QXs3CM0drEuir0

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    XC.exe

aes.plain
aes.plain
aes.plain
aes.plain
aes.plain

Extracted

Family

xworm

C2

award-nails.gl.at.ply.gg:43867

includes-icon.gl.at.ply.gg:41717

fe80::edf5:92cd:756d:3fbd%9:5552

147.185.221.22:46682

127.0.0.1:46682

join-ez.gl.at.ply.gg:55

nohicsq.localto.net:3985

Attributes
  • Install_directory

    %Temp%

  • install_file

    svchost.exe

Extracted

Family

remcos

Botnet

zartal

C2

blanjio.com:5172

blanjio.com:8182

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    1

  • connect_interval

    3

  • copy_file

    enroll.exe

  • copy_folder

    enroll

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • mouse_option

    false

  • mutex

    zapartal-JLINYI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Botnet

RemoteHost-16465

C2

80.76.51.190:16465

rem.aaahorneswll.com:16465

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-XH0QAV

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Botnet

NoPriv

C2

a.ufcfan.org:2425

majikaas.gotdns.ch:2425

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    lose.dat

  • keylog_flag

    false

  • keylog_folder

    Letmeknow

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Baya-RT8KSP

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

lumma

C2

https://servicedny.site/api

https://authorisev.site/api

https://faulteyotk.site/api

https://dilemmadu.site/api

https://contemteny.site/api

https://goalyfeastz.site/api

https://opposezmny.site/api

https://seallysl.site/api

https://drinkyresule.cyou/api

Extracted

Family

vidar

Version

11.3

Botnet

41f1d4e9dfd92d46e8ae8d6acda187ca

Extracted

Family

gandcrab

C2

http://gdcbghvjyqy7jclk.onion.top/

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Fortnitecheatintex

C2

192.168.0.76:4449

Mutex

wjswzgnhbdofbim

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.127.0.227:4782

10.127.0.200:4782

10.127.1.2:1604

Mutex

cc382a3d-9ce3-4b59-ba4b-40acd01a72a5

Attributes
  • encryption_key

    955952829EF4D4C700D061DBC84790B29C3FF5DD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Java update

  • subdirectory

    SubDir

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://31.214.157.49/chrome.zip

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

192.168.91.128:2316

192.168.117.129:2324

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

3C-55-76-C6-BA-75:7777

192.168.0.48:7777

Mutex

d4092da992fc1a554a7600d3355f8f5d

Attributes
  • reg_key

    d4092da992fc1a554a7600d3355f8f5d

  • splitter

    |'|'|

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

21.ip.gl.ply.gg:57655

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Queda ツ

C2

45.61.174.20:5552

Mutex

ZltvfUGAo7zsf3naNu

Attributes
  • encryption_key

    EDWqFemxb3ZTD9Ymr9np

  • install_name

    Venom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

Extracted

Family

mofongoloader

Extracted

Family

lokibot

C2

http://solutviewmen.viewdns.net/bdifygidj/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.dd-54fe5560cb69338057594bfdf0911c042c625a22f54ea59d7d3cfd9d4cf09f56

    • Size

      207KB

    • MD5

      d9a674fbf18283b2457bed5acf6eeee3

    • SHA1

      4514cbde77537c8ecff0ed4fa3e8ea8c31eaae63

    • SHA256

      54fe5560cb69338057594bfdf0911c042c625a22f54ea59d7d3cfd9d4cf09f56

    • SHA512

      2372bf24f078b4fb282cdaf29b4218e8b6bf1475b0ef2a9bbfa22c054f48636a88bd794d13c408f70b87b5f5b30d9a1e21fcb29bcd002b2cc141568e99192ff5

    • SSDEEP

      3072:8WP0M+Qz7aFFzo7ksOIaCHA5hPgsz0Fl0mrpy6n9Nn:JpSgGJCHA5hP1mrpy6n9Nn

    Score
    6/10
    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.dd-7d1b988102f6447b1f2c9ed95273c072946e8ed6768df132a92fb35eaa1d2347

    • Size

      154KB

    • MD5

      3134049b6dd1e3fd8011067c436ff8cb

    • SHA1

      2eb528ed96e50dfb0e0cac97426deb769ee965d8

    • SHA256

      7d1b988102f6447b1f2c9ed95273c072946e8ed6768df132a92fb35eaa1d2347

    • SHA512

      424facb0bd36216c3cf550a8cdb8f0113f0321864cf897315c17b2a337fe7132974eeee0daaa377d6f148845fe5ab7e63b87810879cb581423f15143935b4166

    • SSDEEP

      3072:/EOSql29zGorF8qGnQeqacWucW0JcWcBFI5vN2sPw6MGp8DQv8J3v7NvAmmu1kTG:cPzonQeqacWucW0JcWcBkvE+pFp8DA8D

    Score
    1/10
    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.dd-96e1d6d0086e23b8023c853c5c8e2fe6ddbd046119ed9910317ed2b7d8465127

    • Size

      203KB

    • MD5

      59ca31c31c6144cbd335da008f7b10b4

    • SHA1

      9b91304afbf9019912f8219f19648ddc64956155

    • SHA256

      96e1d6d0086e23b8023c853c5c8e2fe6ddbd046119ed9910317ed2b7d8465127

    • SHA512

      64c93db624f7006cf36d8ce75c0e8d92d103f6d564e57ff3c5b60fe399109d71c3fdf6af6ceab4bfc0ba0e304518bad2652b91c95f11ed4aea2bdab6baf52079

    • SSDEEP

      6144:EmC4ha+4oWsJ17qG/+5hOA6PW4V7ekom0wfB5RyAn:EmC4ha+4oWsJI/5hOO6Vom0mB5RyAn

    Score
    6/10
    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.dd-bb433d2a6c99f2d94140e6e66f0f29e030ead6156eb10f61a0bf562b9e37d14f

    • Size

      154KB

    • MD5

      83faa150586ad1b9e5f44e72be9a4b0e

    • SHA1

      5a501bf035ea5ac3326e34ac70b6bf6037fa1cea

    • SHA256

      bb433d2a6c99f2d94140e6e66f0f29e030ead6156eb10f61a0bf562b9e37d14f

    • SHA512

      dacfb4526e56f06437fd65576dad7019185f84df374db72b40ae30bbb3cfd20e15c2dc16410486f48bd93927e80f05f91621dff7d2e1a74c96204d58b83ca155

    • SSDEEP

      3072:ZMwGBsAshVEB/4BGAXFz5h8HqJmwsweDdAH:3LXh2Qh5h8HkmwsweDdAH

    Score
    1/10
    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.dd-d1a05da3a2d4a15d57ce67f1fdee24ad473e9f35b910557ab775b31e9f58207c

    • Size

      203KB

    • MD5

      d9ad5be591065d93b58d333974e6e638

    • SHA1

      d43b1f921085d202f5bd792e47143aa24993527a

    • SHA256

      d1a05da3a2d4a15d57ce67f1fdee24ad473e9f35b910557ab775b31e9f58207c

    • SHA512

      f4dcfc3e1bd27dfb0675599ae88aeedcafe2d49187c70d677a5899dbb1f61dd4d86529a5ae2b4f1f9f91b11184c2d8ad3ea16f65fedb016f287493f64b6a2cfb

    • SSDEEP

      6144:EmC4ha+4oWsJ17qG/+5hOA6i2ixVekom0wfB5RyAn:EmC4ha+4oWsJI/5hO56Xom0mB5RyAn

    Score
    6/10
    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.dd-da93c0050adf790ae5b18989953da8bf4b33e8308e531b833200a4a039ff8c1c

    • Size

      207KB

    • MD5

      1b486a8660f9840f28b8f48661a32f78

    • SHA1

      eafd2036e60b74ada91c11919fb0c6a2e9bc8c75

    • SHA256

      da93c0050adf790ae5b18989953da8bf4b33e8308e531b833200a4a039ff8c1c

    • SHA512

      6f1bc57af7dd1acc24e00c9eb7a87dce8aad839539094b75026427ea4f4052e73dedd62e57dad4aa30ba75bc28e9ee8d75ba9ed9948a07bb4d30d4ee2ce816e0

    • SSDEEP

      3072:v4dnFE7GqykuXDjS+P475hNMD5Hmrpy6n9Nn:WC7GHnq+P475hNWdmrpy6n9Nn

    Score
    6/10
    • Reads system routing table

      Gets active network interfaces from /proc virtual filesystem.

    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.fj-11c7521680ffbd1f388845179c94dd5bab33a04de39a7a664d6c3eb6b84315ee

    • Size

      100KB

    • MD5

      af1e4bb41b871bc250e35ba6d4f6ce91

    • SHA1

      ce8f08ad52497d99563cba79d3f4530375071539

    • SHA256

      11c7521680ffbd1f388845179c94dd5bab33a04de39a7a664d6c3eb6b84315ee

    • SHA512

      4e02e54b83d226880892b3027c46c25c2a4e509d3f9b5e0449babc23266357243b4ed1128820f80c6992a20c8d44cd92c33ae686196a6f0e0574221bcb352fac

    • SSDEEP

      1536:s5RXUsyDrTrtw9xjOsE1TZvOj3nEiXCEAQhtxsxBEwZ9oyThfnzsTh7V:s55xyDrTrtw9xjjE1TFODF25tfnk

    • Contacts a large (33827) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • Renames itself

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads process memory

      Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.fj-afee245b6f999f6b9d0dd997436df5f2abfb3c8d2a8811ff57e3c21637207d62

    • Size

      62KB

    • MD5

      9e9e24999b43ded769a7f05c31a44886

    • SHA1

      519039426bc9f3f9320d4544240b1747944e788c

    • SHA256

      afee245b6f999f6b9d0dd997436df5f2abfb3c8d2a8811ff57e3c21637207d62

    • SHA512

      94e2cb1153795ffcdc4950d5c394d1fd3090308f9a39624a1642258b457af7218470cb1705f999d65394f41855863ebed52bbb71f90865d1e006cde552b82dac

    • SSDEEP

      1536:S+1VwwGY7/+nCGGkr0nq+Wcysu1N2V1CCtnzsTx:S+14Y+nCGX0nqYu1N2V1NnC

    Score
    1/10
    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.fj-ca3f6dce945ccad5a50ea01262b2d42171f893632fc5c5b8ce4499990e978e5b

    • Size

      70KB

    • MD5

      f23a6bb0404a659b26f2cc143acf1b1e

    • SHA1

      eb3385ded22950ecad06ef4e4ab144f7d4ebb3a9

    • SHA256

      ca3f6dce945ccad5a50ea01262b2d42171f893632fc5c5b8ce4499990e978e5b

    • SHA512

      f632e02013a7074945598617d56d89f01c3a2308d81abcda5fc689e79b489c6e82c738cc2105047a499323903574245cca41c1e1336e399d2997ec2d31596e8a

    • SSDEEP

      1536:LhQ47DACmcw9rD9MxtEFtG6fqYfVpCT9nzsTe:u47DACnUuHExFV0T9n9

    Score
    1/10
    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.fj-df176fb8cfbc7512c77673f862e73833641ebb0d43213492c168f99302dcd5e3

    • Size

      98KB

    • MD5

      ce3c4d1798f20895709453372304ffdc

    • SHA1

      adc9f8f5c3b1ce672e1039051ec691d2106d6780

    • SHA256

      df176fb8cfbc7512c77673f862e73833641ebb0d43213492c168f99302dcd5e3

    • SHA512

      64c024c51497bd11ce32576a6444922dd858b86f100ae742517f1c974a0bab14f65398c1e302b4094c9e345dc686c7ada99bfe55ef8d2436d084a5b33eea5050

    • SSDEEP

      1536:N2kIXCkiYE9LbcypXLvYoSO37DsNVr2LZzRSHDbqfPnzsTrBaZHH:NmQbcy9vYoND9zcDm3niBax

    • Contacts a large (30383) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Modifies Watchdog functionality

      Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.

    • Renames itself

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads process memory

      Read the memory of a process through the /proc virtual filesystem. This can be used to steal credentials.

    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.hy-216ab12c56bba575bd40aaa5d602c062abb5fc8ac405f27a43619c3370d11707

    • Size

      88KB

    • MD5

      fd929479db7457ef8fd2449c9c6051f6

    • SHA1

      38f298adaacb628366eb3e192537849c6f4f02bc

    • SHA256

      216ab12c56bba575bd40aaa5d602c062abb5fc8ac405f27a43619c3370d11707

    • SHA512

      8a6c775483714de2efc13aa82c0bc96b9be7216f564bb6f70f1ace7ed7f45daf9bb451a9002b6a2665eeea7717cefb3e568dbe5a3ead4f4166eaf618a7561fe6

    • SSDEEP

      768:c6Xd/XbmCjFE2VD5xyQJBLTgScM8DXiXs8FbdRH3safLgs7vZIplgPMCLn8uG2U:lNXCRy5xyQJBLTgSq0s8Bd5v/fEY8J2U

    Score
    1/10
    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.hy-2ee2eaa1fce89b91fb70dd2e853ac63b600c11feae4a1624fa90f1c6e33bc67c

    • Size

      100KB

    • MD5

      537559b8588d173d38e35b80fe7ab118

    • SHA1

      65c59f1b6994ae45a1c25e73f75679aea132f57d

    • SHA256

      2ee2eaa1fce89b91fb70dd2e853ac63b600c11feae4a1624fa90f1c6e33bc67c

    • SHA512

      1e000b34d719bd71733ba635848af3b1de569f35e0f9a14a6b566669ccbbcb2ab2f40f8c4b6e9fbfe420351e45839432124ac88040a06727215f607f1def0ab9

    • SSDEEP

      1536:y5nKVd62/zAXmlnizmfAt0pZxYF6gxgT+rAkebG9JPL4y78843o/9n:BVd6AfAt0pjTTT+UWV7bFn

    Score
    1/10
    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.hy-5432ce11eb5dc2d2fee13f42f2e7f358f068dbc809adc4cee460a4456967fb15

    • Size

      68KB

    • MD5

      d45be67bb801540e16a3716ca586bd2e

    • SHA1

      4dad9a89e6f9c08df29f385699f2a5ee85de3225

    • SHA256

      5432ce11eb5dc2d2fee13f42f2e7f358f068dbc809adc4cee460a4456967fb15

    • SHA512

      0812d0a058480cd52b78f17df533ee13053f5461e3d250e4d2b62815d96ca4e4ae29db60887f9056b0d127ab749a5c4fcccfe12bde499c30dc049f8463fb3343

    • SSDEEP

      768:0T3AgtxMXId4p2ztDGjXkju0ovEPS52sDXigkbrwK+w0cUtmb/puCISwK:OAgtxqdmSQju0ovoSg0Kz0Yt

    Score
    1/10
    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.hy-9fd06d80534b729cca8ad2affa0be6b3108c6a117e7b20f81470b2c01335453b

    • Size

      45KB

    • MD5

      f7fdd0158fd87c040244df7fb3297488

    • SHA1

      1b592b3ecb835b867860c02d7a001aa12b7dbc94

    • SHA256

      9fd06d80534b729cca8ad2affa0be6b3108c6a117e7b20f81470b2c01335453b

    • SHA512

      b9d0b9219050ba9bb10e412877bacc9079c045d2a6c122354e8df47fc756b0cd1330db5a8f522bddcf71c357eded4f6ae31013bfaccfd3e9ecc69f299b8f3373

    • SSDEEP

      768:ROKz8O0JhNHrMhQeadacWOWhcW0JcWcZHZ+9f3FAVDUaXQ/IuO/6il0Ho6Zz9Wwq:n83NwQekacWVcW0JcWcBs36JUaXQ/IuY

    Score
    1/10
    • Target

      Malware.2024.10.31/HEUR.Backdoor.Linux.Gafgyt.hy-a0f145290eaa8b3b74d83702f391952617262388779aa607dbaac524b4567266

    • Size

      61KB

    • MD5

      51eced7c24260817e1ed7ccdd03f4818

    • SHA1

      2987660051abf78cdbd391a9e680ad42d1855f5a

    • SHA256

      a0f145290eaa8b3b74d83702f391952617262388779aa607dbaac524b4567266

    • SHA512

      c8e02863ccdb38be36320c3a5d2b702c3f2589b3a77e503d5f3b5c945a7e99f99d9fd5ffc35c81b587f92a1f5041cb2e8e411455bf7d4f7a8c8e48365975f8ab

    • SSDEEP

      1536:Ac38nquaYQekacWVcW0JcWcB502GUPCY2xrAUAG7D8Zf53Cw7/2:AcQq7YQekacWVcW0JcWcB62GUPh2iGEE

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upxratdefaultsolarafakecezervmprotectzartalremotehost-16465noprivpdflinkstealer41f1d4e9dfd92d46e8ae8d6acda187cafortnitecheatintexoffice04macromacro_on_action0hackedbackdoorqueda ツloaderphishingaspackv2xlmgh0stratberbewxtremeratgafgytmiraiasyncratxwormurelasremcoslummaamadeyvidargandcrabmimickaijihealerquasarcobaltstrikemetasploitnjratfloxifmofongoloaderblackmoonlokibotateraagentammyyadmin
Score
10/10

behavioral1

discovery
Score
6/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

discovery
Score
6/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

discovery
Score
6/10

behavioral12

discovery
Score
6/10

behavioral13

credential_accessdefense_evasiondiscovery
Score
9/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

credential_accessdefense_evasiondiscovery
Score
9/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10