Analysis
max time kernel: 0s
max time network: 3s
platform: ubuntu-22.04_amd64
resource: ubuntu2204-amd64-20250307-en
resource tags: arch:amd64 arch:i386 image:ubuntu2204-amd64-20250307-en kernel:5.15.0-105-generic locale:en-us os:ubuntu-22.04-amd64 system
submitted: 18/03/2025, 19:20
Behavioral task: behavioral1
Sample: bert
Resource: ubuntu2204-amd64-20250307-en
General
Target: bert
Size: 102KB
MD5: 29a2cc59a9ebd334103ce146bca38522
SHA1: 4a4a58abebe37642c1ed3411e3154d1f68bca4d3
SHA256: c7efe9b84b8f48b71248d40143e759e6fc9c6b7177224eb69e0816cc2db393db
SHA512: 07537f8f8c6e89f188d0d0bce04ce5d8e51ef46cbbbb8b56bfa6fc2e0af094e9cdb89c14694e884c6644ff56d182263b9df60a62484df9b6d2df7d0ce1a9eb1f
SSDEEP: 3072:Lb+XxBHGVJgggwgggwgggwgggwggggmOrIlp:LrIl
Malware Config
Signatures
Manipulates ESXi (2 IoCs)
Manipulates ESXi.
pid   Process
1571  sh
1573  awk

Enumerates running processes
Discovers information about currently running processes on the system.

Reads CPU attributes (1 TTPs, 1 IoCs)
description               ioc                            Process
File opened for reading   /sys/devices/system/cpu/online  pkill
Writes file to tmp directory (27 IoCs)
Malware often drops required files in the /tmp directory.
Processes
- /tmp/bert (PID 1562)
  command: /tmp/bert
  signatures: Writes file to tmp directory
  - /bin/sh (PID 1563)
    command: sh -c "uname -a && echo \" | \" && hostname"
    - /usr/bin/uname (PID 1564)
      command: uname -a
    - /usr/bin/hostname (PID 1565)
      command: hostname
  - /bin/sh (PID 1566)
    command: sh -c "uname -a && echo \" | \" && hostname"
    - /usr/bin/uname (PID 1567)
      command: uname -a
    - /usr/bin/hostname (PID 1568)
      command: hostname
  - /bin/sh (PID 1569)
    command: sh -c "pkill -9 vmx-*"
    - /usr/bin/pkill (PID 1570)
      command: pkill -9 "vmx-*"
      signatures: Reads CPU attributes, Reads runtime system information
  - /bin/sh (PID 1571)
    command: sh -c "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}'"
    signatures: Manipulates ESXi
    - /usr/bin/awk (PID 1573)
      command: awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" \$1)}"
      signatures: Manipulates ESXi, Reads runtime system information
Network
MITRE ATT&CK Enterprise v15
Downloads
/tmp/systemd-private-ad2efc34db864b92b6baf7057352567c-upower.service-t86pyy/tmp/encrypted_by_bert-decrypt.txt
Filesize: 256B
MD5: e4f3a1de63b19ca06df4946e6eabf8e5
SHA1: 3257ed96207615e314714489a06eb69dde1fa0fe
SHA256: 1e3702a37ff22736442f73f7ded170b37e8f63f04d7198d3105b111a4d5dea70
SHA512: ab5ba53eb72c87eb9ba67bf560471d983f627fe2af8d8a518158dc91854a74ec21f4e8edf82d3351b8826c4d0cb5d41f609497183109168345654d17c5f9d532