Overview

overview

10

Static

static

10

a46aab76

ubuntu-22.04-amd64

4

chme

ubuntu-22.04-amd64

4

isots

ubuntu-24.04-amd64

6

mctes

ubuntu-18.04-amd64

1

mswc

ubuntu-24.04-amd64

1

netstat.gz

windows7-x64

1

netstat.gz

windows10-2004-x64

1

blue_helper

ubuntu-20.04-amd64

10

kerndiacet

ubuntu-24.04-amd64

10

systemctl

ubuntu-24.04-amd64

3

uptime

ubuntu-22.04-amd64

3

w

ubuntu-22.04-amd64

3

node1

ubuntu-22.04-amd64

1

pasuspende

ubuntu-18.04-amd64

6

pasuspende

debian-9-armhf

6

pasuspende

debian-9-mips

6

pasuspende

debian-9-mipsel

6

systemctl

ubuntu-18.04-amd64

1

uptime

ubuntu-24.04-amd64

3

w

ubuntu-24.04-amd64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sample.zip

  • Size

    6.5MB

  • Sample

    250319-gz8mpsxk19

  • MD5

    ee899d17be65610934e2d7598e12f5f0

  • SHA1

    bb25a619c06f6c5d619bacc0e188937dd5220e28

  • SHA256

    49290f83b42d99c5314f8bf07479509cc69fbf20586c1e5826fc739e6ad0889a

  • SHA512

    07dd8e41bcdb0af1ecf86682113c210970f74406ab06a87ec492b0e5349dfc21a687a47185aac4d113e6c9de403c0c87c0ba56f2111c44f6a090ed0e66b8ec95

  • SSDEEP

    196608:doo9EeF25UhbJ4DCTf8qFBe0VPrlYODXi:doo9EeLhbXTfvOU2ui

Score
10/10
xmrigxmrig_linuxantivmcredential_accessdefense_evasiondiscoveryexecutionlinuxminerprivilege_escalationrootkit

Malware Config

Targets

    • Target

      a46aab76

    • Size

      93KB

    • MD5

      9e7be1909caf15eaeba9cf844367699a

    • SHA1

      eccff0b4574c6f13c4049889b3fd45b385a611e6

    • SHA256

      194fdfa497496f0adba7eb6da98d3d023178d84ee9b137d7d9362ffae8a3b91a

    • SHA512

      39f9da1af1905e97ccc44572c8174d14889f8a3f66a852c350f5df3c303d177ac5304279e79293268a1b5c9481b0ffe01469c0a587eadf374cf0faaba4ab79cd

    • SSDEEP

      1536:us7Nq6zU8Jg0ogHDCVXSZ/a3laWBGbWs2dQhNbz0qB87UPDJqyMagq+TlH4CD7Vk:L7Nq6zU8i7OySQ3laWgb3CQPz1oUbIt4

    Score
    4/10
    behavioral1

    • Target

      chme

    • Size

      14KB

    • MD5

      d1b8293ff502f14d94a1c85e71a16509

    • SHA1

      a5ab41b4a2d4789729a5e27b72d18e168ecc020e

    • SHA256

      d2ae9517513b7c2a5fe91d2bbf2b229e886dceb6bd91681dd93fbff148679707

    • SHA512

      8c95a42f57e15fc32cede7ab5c09bad685dde79adafdc20015b0d4ff04ce77f22fb522193a3f1f4b3d65ff84b4a16ec715073db81a54004da0272abcc8f2e7f7

    • SSDEEP

      384:qoMQ2avXvn/3PHfXvn/3PHfayqC7ir4kqQm:34sXvn/3PHfXvn/3PHfayqC7kxbm

    Score
    4/10
    discovery
    behavioral2

    • Target

      isots

    • Size

      154KB

    • MD5

      d31d945767dd5a51e78ff0069533635f

    • SHA1

      64665a224f472b07778819f38ff5a300c1712eeb

    • SHA256

      7af5f6cda055b65e31298fe20ed4456a87d2ca92803552bc0d3422f0e1a1fda1

    • SHA512

      8efeb8df05338abbd4305fc48914a91012edc91c2f6423ba59f4e54303c867dc7c5723ee94ade118585aa6965cc888558e699533f4f9d5eeb22e45c57634a628

    • SSDEEP

      1536:lVVZidyDSsOKijSMQHiubRaPuFzbCPopEjApaSH0YnYHAznwfoORW3yfrEjucVBF:fidyKKijokmQPHcpaSHyftW3XUsNTf

    Score
    6/10
    discovery

    • Enumerates active TCP sockets

      Gets active TCP sockets from /proc virtual filesystem.

      discovery
    behavioral3

    • Target

      mctes

    • Size

      973KB

    • MD5

      0879239e580e52799f723334bad02c5a

    • SHA1

      102ac49f3639636e83d6486d6ac2502dde31e231

    • SHA256

      e4c23e2d5926e3ab70ba7f9eb65613fcc1a2cf1cad40be7f84d666543d1c63da

    • SHA512

      45516cebe071a52138cd68803752ea0f2271c312e20ffe4146099e27d05790c7df33ac798cfd5e7f3e0bce6b4b51f01d327ca296df76957a482598322047a32f

    • SSDEEP

      24576:nEb6E68PryT6RqgZpScCMeoiWzcb4YSEXEgkV9:nEb6E683MgZpScWET9

    Score
    1/10
    behavioral4

    • Target

      mswc

    • Size

      22KB

    • MD5

      53118cc1c0430495ddd7d21e8c1ec533

    • SHA1

      aa5c80480ff055c1d18b858d76e635930f72a0b9

    • SHA256

      6bd2c880e5ef87a6d20fbfebef5e6e176d02c77f9de796b049833b231e7d82a8

    • SHA512

      d6cf863d0c814a1d5e6fe337a0b709143d97096b3e18f0129f1091d2e01f8e7b8ce8f9b5158235bad7264f99856f974133590254e31505fa441df1cedb2e3c44

    • SSDEEP

      384:dHdzC/F91tldVNF91tldVNF91tIgo5QoAYwIg4QoAYwIg4Q3oxf59O3CHa2K4Z7m:dY/F91tldVNF91tldVNF91tIg4QoAYw1

    Score
    1/10
    behavioral5

    • Target

      netstat

    • Size

      4.3MB

    • MD5

      bed4d8947235ab7d8cb3ca8f1907d703

    • SHA1

      5694600d22a830f3fffdd18b82500c9b0ddab385

    • SHA256

      92871df5031884ded319b31ff8e4c855f4ddf60118361c8bc1dd411a6a92e2d3

    • SHA512

      83422506aca00ab2e13cf43ef099ec5bf5d03b6a1266e51d47e2885410766c05ef2200e759ec76e7130a57c74b23986b71e39b22deea1d7793dd5145cd9e3750

    • SSDEEP

      98304:g+jsMvRICPdDkXLmRRLJcXGMwHnm7EHfo2pAPXL2VVlMYt:BYkRF4X6RRLKXGtHmIbpcyVVv

    Score
    1/10
    behavioral6behavioral7

    • Target

      blue_helper

    • Size

      8.4MB

    • MD5

      64364c68af1f47395a411fbb3e43f5ce

    • SHA1

      8f663b71637952fa5c67f74fee27a029f66df6db

    • SHA256

      6aa9763ff750dafb1df79abcf6d97309150cca4eb37ccdfd58507b25955ed0bd

    • SHA512

      8e51657de022b1eff06fa74b447b7f8948cf0762e2d7ce75ec731c2e3b83e8f44c8514e9e57b982d47eefcc104d8e55b268a2f450e64a3c43e7ab5bd246999cf

    • SSDEEP

      196608:YZN7pipUgdWB4adoulftMHJ2i1heqD4XnuHZs:YZN7pipUgdWaadouHMHJF+nu

    Score
    10/10
    xmrig_linuxantivmdiscoveryminer

    • Xmrig_linux family

      xmrig_linux

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig_linux

    • Checks hardware identifiers (DMI)

      Checks DMI information which indicate if the system is a virtual machine.

      antivm

    • Reads hardware information

      Accesses system info like serial numbers, manufacturer names etc.

      discovery
    behavioral8

    • Target

      kerndiacet

    • Size

      1.3MB

    • MD5

      c6f82202d8623c30a012617ea42d8cc1

    • SHA1

      edbcb3d11cbe9b4c24b9452447d42e3b6337abae

    • SHA256

      f2adb0283ed8d61bcbad39af607621346d13a25ac42b8b94a20e9f5d4b6e0ffa

    • SHA512

      043449c6e055b188995d51d6c97be1f790c1208ce88a0132989160c57042ee717237d143e9b98e8ea38e26825e4029355963663132540b857ebf2778126a8b96

    • SSDEEP

      12288:rFKoaeSf3p7BHjYU9PQM2DNdBIdRUEksDszUeaXmy1GsX/jL8C10p5k:qeSf3p9Ht9PQM25dBIdmEkMs+oHCO

    Score
    10/10
    xmrig_linuxcredential_accessdefense_evasiondiscoveryexecutionminerprivilege_escalationrootkit

    • Xmrig_linux family

      xmrig_linux

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig_linux

    • Deletes journal logs

      Deletes systemd journal logs. Likely to evade detection.

      defense_evasion

    • Loads a kernel module

      Loads a Linux kernel module, potentially to achieve persistence

      rootkit

    • OS Credential Dumping

      Adversaries may attempt to dump credentials to use it in password cracking.

      credential_access

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

      privilege_escalationdefense_evasion

    • Deletes log files

      Deletes log files on the system.

      defense_evasion

    • Enumerates running processes

      Discovers information about currently running processes on the system

    • Reads list of loaded kernel modules

      Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

      defense_evasion
    behavioral9

    • Target

      systemctl

    • Size

      1.3MB

    • MD5

      d5462e5598d0598ed181b0e9d38ac9bc

    • SHA1

      5c169bcaedbc1b809d794bda1afc2dab9e9e08f1

    • SHA256

      f9cee6d2d8f5c66ce0676b46036866c416f349313260717fea13d4a62201792f

    • SHA512

      44b4b9404861f769abcc25aeb5d3ae3f222b837115b4c837f95f8849ec6d82a45c2ea4f2b8c33f89d706890941f99ebe822c780e7591cb9cc8a0dae9502a6c69

    • SSDEEP

      24576:5DsB7qCB0FwV8G10LzJYsN+m7QdXOA5K:S1q7FwqE0LzJYsN+m8dXr

    Score
    3/10
    discovery
    behavioral10

    • Target

      uptime

    • Size

      1.3MB

    • MD5

      3360733db8c342e4e27c386e439f19fd

    • SHA1

      d0eb93bcf9e275455fdb3f413c9bff0798175f7e

    • SHA256

      f3bf42a350f7ee3632cb7de5429d4788c685c6a8df5c8ff7016ddcef26c58756

    • SHA512

      f7d3c3dd3efa669ca7f8398d9f65a6b584119b86f2a27f0c9fb422f9170972dd9b54897614d3585f7b8ccb89dbe479636010897b92e86f73affe7c9d07f9a842

    • SSDEEP

      24576:k/MVGU9AEwutWTdz+1MSUNaFLNS1SuSSVCI0:kUoQAEw3Tdz+1MSUN+LNCr

    Score
    3/10
    discovery
    behavioral11

    • Target

      w

    • Size

      1.3MB

    • MD5

      ef05690556c20a3cb64227693f2c9ac1

    • SHA1

      563989d7787bc2e7c16636e3a9204c1a2edfca50

    • SHA256

      94c89c4417538bd1aae2e4887a495b90a53e37634ce87a4860647bda8b6ef193

    • SHA512

      fee165013ce7fe496d07efa2ccecf139fad50825edb57f7de13e90ec38f1cf540c4fd3f8995a49cdaf3eab96c470984f2f844f3ca78d8a05724b650cc376c479

    • SSDEEP

      24576:hUv+TVGHRJNZxvGQihrwTSBZBSOXDZApX:ha+TVGLNZYQihrwTSBZIOXD

    Score
    3/10
    discovery
    behavioral12

    • Target

      node1

    • Size

      14KB

    • MD5

      bf905b50ad1a0d027a364271dc2c363f

    • SHA1

      ece7e9e2ddf0d0c69e126dc725bed04a66933953

    • SHA256

      9849ded20dcea53f4bb4383c7d768af5f246b4a032925e8f58120350c738ca5b

    • SHA512

      71fa48cb4091af4e2552f0f46406ba2da26229217d01e5506a690cfea61927ef081f51480ce9facbb40132a0f6040dbd03406c80e9c4903508a8e35ecddc3371

    • SSDEEP

      384:2UB18wukn/3PHfayqC6SKiayqC6SKiay/1sxIFnUGMm:2k4kn/3PHfayqC6SKiayqC6SKiay/np5

    Score
    1/10
    behavioral13

    • Target

      pasuspende

    • Size

      168B

    • MD5

      2c2b5f7b2f1aa69edf0a10517d84a7c8

    • SHA1

      6952156c2a3d7fde285376da514ea36c040c567b

    • SHA256

      293d484c0785dd3d3ecc3c339a8826267a788632960380ec6b0ddd4dbb914c89

    • SHA512

      510cf90071b39862c741b05730bdfede694e181197a567cce52724409d9ef8543ce68fb1df8c3d01c6188089276b049ebf4ff64a4cc94ea3695c19183cb27e13

    Score
    6/10
    defense_evasiondiscoveryprivilege_escalation

    • Abuse Elevation Control Mechanism: Sudo and Sudo Caching

      Abuse sudo or cached sudo credentials to execute code.

      privilege_escalationdefense_evasion

    • Enumerates running processes

      Discovers information about currently running processes on the system

    behavioral14behavioral15behavioral16behavioral17

    • Target

      systemctl

    • Size

      1.3MB

    • MD5

      d5462e5598d0598ed181b0e9d38ac9bc

    • SHA1

      5c169bcaedbc1b809d794bda1afc2dab9e9e08f1

    • SHA256

      f9cee6d2d8f5c66ce0676b46036866c416f349313260717fea13d4a62201792f

    • SHA512

      44b4b9404861f769abcc25aeb5d3ae3f222b837115b4c837f95f8849ec6d82a45c2ea4f2b8c33f89d706890941f99ebe822c780e7591cb9cc8a0dae9502a6c69

    • SSDEEP

      24576:5DsB7qCB0FwV8G10LzJYsN+m7QdXOA5K:S1q7FwqE0LzJYsN+m8dXr

    Score
    1/10
    behavioral18

    • Target

      uptime

    • Size

      1.3MB

    • MD5

      3360733db8c342e4e27c386e439f19fd

    • SHA1

      d0eb93bcf9e275455fdb3f413c9bff0798175f7e

    • SHA256

      f3bf42a350f7ee3632cb7de5429d4788c685c6a8df5c8ff7016ddcef26c58756

    • SHA512

      f7d3c3dd3efa669ca7f8398d9f65a6b584119b86f2a27f0c9fb422f9170972dd9b54897614d3585f7b8ccb89dbe479636010897b92e86f73affe7c9d07f9a842

    • SSDEEP

      24576:k/MVGU9AEwutWTdz+1MSUNaFLNS1SuSSVCI0:kUoQAEw3Tdz+1MSUN+LNCr

    Score
    3/10
    discovery
    behavioral19

    • Target

      w

    • Size

      1.3MB

    • MD5

      ef05690556c20a3cb64227693f2c9ac1

    • SHA1

      563989d7787bc2e7c16636e3a9204c1a2edfca50

    • SHA256

      94c89c4417538bd1aae2e4887a495b90a53e37634ce87a4860647bda8b6ef193

    • SHA512

      fee165013ce7fe496d07efa2ccecf139fad50825edb57f7de13e90ec38f1cf540c4fd3f8995a49cdaf3eab96c470984f2f844f3ca78d8a05724b650cc376c479

    • SSDEEP

      24576:hUv+TVGHRJNZxvGQihrwTSBZBSOXDZApX:ha+TVGLNZYQihrwTSBZIOXD

    Score
    3/10
    discovery
    behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Unix Shell

1
T1059.004

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Sudo and Sudo Caching

1
T1548.003

Indicator Removal

2
T1070

Clear Linux or Mac System Logs

2
T1070.002

Virtualization/Sandbox Evasion

3
T1497

System Checks

2
T1497.001

Credential Access

OS Credential Dumping

1
T1003

/etc/passwd and /etc/shadow

1
T1003.008

Discovery

System Information Discovery

3
T1082

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

System Network Connections Discovery

1
T1049

Virtualization/Sandbox Evasion

3
T1497

System Checks

2
T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

minerxmrig
Score
10/10

behavioral1

Score
4/10

behavioral2

discovery
Score
4/10

behavioral3

discovery
Score
6/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

xmrig_linuxantivmdiscoveryminer
Score
10/10

behavioral9

xmrig_linuxcredential_accessdefense_evasiondiscoveryexecutionminerprivilege_escalationrootkit
Score
10/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

Score
1/10

behavioral14

defense_evasiondiscoveryprivilege_escalation
Score
6/10

behavioral15

defense_evasiondiscoveryprivilege_escalation
Score
6/10

behavioral16

defense_evasiondiscoveryprivilege_escalation
Score
6/10

behavioral17

defense_evasiondiscoveryprivilege_escalation
Score
6/10

behavioral18

Score
1/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10