Linux Analysis Report
pause

Overview

General Information

Sample name: pause
Analysis ID: 1560845
MD5: e56388f73341b3c8bb46fa793dd93115
SHA1: a379bad502bf673ba863e9c8e047396e6f5120a5
SHA256: b0753ac3525a72ce83df07621772d2d46ed28b8f55470026dd35039d7868308a
Infos:

Detection

Sliver
Score: 92
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Sliver Implants
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: pause Avira: detected
Multi AV Scanner detection for submitted file
Source: pause ReversingLabs: Detection: 75%
Machine Learning detection for sample
Source: pause Joe Sandbox ML: detected

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2852658 - Severity 1 - ETPRO MALWARE Sliver HTTP SessionInit Request : 192.168.2.23:60850 -> 157.245.137.49:23456
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 157.245.137.49 ports 23456,2,3,4,5,6
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 60850 -> 23456
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:60848 -> 157.245.137.49:23456
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.137.49
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.137.49
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.137.49
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.137.49
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.137.49
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.137.49
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.137.49
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.137.49
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.137.49
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.137.49
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.137.49
Source: unknown TCP traffic detected without corresponding DNS query: 157.245.137.49
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown HTTP traffic detected: POST /oauth2/database/db/db/namespaces/database/sign-up.html?cj=a79617963&m=6945c9077 HTTP/1.1Host: 157.245.137.49:23456User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4757.70 Safari/537.36Content-Length: 179Upgrade-Insecure-Requests: 1Accept-Encoding: gzipData Raw: 65 54 4b 66 61 61 61 61 61 61 61 63 5a 4e 30 49 61 36 74 5a 36 65 63 4d 6f 46 79 58 47 65 4d 51 44 69 7a 66 56 30 43 35 57 43 31 2b 39 4c 4f 71 76 51 55 74 42 58 50 5a 41 57 52 47 71 64 41 30 34 4f 41 38 79 70 73 47 75 53 49 53 44 61 70 42 76 56 77 79 46 4b 6a 4a 4f 7a 62 45 6a 43 69 4f 56 58 51 68 4e 62 38 47 4e 6b 4d 46 2d 6a 54 4b 4a 57 31 32 78 56 69 38 43 4a 4e 34 4f 75 4d 71 6e 68 43 76 73 73 73 49 51 47 4a 54 69 52 59 4f 4c 45 6b 4a 6a 52 4f 6b 32 56 4e 30 6e 63 36 78 45 6e 63 61 61 6d 5a 5a 79 5a 7a 6e 6e 73 47 61 61 61 61 Data Ascii: eTKfaaaaaaacZN0Ia6tZ6ecMoFyXGeMQDizfV0C5WC1+9LOqvQUtBXPZAWRGqdA04OA8ypsGuSISDapBvVwyFKjJOzbEjCiOVXQhNb8GNkMF-jTKJW12xVi8CJN4OuMqnhCvsssIQGJTiRYOLEkJjROk2VN0nc6xEncaamZZyZznnsGaaaa
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://157.245.137.49:23456
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://157.245.137.49:23456/
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://157.245.137.49:23456/oauth2/database/db/db/namespaces/database/sign-up.html
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://157.245.137.49:23456/oauth2/database/db/db/namespaces/database/sign-up.html?
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://157.245.137.49:23456/oauth2/database/db/db/namespaces/database/sign-up.html?cj=a79617963&m=69
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://157.245.137.49:23456/oauth2/database/db/db/namespaces/database/sign-up.php
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://157.245.137.49:23456/oauth2/database/db/db/namespaces/database/sign-up.phphttp://157.245.137.
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://157.245.137.49:23456Upgrade-Insecure-Requestscj=a79617963&m=6945c9077
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://cj=a79617963&m=HTTP/1.1cj=User-Agentcj=a79617963&m=
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: http://sign-up.php
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456/
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456/db/oauth2/db/namespaces/db/register.html
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456/db/oauth2/db/namespaces/db/register.html?
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456/db/oauth2/db/namespaces/db/register.html?b=5e7350053&sm=786q50267
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456/db/oauth2/db/namespaces/db/register.html?b=5e7350053&sm=786q50267User-A
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456/db/oauth2/db/namespaces/db/register.php
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456/db/oauth2/db/namespaces/db/register.phphttps://157.245.137.49:23456/db/
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456b=5e7350053&sm=786q50267
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456http://157.245.137.49:23456n
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456https://157.245.137.49:23456https://157.245.137.49:23456
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456https://157.245.137.49:23456https://157.245.137.49:23456https://157.245.
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.137.49:23456time:
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.https://
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://157.245.tls-time
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://6https://157.245.https://
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://b=5e7350053&sm=HTTP/1.1b=User-Agentb=5e7350053&sm=
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://force-httphost-headerproxy-password6https://https://157.245.setsockoptsetsockoptsetsockopt
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://https://157.245.setsockopt
Source: pause, 6215.1.000000c000000000.000000c000800000.rw-.sdmp String found in binary or memory: https://register.php
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: pause, type: SAMPLE Matched rule: Multi_Trojan_Bishopsliver_42298c4a Author: unknown
Source: pause, type: SAMPLE Matched rule: Detects Sliver implant cross-platform adversary emulation/red team Author: ditekSHen
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Yara signature match
Source: pause, type: SAMPLE Matched rule: Multi_Trojan_Bishopsliver_42298c4a reference_sample = 3b45aae401ac64c055982b5f3782a3c4c892bdb9f9a5531657d50c27497c8007, os = multi, severity = x86, creation_date = 2021-10-20, scan_context = file, memory, license = Elastic License v2, threat_name = Multi.Trojan.Bishopsliver, fingerprint = 0734b090ea10abedef4d9ed48d45c834dd5cf8e424886a5be98e484f69c5e12a, id = 42298c4a-fcea-4c5a-b213-32db00e4eb5a, last_modified = 2022-01-14
Source: pause, type: SAMPLE Matched rule: INDICATOR_TOOL_Sliver author = ditekSHen, description = Detects Sliver implant cross-platform adversary emulation/red team
Source: classification engine Classification label: mal92.troj.lin@0/0@0/0
Source: ELF file section Submission: pause

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 60850 -> 23456
Source: pause Binary or memory string: 4s7glSnFdvs9URU1YwqsB1jF6zjssD95h3VZnsGmOOeEK9sK_zvcEarsMzaIdN24sSafdEXxZsXFuj_vJ1saKQKPPH5sbnuARJIKscanAllocschedlinkschedtickschedwhensizeCachesizeclasssjb0zYOrWsleepStubsnoihyDAaspanclasssqeaz8EXWstFPDE8ksstackLockstartAddrstartLinesyscallpcsyscallspt1kOsyatjt6zY9KxFAtCTEG0IuatJQkUzO2_tMpQBha3_tQV_MAMOItWsyN7UsGt_L2JPmWYtextStarttkZ5XxCA1tracebacktypelinkstzEvkWN6ptzTiqcB4btzxJ9AHOXu41WqnzWlu5vZQv_wyu7plPGWShuHd_0d8L2uI2MZuGi4uT1mLrgmwuXlM0Slh_ucmJVRPojukGdavOCIunmarshaluuIIUEhgbuwLi3GimjuwRGxBqcQuzGmpyiPsv7EtqemUWvIbaNv0BYvWsP4Cu8LvXou9cR04vZ0p34mngv_RRi8CwHvhw23dlgFvjPC7ZQpovm8QDqJi9voWtznspXvuHjlkmpewCTFdpZRzwDkHP_JbvwE4FPILjmwQLz8BE3awQiog6BfWwSk9bI9zYwYBtbaRIkwaitsinceweskDB0kQwi8HUMz3iwl36kQKiMwmL_XeZKewwZw_obzpx7WBMj2XGxBMACl_E0xBnIGq1nZxChHe44hVxEf6w1ajUxFaT5lCSBxLeNGrm1bxSyJQgM_mxYttkoyDNx_FzZJ09Jx_LkPco_sxnEudW9gVxyO5xxW2qxzVi5gazhy6sRhJcF7y6yCHfCsXyC5hmok0TyDtOOwXlsyI6F4UbowyLb7YDT0CyRn0dAm3UyRof_CbWEyRsJYsXXpyUbQJVEIoy_V4XCG95y_zLVSdvxyeper6NzXyflaJ5jltygJa9OIwuygp41HFqayhyF052hEyl6fcWz11yslz8Cf6ryzQLEiSLsz1HgTo_zmz2bsByjIxz6sJPEwGHz8TtUg9kez94dWVCzVz9BjB7b1IzBV0uCaR_zCeuF34MMzFdbM1Cz5zJPotRYlizJRzK2Y5OzLs6jp15jzLvU8KyUyzQTqv0MB9zSexyP7zfzTmRRrB8x
Source: pause Binary or memory string: v7EtqemUW

Stealing of Sensitive Information
barindex
Yara detected Sliver Implants
Source: Yara match File source: pause, type: SAMPLE
Source: Yara match File source: 6215.1.000000000127a000.00000000012c5000.rw-.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pause PID: 6215, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Sliver Implants
Source: Yara match File source: pause, type: SAMPLE
Source: Yara match File source: 6215.1.000000000127a000.00000000012c5000.rw-.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pause PID: 6215, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
157.245.137.49
 unknown United States
14061 DIGITALOCEAN-ASNUS true
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://157.245.137.49:23456/oauth2/database/db/db/namespaces/database/sign-up.html?cj=a79617963&m=6945c9077 true
    		unknown