Linux Analysis Report
dlr.x86.elf

Overview

General Information

Sample name: dlr.x86.elf
Analysis ID: 1644397
MD5: 9bf6edd0e616fccab3ed88cfceb9195b
SHA1: f26d85284f33f09722487aeffaa08cde36e80496
SHA256: 945e08108f98a85e02f6d28f22dde11071cd1b0b1658463808acb0aa7e29129f
Tags: elf, user-abuse_ch
Infos:

Detection

Score: 56
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Creates hidden files and/or directories
Creates hidden files without content (potentially used as a mutex)
HTTP GET or POST without a user agent
Sample has stripped symbol table
Yara signature match

Classification

Classification chart axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1644397
Start date and time: 2025-03-20 15:11:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: dlr.x86.elf
Detection: MAL
Classification: mal56.linELF@0/0@0/0
Command: /tmp/dlr.x86.elf
PID: 5552
Exit Code: 4
Exit Code Info:
Killed: False
Standard Output:
AAA
Standard Error:
  • system is lnxubuntu20
  • dlr.x86.elf (PID: 5552, Parent: 5471, MD5: 9bf6edd0e616fccab3ed88cfceb9195b) Arguments: /tmp/dlr.x86.elf
  • cleanup
Yara matches on the submitted file:
Source | Rule | Description | Author | Strings
dlr.x86.elf | Linux_Trojan_Mirai_88a1b067 | unknown | unknown | 0x91:$a: 00 00 00 55 89 E5 0F B6 55 08 0F B6 45 0C C1 E2 18 C1 E0 10

Yara matches on process memory dumps:
Source | Rule | Description | Author | Strings
5552.1.0000000008048000.0000000008049000.r-x.sdmp | Linux_Trojan_Mirai_88a1b067 | unknown | unknown | 0x91:$a: 00 00 00 55 89 E5 0F B6 55 08 0F B6 45 0C C1 E2 18 C1 E0 10
5552.1.0000000008049000.000000000804a000.rw-.sdmp | Linux_Trojan_Mirai_88a1b067 | unknown | unknown | 0x91:$a: 00 00 00 55 89 E5 0F B6 55 08 0F B6 45 0C C1 E2 18 C1 E0 10
No Suricata rule has matched

AV Detection

Source: dlr.x86.elf | Virustotal: Detection: 32%
Source: dlr.x86.elf | ReversingLabs: Detection: 47%
Source: global traffic | HTTP traffic detected: GET /bins/x86 HTTP/ | Data Raw: | Data Ascii:
Source: unknown | TCP traffic detected without corresponding DNS query: 156.253.227.12
Source: unknown | TCP traffic detected without corresponding DNS query: 156.253.227.12
Source: unknown | TCP traffic detected without corresponding DNS query: 156.253.227.12
Source: unknown | TCP traffic detected without corresponding DNS query: 156.253.227.12
Source: unknown | TCP traffic detected without corresponding DNS query: 156.253.227.12
Source: unknown | TCP traffic detected without corresponding DNS query: 156.253.227.12
Source: global traffic | HTTP traffic detected: GET /bins/x86 HTTP/ | Data Raw: | Data Ascii:

System Summary

Source: dlr.x86.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_88a1b067 Author: unknown
Source: 5552.1.0000000008048000.0000000008049000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_88a1b067 Author: unknown
Source: 5552.1.0000000008049000.000000000804a000.rw-.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_88a1b067 Author: unknown
Source: ELF static info symbol of initial sample | .symtab present: no
Source: dlr.x86.elf, type: SAMPLE | Matched rule: Linux_Trojan_Mirai_88a1b067 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 1a62db02343edda916cbbf463d8e07ec2ad4509fd0f15a5f6946d0ec6c332dd9, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b32b42975297aed7cef72668ee272a5cfb753dce7813583f0c3ec91e52f8601f, id = 88a1b067-11d5-4128-b763-2d1747c95eef, last_modified = 2021-09-16
Source: 5552.1.0000000008048000.0000000008049000.r-x.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_88a1b067 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 1a62db02343edda916cbbf463d8e07ec2ad4509fd0f15a5f6946d0ec6c332dd9, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b32b42975297aed7cef72668ee272a5cfb753dce7813583f0c3ec91e52f8601f, id = 88a1b067-11d5-4128-b763-2d1747c95eef, last_modified = 2021-09-16
Source: 5552.1.0000000008049000.000000000804a000.rw-.sdmp, type: MEMORY | Matched rule: Linux_Trojan_Mirai_88a1b067 severity = 100, os = linux, arch_context = x86, creation_date = 2021-06-28, scan_context = file, memory, reference = 1a62db02343edda916cbbf463d8e07ec2ad4509fd0f15a5f6946d0ec6c332dd9, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = b32b42975297aed7cef72668ee272a5cfb753dce7813583f0c3ec91e52f8601f, id = 88a1b067-11d5-4128-b763-2d1747c95eef, last_modified = 2021-09-16
Source: classification engine | Classification label: mal56.linELF@0/0@0/0
Source: /tmp/dlr.x86.elf (PID: 5552) | File: /tmp/.2351
Source: /tmp/dlr.x86.elf (PID: 5552) | Empty hidden file: /tmp/.2351
MITRE ATT&CK matrix (techniques with a match; the counts are the number of matching signatures, and unmatched matrix cells are omitted):
Tactic | Technique | Matches
Defense Evasion | Hide Artifacts | 1
Defense Evasion | Hidden Files and Directories | 1
Command and Control | Non-Application Layer Protocol | 1
Command and Control | Application Layer Protocol | 1
Command and Control | Ingress Tool Transfer | 1
No configs have been found

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
Behavior Graph (ID: 1644397; Sample: dlr.x86.elf; Start date: 20/03/2025; Architecture: LINUX; Score: 56)
  • Process: dlr.x86.elf (started)
  • DNS/IP Info: 156.253.227.12, ports 39034 and 80, POWERLINE-AS-AP POWERLINEDATACENTERHK, Seychelles
  • Signature: Malicious sample detected (through community Yara rule)
  • Signature: Multi AV Scanner detection for submitted file

Source | Detection | Scanner | Label
dlr.x86.elf | 32% | Virustotal |
dlr.x86.elf | 47% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches

No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
156.253.227.12 | unknown | Seychelles | 132839 | POWERLINE-AS-AP POWERLINEDATACENTERHK | false
IP context for 156.253.227.12:
Associated Sample Name / URL | Detection | Threat Name | Context
dlr.mpsl.elf | malicious | Unknown | /bins/mpsl
dlr.arm6.elf | malicious | Unknown | /bins/arm6
dlr.mips.elf | malicious | Unknown | /bins/mips
No context

ASN context for POWERLINE-AS-AP POWERLINEDATACENTERHK:
Associated Sample Name / URL | Detection | Threat Name | Context
dlr.mpsl.elf | malicious | Unknown | 156.253.227.12
dlr.arm6.elf | malicious | Unknown | 156.253.227.12
dlr.mips.elf | malicious | Unknown | 156.253.227.12
hoho.sparc.elf | malicious | Unknown | 45.202.220.126
dokument wysyłkowy faktury nr 52-FK-25.js | malicious | FormBook | 45.202.215.236
dokument wysyłkowy faktury nr 52-FK-25.js | malicious | FormBook | 45.202.215.236
EU-Business-Register 2024-2025·pdf.vbs | malicious | FormBook, GuLoader | 160.124.31.74
ID2025-019·pdf.vbs | malicious | FormBook, GuLoader | 160.124.31.74
PE2025-019·pdf.vbs | malicious | FormBook, GuLoader | 160.124.31.74
splspc.elf | malicious | Unknown | 154.193.113.237
No context
No created / dropped files found
File type: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 5.438643962626416
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name: dlr.x86.elf
File size: 1'180 bytes
MD5: 9bf6edd0e616fccab3ed88cfceb9195b
SHA1: f26d85284f33f09722487aeffaa08cde36e80496
SHA256: 945e08108f98a85e02f6d28f22dde11071cd1b0b1658463808acb0aa7e29129f
SHA512: 7ba79c4e39845037183b425cadd683889e117738ef19c9b7f05efcf80ee6be9d0b05c82ba6c11084ee6433ad911de71d524e245f75b3e5b199c2ac6e1e9db535
SSDEEP: 24:FlqMoJFHxgxEmceZGQleZ3eLjSJvd1wyGues9O7UruQQBVNfRh:fqxL+coGQlo3eLjYFxqss7IHQPN5h
TLSH: 6C21C2A7E1D4ED32D76200F662C6EF5723A5CE956016FF0B8A515402DD3A6D4C133274
File Content Preview:.ELF....................$...4...........4. ...(.....................................................................Q.td............................U....U...E...........M...E........].....................................U......u.j..D........U......u.j../.

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: Intel 80386
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x8048324
Flags: 0x0
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 980
Section Header Size: 40
Number of Section Headers: 5
Header String Table Index: 4
Section headers:
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.text | PROGBITS | 0x8048094 | 0x94 | 0x2e9 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x804837d | 0x37d | 0x34 | 0x1 | 0x32 | AMS | 0 | 0 | 1
.bss | NOBITS | 0x80493b4 | 0x3b4 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0x3b4 | 0x1e | 0x0 | 0x0 | | 0 | 0 | 1

Program headers:
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x8048000 | 0x8048000 | 0x3b1 | 0x3b1 | 5.8617 | 0x5 | R E | 0x1000 | | .text .rodata
LOAD | 0x3b4 | 0x80493b4 | 0x80493b4 | 0x0 | 0x4 | 0.0000 | 0x6 | RW | 0x1000 | | .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |

TCP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2025 15:12:16.415333033 CET | 39034 | 80 | 192.168.2.14 | 156.253.227.12
Mar 20, 2025 15:12:17.429341078 CET | 39034 | 80 | 192.168.2.14 | 156.253.227.12
Mar 20, 2025 15:12:17.632602930 CET | 80 | 39034 | 156.253.227.12 | 192.168.2.14
Mar 20, 2025 15:12:17.632885933 CET | 39034 | 80 | 192.168.2.14 | 156.253.227.12
Mar 20, 2025 15:12:17.633915901 CET | 39034 | 80 | 192.168.2.14 | 156.253.227.12
Mar 20, 2025 15:12:17.835814953 CET | 80 | 39034 | 156.253.227.12 | 192.168.2.14
Mar 20, 2025 15:12:38.361464977 CET | 80 | 39034 | 156.253.227.12 | 192.168.2.14
Mar 20, 2025 15:12:38.364425898 CET | 39034 | 80 | 192.168.2.14 | 156.253.227.12
Mar 20, 2025 15:12:38.367685080 CET | 39034 | 80 | 192.168.2.14 | 156.253.227.12
Mar 20, 2025 15:12:38.581732035 CET | 80 | 39034 | 156.253.227.12 | 192.168.2.14

HTTP sessions:
Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.14 | 39034 | 156.253.227.12 | 80

Timestamp | Bytes transferred | Direction | Data
Mar 20, 2025 15:12:17.633915901 CET | 32 | OUT | GET /bins/x86 HTTP/
Data Raw:
Data Ascii:


System Behavior

Start time (UTC): 14:12:16
Start date (UTC): 20/03/2025
Path: /tmp/dlr.x86.elf
Arguments: /tmp/dlr.x86.elf
File size: 1180 bytes
MD5 hash: 9bf6edd0e616fccab3ed88cfceb9195b