
Linux Analysis Report
ub8ehJSePAfc9FYqZIT6.i686.elf

Overview

General Information

Sample name:ub8ehJSePAfc9FYqZIT6.i686.elf
Analysis ID:1649630
MD5:ba44f08a5539f2ff023791d8fa5971ad
SHA1:e9ee840954010d76206bb79deaa187a020ba175b
SHA256:b5292146e8ab7b2454b1bb45370acf1a2f8ed9f315e3b59fd8c5752dd57f8b16
Tags:elfuser-abuse_ch

Detection

Score:68
Range:0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is packed with UPX
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1649630
Start date and time:2025-03-27 00:22:30 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 7s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:ub8ehJSePAfc9FYqZIT6.i686.elf
Detection:MAL
Classification:mal68.evad.linELF@0/0@0/0
Command:/tmp/ub8ehJSePAfc9FYqZIT6.i686.elf
PID:6265
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • cleanup
Source | Rule | Description | Author | Strings
6266.1.0000000008048000.000000000805c000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
6266.1.0000000008048000.000000000805c000.r-x.sdmp | Linux_Trojan_Mirai_3a56423b | unknown | unknown
  • 0x9ccb:$a: 24 1C 8B 44 24 20 0F B6 D0 C1 E8 08 89 54 24 24 89 44 24 20 BA 01 00
6266.1.0000000008048000.000000000805c000.r-x.sdmp | Linux_Trojan_Mirai_dab39a25 | unknown | unknown
  • 0x84ae:$a: 0E 75 20 50 6A 00 6A 00 6A 00 53 6A 0E FF 74 24 48 68 DD 00
6265.1.0000000008048000.000000000805c000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown
6265.1.0000000008048000.000000000805c000.r-x.sdmp | Linux_Trojan_Mirai_3a56423b | unknown | unknown
  • 0x9ccb:$a: 24 1C 8B 44 24 20 0F B6 D0 C1 E8 08 89 54 24 24 89 44 24 20 BA 01 00
No Suricata rule has matched


AV Detection

Source: ub8ehJSePAfc9FYqZIT6.i686.elf | Avira: detected
Source: ub8ehJSePAfc9FYqZIT6.i686.elf | Virustotal: Detection: 46%
Source: ub8ehJSePAfc9FYqZIT6.i686.elf | ReversingLabs: Detection: 58%

Networking

Source: global traffic | TCP traffic: 192.168.2.23:45352 -> 61.7.209.116:3778
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: ub8ehJSePAfc9FYqZIT6.i686.elf | String found in binary or memory: http://upx.sf.net
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: memory dumps 6265.1, 6266.1, 6267.1 and 6271.1 (.0000000008048000.000000000805c000.r-x.sdmp), type: MEMORY | Matched rules: Linux_Trojan_Gafgyt_28a2fe0c, Linux_Trojan_Mirai_3a56423b, Linux_Trojan_Mirai_dab39a25 (Author: unknown)
Source: Process Memory Space: ub8ehJSePAfc9FYqZIT6.i686.elf PIDs 6265, 6266, 6267 and 6271, type: MEMORYSTR | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c (Author: unknown)
Source: LOAD without section mappings | Program segment: 0xc01000
Rule metadata (identical for every dump and process memory space listed above):
  • Linux_Trojan_Gafgyt_28a2fe0c: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
  • Linux_Trojan_Mirai_3a56423b: os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
  • Linux_Trojan_Mirai_dab39a25: reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26
Source: classification engine | Classification label: mal68.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: ub8ehJSePAfc9FYqZIT6.i686.elfSubmission file: segment LOAD with 7.9625 entropy (max. 8.0)
MITRE ATT&CK Matrix

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: 11 Obfuscated Files or Information; Rootkit; Obfuscated Files or Information
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: System Service Discovery; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No configs have been found
Behavior Graph

Behavior Graph ID: 1649630
Sample: ub8ehJSePAfc9FYqZIT6.i686.elf
Startdate: 27/03/2025
Architecture: LINUX
Score: 68

Network nodes:
  • 109.202.202.202, port 80, INIT7CH, Switzerland
  • 61.7.209.116, ports 3778, 45352, 45354, CAT-APTheCommunicationAuthoityofThailandCATTH, Thailand
  • 2 other IPs or domains

Signatures on the root node:
  • Malicious sample detected (through community Yara rule)
  • Antivirus / Scanner detection for submitted sample
  • Multi AV Scanner detection for submitted file
  • Sample is packed with UPX

Process tree:
  • ub8ehJSePAfc9FYqZIT6.i686.elf (started)
    • ub8ehJSePAfc9FYqZIT6.i686.elf (started)
      • ub8ehJSePAfc9FYqZIT6.i686.elf (started)
      • ub8ehJSePAfc9FYqZIT6.i686.elf (started)
    • ub8ehJSePAfc9FYqZIT6.i686.elf (started)
    • ub8ehJSePAfc9FYqZIT6.i686.elf (started)
Source / Detection / Scanner / Label
  • ub8ehJSePAfc9FYqZIT6.i686.elf: 46%, Virustotal
  • ub8ehJSePAfc9FYqZIT6.i686.elf: 58%, ReversingLabs, Linux.Backdoor.Mirai
  • ub8ehJSePAfc9FYqZIT6.i686.elf: 100%, Avira, LINUX/AVA.Mirai.wzurc
No Antivirus matches
No Antivirus matches
No Antivirus matches


No contacted domains info
Name / Source / Malicious / Antivirus Detection / Reputation
  • http://upx.sf.net: source ub8ehJSePAfc9FYqZIT6.i686.elf, malicious: false, reputation: high
IP / Domain / Country / ASN / ASN Name / Malicious
  • 109.202.202.202: unknown, Switzerland, 13030, INIT7CH, false
  • 61.7.209.116: unknown, Thailand, 9931, CAT-APTheCommunicationAuthoityofThailandCATTH, false
  • 91.189.91.43: unknown, United Kingdom, 41231, CANONICAL-ASGB, false
  • 91.189.91.42: unknown, United Kingdom, 41231, CANONICAL-ASGB, false
IP context (Match: Associated Sample Name / URL, Detection, Threat Name, Context)

109.202.202.202
  • kpLwzBouH4.elf: malicious, Unknown; context: ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb

61.7.209.116
  • ub8ehJSePAfc9FYqZIT6.mpsl.elf: malicious, Unknown
  • ub8ehJSePAfc9FYqZIT6.mips.elf: malicious, Unknown
  • ub8ehJSePAfc9FYqZIT6.x86.elf: malicious, Unknown
  • cbot.exe: malicious, Unknown
  • raw_cbot.exe: malicious, Unknown
  • cbot.exe: malicious, Unknown
  • raw_cbot.exe: malicious, Unknown

91.189.91.43
  • efea6.elf: malicious, Mirai
  • na.elf: malicious, Prometei
  • na.elf: malicious, Prometei
  • na.elf: malicious, Prometei
  • arm5.elf: malicious, Unknown
  • arm5.elf: malicious, Unknown
  • rjfe686.elf: malicious, Unknown
  • mpsl.elf: malicious, Unknown
  • .i.elf: malicious, Unknown
  • eehah4.elf: malicious, Unknown

91.189.91.42
  • efea6.elf: malicious, Mirai
  • na.elf: malicious, Prometei
  • na.elf: malicious, Prometei
  • na.elf: malicious, Prometei
  • arm5.elf: malicious, Unknown
  • na.elf: malicious, Prometei
  • arm5.elf: malicious, Unknown
  • rjfe686.elf: malicious, Unknown
  • mpsl.elf: malicious, Unknown
  • .i.elf: malicious, Unknown
                                                          No context
ASN context (Match: Associated Sample Name / URL, Detection, Threat Name, Context IP)

CANONICAL-ASGB
  • efea6.elf: malicious, Mirai; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
  • arm5.elf: malicious, Unknown; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
  • arm5.elf: malicious, Unknown; 91.189.91.42
  • rjfe686.elf: malicious, Unknown; 91.189.91.42
  • mpsl.elf: malicious, Unknown; 91.189.91.42
  • .i.elf: malicious, Unknown; 91.189.91.42

CANONICAL-ASGB
  • efea6.elf: malicious, Mirai; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
  • arm5.elf: malicious, Unknown; 91.189.91.42
  • na.elf: malicious, Prometei; 91.189.91.42
  • arm5.elf: malicious, Unknown; 91.189.91.42
  • rjfe686.elf: malicious, Unknown; 91.189.91.42
  • mpsl.elf: malicious, Unknown; 91.189.91.42
  • .i.elf: malicious, Unknown; 91.189.91.42

CAT-APTheCommunicationAuthoityofThailandCATTH
  • ub8ehJSePAfc9FYqZIT6.mpsl.elf: malicious, Unknown; 61.7.209.116
  • ub8ehJSePAfc9FYqZIT6.mips.elf: malicious, Unknown; 61.7.209.116
  • ub8ehJSePAfc9FYqZIT6.x86.elf: malicious, Unknown; 61.7.209.116
  • cbot.exe: malicious, Unknown; 61.7.209.116
  • raw_cbot.exe: malicious, Unknown; 61.7.209.116
  • cbot.exe: malicious, Unknown; 61.7.209.116
  • raw_cbot.exe: malicious, Unknown; 61.7.209.116
  • ub8ehJSePAfc9FYqZIT6.mpsl.elf: malicious, Unknown; 61.7.209.115
  • ub8ehJSePAfc9FYqZIT6.mips.elf: malicious, Unknown; 61.7.209.115
  • ub8ehJSePAfc9FYqZIT6.arm7.elf: malicious, Mirai; 61.7.209.115

INIT7CH
  • efea6.elf: malicious, Mirai; 109.202.202.202
  • na.elf: malicious, Prometei; 109.202.202.202
  • na.elf: malicious, Prometei; 109.202.202.202
  • na.elf: malicious, Prometei; 109.202.202.202
  • arm5.elf: malicious, Unknown; 109.202.202.202
  • na.elf: malicious, Prometei; 109.202.202.202
  • arm5.elf: malicious, Unknown; 109.202.202.202
  • rjfe686.elf: malicious, Unknown; 109.202.202.202
  • mpsl.elf: malicious, Unknown; 109.202.202.202
  • .i.elf: malicious, Unknown; 109.202.202.202
No context
No context
No created / dropped files found
File type:ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):7.960756029051824
TrID:
  • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
  • ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:ub8ehJSePAfc9FYqZIT6.i686.elf
File size:38'304 bytes
MD5:ba44f08a5539f2ff023791d8fa5971ad
SHA1:e9ee840954010d76206bb79deaa187a020ba175b
SHA256:b5292146e8ab7b2454b1bb45370acf1a2f8ed9f315e3b59fd8c5752dd57f8b16
SHA512:15682f1f3b24a1848e82fa71a9c65a7dcd6b0dc2d2c162ae7653c335306bce13194db9532a5ced94b9798cdf36f27880c9530e0666a9185bd5dcec18f852882f
SSDEEP:768:nwtA4ek15KslGiOmNcS0zWeC1Zrd4Q57IrstnbcuyD7UHQRjj:nwtAA153K08zpCPHkAnouy8HyX
TLSH:E303F118E6BB2CC0D6CE41F50DAA2E6B0A806E6D534495EE8BCC34770C07E58DB01B43
File Content Preview:.ELF........................4...........4. ...(.....................................................................Q.td.............................-[.UPX!.........B...B......W..........?..k.I/.j....\.W'"....)....4go.|.>#.....{~vx...A.Zg..3~........2..R.

ELF header

Class:ELF32
Data:2's complement, little endian
Version:1 (current)
Machine:Intel 80386
Version Number:0x1
Type:EXEC (Executable file)
OS/ABI:UNIX - Linux
ABI Version:0
Entry Point Address:0xc092b0
Flags:0x0
ELF Header Size:52
Program Header Offset:52
Program Header Size:32
Number of Program Headers:3
Section Header Offset:0
Section Header Size:40
Number of Section Headers:0
Header String Table Index:0

Program headers (Type / Offset / Virtual Address / Physical Address / File Size / Memory Size / Entropy / Flags / Flags Description / Align / Prog Interpreter / Section Mappings)
  • LOAD: 0x0, 0xc01000, 0xc01000, 0x94a4, 0x94a4, 7.9625, 0x5, R E, 0x1000, -, -
  • LOAD: 0xc08, 0x805cc08, 0x805cc08, 0x0, 0x0, 0.0000, 0x6, RW, 0x1000, -, -
  • GNU_STACK: 0x0, 0x0, 0x0, 0x0, 0x0, 0.0000, 0x6, RW, 0x4, -, -


• Total Packets: 52
• 3778 undefined
• 443 (HTTPS)
• 80 (HTTP)

Timestamp / Source Port / Dest Port / Source IP / Dest IP
Mar 27, 2025 00:23:39.738466024 CET  43928  443  192.168.2.23  91.189.91.42
Mar 27, 2025 00:23:41.256088018 CET  45352  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:23:41.614034891 CET  3778  45352  61.7.209.116  192.168.2.23
Mar 27, 2025 00:23:45.369744062 CET  42836  443  192.168.2.23  91.189.91.43
Mar 27, 2025 00:23:47.220256090 CET  45354  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:23:47.575807095 CET  3778  45354  61.7.209.116  192.168.2.23
Mar 27, 2025 00:23:50.617273092 CET  45356  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:23:50.973138094 CET  3778  45356  61.7.209.116  192.168.2.23
Mar 27, 2025 00:23:55.975322008 CET  45358  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:23:56.335911989 CET  3778  45358  61.7.209.116  192.168.2.23
Mar 27, 2025 00:23:56.579274893 CET  45360  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:23:56.941479921 CET  3778  45360  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:00.215692043 CET  43928  443  192.168.2.23  91.189.91.42
Mar 27, 2025 00:24:01.943365097 CET  45362  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:02.302853107 CET  3778  45362  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:02.336606026 CET  45364  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:02.691641092 CET  3778  45364  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:04.311039925 CET  42516  80  192.168.2.23  109.202.202.202
Mar 27, 2025 00:24:04.693011045 CET  45366  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:05.047671080 CET  3778  45366  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:07.065120935 CET  45368  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:07.432351112 CET  3778  45368  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:08.303973913 CET  45370  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:08.669253111 CET  3778  45370  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:10.671773911 CET  45372  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:11.039378881 CET  3778  45372  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:12.501804113 CET  42836  443  192.168.2.23  91.189.91.43
Mar 27, 2025 00:24:13.041374922 CET  45374  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:14.069823027 CET  45374  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:14.424952984 CET  3778  45374  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:15.439477921 CET  45376  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:15.804200888 CET  3778  45376  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:19.806201935 CET  45378  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:20.158205986 CET  3778  45378  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:22.426353931 CET  45380  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:22.788654089 CET  3778  45380  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:26.790885925 CET  45382  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:27.156405926 CET  3778  45382  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:30.159593105 CET  45384  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:30.512933016 CET  3778  45384  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:36.515218019 CET  45386  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:36.867238045 CET  3778  45386  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:37.157769918 CET  45388  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:37.510138988 CET  3778  45388  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:41.169938087 CET  43928  443  192.168.2.23  91.189.91.42
Mar 27, 2025 00:24:42.869784117 CET  45390  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:43.227308035 CET  3778  45390  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:43.511890888 CET  45392  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:43.864398956 CET  3778  45392  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:49.866039991 CET  45394  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:50.225826025 CET  3778  45394  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:51.229110003 CET  45396  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:51.584671021 CET  3778  45396  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:57.586720943 CET  45398  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:57.944178104 CET  3778  45398  61.7.209.116  192.168.2.23
Mar 27, 2025 00:24:58.226912975 CET  45400  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:24:58.587723017 CET  3778  45400  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:04.589351892 CET  45402  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:04.942682028 CET  3778  45402  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:04.945697069 CET  45404  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:05.298499107 CET  3778  45404  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:11.944950104 CET  45406  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:12.299515963 CET  3778  45406  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:12.300671101 CET  45408  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:12.657428980 CET  3778  45408  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:14.659866095 CET  45410  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:15.014244080 CET  3778  45410  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:16.018594980 CET  45412  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:16.384764910 CET  3778  45412  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:19.302074909 CET  45414  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:19.663594961 CET  3778  45414  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:21.669007063 CET  45416  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:22.021848917 CET  3778  45416  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:23.023894072 CET  45418  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:23.387480974 CET  3778  45418  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:25.386384010 CET  45420  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:25.741695881 CET  3778  45420  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:29.743974924 CET  45422  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:30.104361057 CET  3778  45422  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:32.108019114 CET  45424  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:32.390348911 CET  45426  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:32.462524891 CET  3778  45424  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:32.756491899 CET  3778  45426  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:36.758838892 CET  45428  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:37.120872021 CET  3778  45428  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:39.126396894 CET  45430  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:39.493396044 CET  3778  45430  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:40.469034910 CET  45432  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:40.815937996 CET  3778  45432  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:43.819241047 CET  45434  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:44.172416925 CET  3778  45434  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:47.496678114 CET  45436  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:47.855393887 CET  3778  45436  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:50.858920097 CET  45438  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:51.219091892 CET  3778  45438  61.7.209.116  192.168.2.23
Mar 27, 2025 00:25:52.174487114 CET  45440  3778  192.168.2.23  61.7.209.116
Mar 27, 2025 00:25:52.534818888 CET  3778  45440  61.7.209.116  192.168.2.23

System Behavior

Start time (UTC):23:23:40
Start date (UTC):26/03/2025
Path:/tmp/ub8ehJSePAfc9FYqZIT6.i686.elf
Arguments:/tmp/ub8ehJSePAfc9FYqZIT6.i686.elf
File size:38304 bytes
MD5 hash:ba44f08a5539f2ff023791d8fa5971ad

Start time (UTC):23:23:40
Start date (UTC):26/03/2025
Path:/tmp/ub8ehJSePAfc9FYqZIT6.i686.elf
Arguments:-
File size:38304 bytes
MD5 hash:ba44f08a5539f2ff023791d8fa5971ad

Start time (UTC):23:23:40
Start date (UTC):26/03/2025
Path:/tmp/ub8ehJSePAfc9FYqZIT6.i686.elf
Arguments:-
File size:38304 bytes
MD5 hash:ba44f08a5539f2ff023791d8fa5971ad

Start time (UTC):23:23:40
Start date (UTC):26/03/2025
Path:/tmp/ub8ehJSePAfc9FYqZIT6.i686.elf
Arguments:-
File size:38304 bytes
MD5 hash:ba44f08a5539f2ff023791d8fa5971ad

Start time (UTC):23:23:46
Start date (UTC):26/03/2025
Path:/tmp/ub8ehJSePAfc9FYqZIT6.i686.elf
Arguments:-
File size:38304 bytes
MD5 hash:ba44f08a5539f2ff023791d8fa5971ad

Start time (UTC):23:23:46
Start date (UTC):26/03/2025
Path:/tmp/ub8ehJSePAfc9FYqZIT6.i686.elf
Arguments:-
File size:38304 bytes
MD5 hash:ba44f08a5539f2ff023791d8fa5971ad