
Linux Analysis Report
arm7.elf

Overview

General Information

Sample name:arm7.elf
Analysis ID:1654180
MD5:4eb5ed90780e474d34edd0933644c52c
SHA1:c025eab3e481b50fb5064b6196aa03a7e3117bfb
SHA256:44ff52b0edd0d1cf3dbba6c6b0ea298c39673b7011726452a70698fd07866568
Tags:elfuser-abuse_ch
Infos:

Detection

Score:60
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
Performs DNS TXT record lookups
Uses STUN server to do NAT traversal
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1654180
Start date and time:2025-04-02 03:04:21 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 43s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:arm7.elf
Detection:MAL
Classification:mal60.troj.evad.linELF@0/2@4/0
  • VT rate limit hit for: kamru.ru
Command:/tmp/arm7.elf
PID:5438
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
For God so loved the world
Standard Error:
  • system is lnxubuntu20
  • arm7.elf (PID: 5438, Parent: 5362, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm7.elf
    • arm7.elf New Fork (PID: 5442, Parent: 5438)
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: arm7.elf | Virustotal: Detection: 15%
Source: arm7.elf | ReversingLabs: Detection: 16%

Networking

Source: global traffic | TCP traffic: 216.73.156.19 ports 0,1,50182,2,5,8
Source: global traffic | TCP traffic: 156.244.44.239 ports 35086,0,3,5,6,8
Source: unknown | DNS query: name: stun.l.google.com
Source: global traffic | TCP traffic: 192.168.2.13:55588 -> 156.244.44.239:35086
Source: global traffic | TCP traffic: 192.168.2.13:57852 -> 216.73.156.19:50182
Source: global traffic | UDP traffic: 192.168.2.13:47687 -> 74.125.250.129:19302
Source: /tmp/arm7.elf (PID: 5442) | Socket: 127.0.0.1:22448
Source: unknown | TCP traffic detected without corresponding DNS query: 156.244.44.239
Source: unknown | TCP traffic detected without corresponding DNS query: 216.73.156.19
Source: unknown | UDP traffic detected without corresponding DNS query: 208.67.222.222
Source: unknown | UDP traffic detected without corresponding DNS query: 208.67.220.220
Source: global traffic | DNS traffic detected: DNS query: kamru.ru
Source: global traffic | DNS traffic detected: DNS query: stun.l.google.com
Source: arm7.elf, 5438.1.00007fa67c035000.00007fa67c03f000.rw-.sdmp | String found in binary or memory: http://17365637265742070617373776F7264206D656D6F721/t/wget.sh
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal60.troj.evad.linELF@0/2@4/0
Source: /tmp/arm7.elf (PID: 5438) | Queries kernel information via 'uname'
Source: arm7.elf, 5438.1.00007fa67c035000.00007fa67c03f000.rw-.sdmp | Binary or memory string: vmwarem
Source: arm7.elf, 5438.1.00007fa67c035000.00007fa67c03f000.rw-.sdmp | Binary or memory string: vmware
Source: arm7.elf, 5438.1.00007fa67c035000.00007fa67c03f000.rw-.sdmp | Binary or memory string: qemu-arm
Source: arm7.elf, 5438.1.0000565103ef8000.0000565104047000.rw-.sdmp | Binary or memory string: QV!/etc/qemu-binfmt/arm
Source: arm7.elf, 5438.1.00007ffd112ff000.00007ffd11320000.rw-.sdmp | Binary or memory string: QV/tmp/qemu-open.3qUtTm:
Source: arm7.elf, 5438.1.0000565103ef8000.0000565104047000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: arm7.elf, 5438.1.00007ffd112ff000.00007ffd11320000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: arm7.elf, 5438.1.00007fa67c035000.00007fa67c03f000.rw-.sdmp | Binary or memory string: qemu-arm)Zm6vnZ5U4mf8vApyWcDwXR44ZAkzslsN)D
Source: arm7.elf, 5438.1.00007ffd112ff000.00007ffd11320000.rw-.sdmp | Binary or memory string: /tmp/qemu-open.3qUtTm
Source: arm7.elf, 5438.1.00007ffd112ff000.00007ffd11320000.rw-.sdmp | Binary or memory string: jx86_64/usr/bin/qemu-arm/tmp/arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm7.elf

HIPS / PFW / Operating System Protection Evasion

Source: Traffic | DNS traffic detected: queries for: kamru.ru
MITRE ATT&CK Matrix (a leading number gives the count of matched signatures for that technique; three techniques are listed per tactic):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses
Resource Development: Acquire Infrastructure | Domains | DNS Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
Defense Evasion: Direct Volume Access | Rootkit | Obfuscated Files or Information
Credential Access: 1 OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: 11 Security Software Discovery | Application Window Discovery | Query Registry
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive
Command and Control: 1 Non-Standard Port | 1 Non-Application Layer Protocol | 1 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact
No configs have been found
Behavior Graph (ID: 1654180, Sample: arm7.elf, Start date: 02/04/2025, Architecture: LINUX, Score: 60)

  • Process: arm7.elf started; it started a second arm7.elf process
  • Contacted: kamru.ru, stun.l.google.com, 3 other IPs or domains
  • Signatures on the sample: Multi AV Scanner detection for submitted file; Connects to many ports of the same IP (likely port scanning)
  • Signature on kamru.ru: Performs DNS TXT record lookups
  • Signature on stun.l.google.com: Uses STUN server to do NAT traversal

Source | Detection | Scanner | Label
arm7.elf | 16% | Virustotal |
arm7.elf | 17% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches
No Antivirus matches
No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
stun.l.google.com | 74.125.250.129 | true | false | | high
kamru.ru | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://17365637265742070617373776F7264206D656D6F721/t/wget.sh | arm7.elf, 5438.1.00007fa67c035000.00007fa67c03f000.rw-.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
216.73.156.19 | unknown | United States | 7029 | WINDSTREAMUS | true
74.125.250.129 | stun.l.google.com | United States | 15169 | GOOGLEUS | false
156.244.44.239 | unknown | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
Match | Associated Sample Name / URL | Detection | Threat Name
216.73.156.19 | mips.elf | malicious | Unknown
216.73.156.19 | ppc.elf | malicious | Unknown
216.73.156.19 | arm.elf | malicious | Unknown
216.73.156.19 | kmips.elf | malicious | Unknown
216.73.156.19 | mips.elf | malicious | Unknown
156.244.44.239 | mips.elf | malicious | Unknown
156.244.44.239 | kmips.elf | malicious | Unknown
156.244.44.239 | mips.elf | malicious | Unknown
156.244.44.239 | nimips.elf | malicious | Unknown
156.244.44.239 | sh4.elf | malicious | Unknown
156.244.44.239 | arm7.elf | malicious | Unknown
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
WINDSTREAMUS | mips.elf | malicious | Unknown | 216.73.156.19
WINDSTREAMUS | arm4.elf | malicious | Unknown | 209.92.198.134
WINDSTREAMUS | ppc.elf | malicious | Mirai | 66.0.246.92
WINDSTREAMUS | mpsl.elf | malicious | Unknown | 184.81.122.185
WINDSTREAMUS | mssecsvc.exe.exe | malicious | Wannacry | 207.106.28.14
WINDSTREAMUS | bimbo-m68k.elf | malicious | Unknown | 66.16.127.142
WINDSTREAMUS | bimbo-mpsl.elf | malicious | Unknown | 64.196.215.27
WINDSTREAMUS | bimbo-ppc.elf | malicious | Unknown | 71.16.36.149
WINDSTREAMUS | bimbo-x86.elf | malicious | Unknown | 209.254.199.0
WINDSTREAMUS | k03ldc.ppc.elf | malicious | Unknown | 71.23.128.33
POWERLINE-AS-APPOWERLINEDATACENTERHK | DHL_AWB#6078538091.exe | malicious | FormBook | 45.202.215.236
POWERLINE-AS-APPOWERLINEDATACENTERHK | DHL_AWB#6078538091.exe | malicious | FormBook | 45.202.215.236
POWERLINE-AS-APPOWERLINEDATACENTERHK | SecuriteInfo.com.Win32.BackdoorX-gen.8201.202.dll | malicious | GhostRat, Mimikatz | 103.215.212.130
POWERLINE-AS-APPOWERLINEDATACENTERHK | SecuriteInfo.com.Win32.BackdoorX-gen.3771.16165.dll | malicious | GhostRat, Mimikatz | 103.85.190.202
POWERLINE-AS-APPOWERLINEDATACENTERHK | .i.elf | malicious | Mirai | 154.202.132.183
POWERLINE-AS-APPOWERLINEDATACENTERHK | mips.elf | malicious | Unknown | 156.244.44.239
POWERLINE-AS-APPOWERLINEDATACENTERHK | ppc.elf | malicious | Unknown | 156.244.14.93
POWERLINE-AS-APPOWERLINEDATACENTERHK | arm.elf | malicious | Unknown | 156.244.14.93
POWERLINE-AS-APPOWERLINEDATACENTERHK | UuhANT$345432.exe | malicious | FormBook | 202.165.121.125
POWERLINE-AS-APPOWERLINEDATACENTERHK | boatnet.mpsl.elf | malicious | Mirai | 156.251.7.178
                              No context
                              No context
                              Process:/tmp/arm7.elf
                              File Type:data
                              Category:dropped
                              Size (bytes):14
                              Entropy (8bit):3.521640636343319
                              Encrypted:false
                              SSDEEP:3:TgiLG:TgiC
                              MD5:451AC90F7FA61D0393D6A5A02158D369
                              SHA1:5A7D458802462B80F94A9CDA24E2C877437A8E34
                              SHA-256:E2D543300D643CEF7698E750F74E8499993E346EF765FA2061EB5DFAF8D77E48
                              SHA-512:EF1D000F5B8BB5AFD4F6CB347FBE0FA0E97608B8C3839B6B44CB9828E5522396B334AE37148FCD2064A423B3DDD0C8874EF7019023A84B36E3893E50353F06FE
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:/tmp/arm7.elf.
                              Process:/tmp/arm7.elf
                              File Type:data
                              Category:dropped
                              Size (bytes):14
                              Entropy (8bit):3.521640636343319
                              Encrypted:false
                              SSDEEP:3:TgiLG:TgiC
                              MD5:451AC90F7FA61D0393D6A5A02158D369
                              SHA1:5A7D458802462B80F94A9CDA24E2C877437A8E34
                              SHA-256:E2D543300D643CEF7698E750F74E8499993E346EF765FA2061EB5DFAF8D77E48
                              SHA-512:EF1D000F5B8BB5AFD4F6CB347FBE0FA0E97608B8C3839B6B44CB9828E5522396B334AE37148FCD2064A423B3DDD0C8874EF7019023A84B36E3893E50353F06FE
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:/tmp/arm7.elf.
                              File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
                              Entropy (8bit):6.100455376952038
                              TrID:
                              • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                              File name:arm7.elf
                              File size:89'608 bytes
                              MD5:4eb5ed90780e474d34edd0933644c52c
                              SHA1:c025eab3e481b50fb5064b6196aa03a7e3117bfb
                              SHA256:44ff52b0edd0d1cf3dbba6c6b0ea298c39673b7011726452a70698fd07866568
                              SHA512:1d4757dfa478bca2ccc3d28930f2b16752c77b0d4337a67ffe663c871da2e72736b2760b4c35399e977fffc126801dc5550f1c1a6244147c7a3f84b79c7c25dd
                              SSDEEP:1536:pUnExipTRI1v8ODFtGlE6nKROZTYgJhrxWLa59IzMgq5hgTCluAiyYA60CdY7ea:F81R8v8ODFt8EcgE3Jh1WLa59IzMgFsP
                              TLSH:6993175AFC819B05D5D521BAFE4E128A33532BACE3EE7212DD245B2037CA55B0F7B412
                              File Content Preview:.ELF..............(.........4....[......4. ...(........p.V...........................................X...X...............X...X...X..4....r...............X...X...X..................Q.td..................................-...L..................@-.,@...0....S

                              ELF header

                              Class:ELF32
                              Data:2's complement, little endian
                              Version:1 (current)
                              Machine:ARM
                              Version Number:0x1
                              Type:EXEC (Executable file)
                              OS/ABI:UNIX - System V
                              ABI Version:0
                              Entry Point Address:0x8194
                              Flags:0x4000002
                              ELF Header Size:52
                              Program Header Offset:52
                              Program Header Size:32
                              Number of Program Headers:5
                              Section Header Offset:89008
                              Section Header Size:40
                              Number of Section Headers:15
                              Header String Table Index:14
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
(null) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x80d4 | 0xd4 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x80f0 | 0xf0 | 0x13e68 | 0x0 | 0x6 | AX | 0 | 0 | 16
.fini | PROGBITS | 0x1bf58 | 0x13f58 | 0x10 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x1bf68 | 0x13f68 | 0x1770 | 0x0 | 0x2 | A | 0 | 0 | 8
.ARM.extab | PROGBITS | 0x1d6d8 | 0x156d8 | 0x18 | 0x0 | 0x2 | A | 0 | 0 | 4
.ARM.exidx | ARM_EXIDX | 0x1d6f0 | 0x156f0 | 0x118 | 0x0 | 0x82 | AL | 2 | 0 | 4
.eh_frame | PROGBITS | 0x25808 | 0x15808 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.tbss | NOBITS | 0x2580c | 0x1580c | 0x8 | 0x0 | 0x403 | WAT | 0 | 0 | 4
.init_array | INIT_ARRAY | 0x2580c | 0x1580c | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.fini_array | FINI_ARRAY | 0x25810 | 0x15810 | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.got | PROGBITS | 0x25818 | 0x15818 | 0xa8 | 0x4 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x258c0 | 0x158c0 | 0x27c | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x25b3c | 0x15b3c | 0x6f60 | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0x15b3c | 0x73 | 0x0 | 0x0 | | 0 | 0 | 1
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
EXIDX | 0x156f0 | 0x1d6f0 | 0x1d6f0 | 0x118 | 0x118 | 4.5110 | 0x4 | R | 0x4 | | .ARM.exidx
LOAD | 0x0 | 0x8000 | 0x8000 | 0x15808 | 0x15808 | 6.1166 | 0x5 | R E | 0x8000 | | .init .text .fini .rodata .ARM.extab .ARM.exidx
LOAD | 0x15808 | 0x25808 | 0x25808 | 0x334 | 0x7294 | 4.1418 | 0x6 | RW | 0x8000 | | .eh_frame .tbss .init_array .fini_array .got .data .bss
TLS | 0x1580c | 0x2580c | 0x2580c | 0x0 | 0x8 | 0.0000 | 0x4 | R | 0x4 | | .tbss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


                              • Total Packets: 32
                              • 50182 undefined
                              • 35086 undefined
                              • 19302 undefined
                              • 53 (DNS)
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 03:05:12.206931114 CEST | 55588 | 35086 | 192.168.2.13 | 156.244.44.239
Apr 2, 2025 03:05:12.363228083 CEST | 35086 | 55588 | 156.244.44.239 | 192.168.2.13
Apr 2, 2025 03:05:12.363600016 CEST | 55588 | 35086 | 192.168.2.13 | 156.244.44.239
Apr 2, 2025 03:05:12.516664982 CEST | 35086 | 55588 | 156.244.44.239 | 192.168.2.13
Apr 2, 2025 03:05:12.523269892 CEST | 55588 | 35086 | 192.168.2.13 | 156.244.44.239
Apr 2, 2025 03:05:12.676834106 CEST | 35086 | 55588 | 156.244.44.239 | 192.168.2.13
Apr 2, 2025 03:05:12.677114964 CEST | 55588 | 35086 | 192.168.2.13 | 156.244.44.239
Apr 2, 2025 03:05:13.565812111 CEST | 55588 | 35086 | 192.168.2.13 | 156.244.44.239
Apr 2, 2025 03:05:13.722811937 CEST | 35086 | 55588 | 156.244.44.239 | 192.168.2.13
Apr 2, 2025 03:05:13.722829103 CEST | 35086 | 55588 | 156.244.44.239 | 192.168.2.13
Apr 2, 2025 03:05:13.723136902 CEST | 55588 | 35086 | 192.168.2.13 | 156.244.44.239
Apr 2, 2025 03:05:13.876734972 CEST | 35086 | 55588 | 156.244.44.239 | 192.168.2.13
Apr 2, 2025 03:05:14.828768969 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:05:15.840277910 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:05:16.008517027 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:05:16.008688927 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:05:16.174611092 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:05:16.174782991 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:05:16.342856884 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:05:16.342998981 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:05:17.205039024 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:05:17.367621899 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:05:32.220407963 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:05:32.379204035 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:05:32.379343987 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:05:32.550674915 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:05:51.427150011 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:05:51.586251974 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:05:51.586360931 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:05:51.755883932 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:06:11.252685070 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:06:11.440187931 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:06:11.440318108 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:06:11.638590097 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:06:13.126564980 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:06:13.126821041 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:06:28.749001980 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:06:28.917959929 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:06:28.918513060 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:06:29.081168890 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:06:46.907016039 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:06:47.070259094 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:06:47.070683002 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:06:47.456362963 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:06:47.621423960 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:07:06.093450069 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:07:06.264451027 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Apr 2, 2025 03:07:06.264803886 CEST | 57852 | 50182 | 192.168.2.13 | 216.73.156.19
Apr 2, 2025 03:07:06.436669111 CEST | 50182 | 57852 | 216.73.156.19 | 192.168.2.13
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 2, 2025 03:05:12.030899048 CEST | 48882 | 53 | 192.168.2.13 | 208.67.222.222
Apr 2, 2025 03:05:12.202532053 CEST | 53 | 48882 | 208.67.222.222 | 192.168.2.13
Apr 2, 2025 03:05:13.369925022 CEST | 48527 | 53 | 192.168.2.13 | 208.67.220.220
Apr 2, 2025 03:05:13.467473984 CEST | 53 | 48527 | 208.67.220.220 | 192.168.2.13
Apr 2, 2025 03:05:13.468138933 CEST | 47687 | 19302 | 192.168.2.13 | 74.125.250.129
Apr 2, 2025 03:05:13.564311981 CEST | 19302 | 47687 | 74.125.250.129 | 192.168.2.13
Apr 2, 2025 03:05:14.725244999 CEST | 48672 | 53 | 192.168.2.13 | 8.8.4.4
Apr 2, 2025 03:05:14.827729940 CEST | 53 | 48672 | 8.8.4.4 | 192.168.2.13
Apr 2, 2025 03:05:17.011034012 CEST | 53614 | 53 | 192.168.2.13 | 8.8.8.8
Apr 2, 2025 03:05:17.109021902 CEST | 53 | 53614 | 8.8.8.8 | 192.168.2.13
Apr 2, 2025 03:05:17.109316111 CEST | 33846 | 19302 | 192.168.2.13 | 74.125.250.129
Apr 2, 2025 03:05:17.204652071 CEST | 19302 | 33846 | 74.125.250.129 | 192.168.2.13
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 2, 2025 03:05:12.030899048 CEST | 192.168.2.13 | 208.67.222.222 | 0x75c | Standard query (0) | kamru.ru | TXT (16) | IN (0x0001) | false
Apr 2, 2025 03:05:13.369925022 CEST | 192.168.2.13 | 208.67.220.220 | 0xef8 | Standard query (0) | stun.l.google.com | A (IP address) | IN (0x0001) | false
Apr 2, 2025 03:05:14.725244999 CEST | 192.168.2.13 | 8.8.4.4 | 0x2200 | Standard query (0) | kamru.ru | TXT (16) | IN (0x0001) | false
Apr 2, 2025 03:05:17.011034012 CEST | 192.168.2.13 | 8.8.8.8 | 0xa26d | Standard query (0) | stun.l.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 2, 2025 03:05:12.202532053 CEST | 208.67.222.222 | 192.168.2.13 | 0x75c | No error (0) | kamru.ru | - | - | TXT (Text strings) | IN (0x0001) | false
Apr 2, 2025 03:05:13.467473984 CEST | 208.67.220.220 | 192.168.2.13 | 0xef8 | No error (0) | stun.l.google.com | - | 74.125.250.129 | A (IP address) | IN (0x0001) | false
Apr 2, 2025 03:05:14.827729940 CEST | 8.8.4.4 | 192.168.2.13 | 0x2200 | No error (0) | kamru.ru | - | - | TXT (Text strings) | IN (0x0001) | false
Apr 2, 2025 03:05:17.109021902 CEST | 8.8.8.8 | 192.168.2.13 | 0xa26d | No error (0) | stun.l.google.com | - | 74.125.250.129 | A (IP address) | IN (0x0001) | false
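The packet and DNS tables above are the raw material for the report's "connects to many ports", "DNS TXT record lookups" and "STUN" signatures, but the tables do not show the one property that matters most for triage: the client contacts 216.73.156.19:50182 in short bursts at a roughly constant spacing. The following Python is an added example written for this page, not code from the Joe Sandbox report. It copies the outbound TCP timestamps, the UDP flows and the DNS query types from the tables above, groups the outbound packets into bursts, measures the interval between bursts, and flags the TXT lookups for kamru.ru and the UDP traffic to stun.l.google.com on port 19302. The 5-second burst gap is an assumption chosen for this trace; the function names are hypothetical.

```python
"""Added example (not part of the Joe Sandbox report): beacon-interval and
lookup triage over the flow records listed in the report's network tables."""
from statistics import mean, pstdev

# Outbound TCP packets 192.168.2.13:57852 -> 216.73.156.19:50182; timestamps
# copied from the report's TCP table (all CEST, same day, so HH:MM:SS suffices).
TCP_OUTBOUND = [
    "03:05:16.174782991", "03:05:16.342998981", "03:05:17.205039024",
    "03:05:32.220407963", "03:05:32.379343987",
    "03:05:51.427150011", "03:05:51.586360931",
    "03:06:11.252685070", "03:06:11.440318108", "03:06:13.126821041",
    "03:06:28.749001980", "03:06:28.918513060",
    "03:06:46.907016039", "03:06:47.070683002", "03:06:47.456362963",
    "03:07:06.093450069", "03:07:06.264803886",
]

# Client-initiated UDP flows (src, sport, dst, dport) from the report's UDP table.
UDP_FLOWS = [
    ("192.168.2.13", 48882, "208.67.222.222", 53),
    ("192.168.2.13", 48527, "208.67.220.220", 53),
    ("192.168.2.13", 47687, "74.125.250.129", 19302),
    ("192.168.2.13", 48672, "8.8.4.4", 53),
    ("192.168.2.13", 53614, "8.8.8.8", 53),
    ("192.168.2.13", 33846, "74.125.250.129", 19302),
]

# DNS queries (name, numeric qtype) from the report's DNS query table.
DNS_QUERIES = [("kamru.ru", 16), ("stun.l.google.com", 1),
               ("kamru.ru", 16), ("stun.l.google.com", 1)]

QTYPE_TXT = 16        # DNS resource record type 16 is TXT
STUN_PORT = 19302     # destination port of the stun.l.google.com traffic in the report
BURST_GAP_S = 5.0     # assumption: packets closer than this belong to one burst


def parse_ts(ts):
    """'HH:MM:SS.fffffffff' -> seconds since midnight as a float.
    Done by hand because strptime's %f rejects nine fractional digits."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s + float("0." + frac)


def burst_starts(timestamps, gap=BURST_GAP_S):
    """Start time of each burst: a packet more than `gap` seconds after the
    previous one opens a new burst."""
    starts, prev = [], None
    for t in sorted(parse_ts(x) for x in timestamps):
        if prev is None or t - prev > gap:
            starts.append(t)
        prev = t
    return starts


def beacon_intervals(starts):
    """Seconds between consecutive burst starts."""
    return [b - a for a, b in zip(starts, starts[1:])]


def beacon_summary(timestamps):
    """Burst count and spacing statistics. Many bursts with a small
    jitter relative to the mean interval is the beaconing pattern."""
    intervals = beacon_intervals(burst_starts(timestamps))
    return {
        "bursts": len(intervals) + 1 if intervals else len(burst_starts(timestamps)),
        "mean_interval_s": mean(intervals) if intervals else 0.0,
        "jitter_s": pstdev(intervals) if len(intervals) > 1 else 0.0,
        "min_interval_s": min(intervals) if intervals else 0.0,
        "max_interval_s": max(intervals) if intervals else 0.0,
    }


def txt_lookups(queries):
    """Distinct names queried for TXT records (a common C2 retrieval channel)."""
    return sorted({name for name, qtype in queries if qtype == QTYPE_TXT})


def stun_flows(flows):
    """Distinct (dst, port) pairs that look like STUN, by the port seen in the report."""
    return sorted({(dst, dport) for _, _, dst, dport in flows if dport == STUN_PORT})


if __name__ == "__main__":
    print(beacon_summary(TCP_OUTBOUND))
    print("DNS TXT lookups:", txt_lookups(DNS_QUERIES))
    print("STUN flows:", stun_flows(UDP_FLOWS))
```

On this trace the script finds seven bursts spaced about 16 to 20 seconds apart with roughly a second of jitter, which is what turns a handful of TCP rows into a beaconing indicator; the TXT lookups for kamru.ru and the two STUN exchanges are the other two behaviours worth carrying into a detection rule.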

                              System Behavior

                              Start time (UTC):01:05:11
                              Start date (UTC):02/04/2025
                              Path:/tmp/arm7.elf
                              Arguments:-
                              File size:4956856 bytes
                              MD5 hash:5ebfcae4fe2471fcc5695c2394773ff1