Report #11629

Binary
ABI
ELFOSABI_SYSV
Size
15.35KB
Type
ET_EXEC
trid
50.1% ELF Executable and Linkable format
49.8% ELF Executable and Linkable format
type
ELF
Wordsize
32
Architecture
x86
Hashes
md5
fb59d42ebf94175f686e20af80f49a8a
sha1
9a662a3901cd93116a5d4db40181e9fa2f246bd9
crc32
0xa878553
sha224
43d4e10c867f7279c7d84e628092753904b7b7e191b7c0375ab3bc1d
sha256
97e8c0cf1838ca34ce8b52bfb48788f4709dd11e4df721c03a3a6033994db884
sha384
1bcb88048b3b814240e48164a2be72166b699f47a15fb5bad9e2cbd9971172d6db9d246164b1314f4f67048c5330f628
sha512
ca0911c7809508948288faf21289a3edd6c747e37e89fad5efb6093902ce002b18517a6fa25256f1327ba9f7e124505d0c1b458bc507d30941ac821f1a76b451
ssdeep
192:fkxcytygnGoGDxpM4wKVrfWxu3v3Zf15v2/PU0tlcCc84pzJ74:fjcyRjHVau3v3Zf15v2/BlZH4pC
Community
Google
False
HashLib
False
YARA
Matches
maldoc_getEIP_method_1, domain, contentis_base64, LinuxHacktool_eyes_pscan2, is__elf

Suspicious
True

Dwarf
List

Number
0
Files
Sys
../include/sys/cdefs.h, ../misc/sys/cdefs.h
Home

Proc

Password

Suspicious
True
Flags
Flags
0
Packer
List
None
Packed
False
Network
IPs

URLs
/lib/ld-linux.so.2
Mails

Suspicious
True
Strings
List
.rel.got
echo %s >> bindname.log &
libc.so.6
.rel.plt
/lib/ld-linux.so.2
Error: %s
__deregister_frame_info
__register_frame_info
check_sockets
init_sockets
Usage: %s <b-block> <port> [c-block]
Scan completed in %u seconds.
inet_addr
Unable to allocate socket.
%15s - %2u second(s)
socket@@GLIBC_2.0
__deregister_frame_info@@GLIBC_2.0
connect
__register_frame_info@@GLIBC_2.0
socket
system
.hash
cheq_ftp
long long int:t(0,6)=r(0,1);01000000000000000000000;0777777777777777777777;
long long unsigned int:t(0,7)=r(0,1);0000000000000;01777777777777777777777;
GLIBC_2.0
unsigned int:t(0,4)=r(0,1);0000000000000;0037777777777;
long int:t(0,3)=r(0,1);0020000000000;0017777777777;
completed.3
void:t(0,19)=(0,19)
.comment
gcc2_compiled.
gcc2_compiled.
object.8
__DTOR_END__
__CTOR_END__
__FRAME_END__
__dev_t:t(15,17)=(15,5)
__EH_FRAME_BEGIN__
__DTOR_LIST__
__CTOR_LIST__
_GLOBAL_OFFSET_TABLE_
_DYNAMIC
init_dummy
fini_dummy
frame_dummy
initfini.c
data_start
../intl/libintl.h
../include/xlocale.h
../include/locale.h
.dynamic
../locale/xlocale.h
../locale/locale.h
__gmon_start__
__gmon_start__
force_to_data
__errno_location
../misc/sys/cdefs.h
.note.ABI-tag
.gnu.version
.shstrtab
.eh_frame
_IO_stdin_used
_IO_stdin_used
crtstuff.c
.stabstr
__libc_start_main
__do_global_ctors_aux
__do_global_dtors_aux
.gnu.version_r
__data_start
.rodata
../include/libintl.h
../include/sys/cdefs.h
.interp
__bss_start
Invalid IP.
01.01
01.01
01.01
01.01
01.01
01.01
.symtab
pscan.c
.strtab
connlist
snprintf
u8hT
_edata
_etext
init.c
init.c
_fini
_init
.init
.fini
.dynstr
.dynsym

Symbols
List
initfini.c, gcc2_compiled., init.c, crtstuff.c, gcc2_compiled., p.2, __DTOR_LIST__, completed.3, __do_global_dtors_aux, __EH_FRAME_BEGIN__, fini_dummy, object.8, frame_dummy, init_dummy, force_to_data, __CTOR_LIST__, crtstuff.c, gcc2_compiled., __do_global_ctors_aux, __CTOR_END__, init_dummy, force_to_data, __DTOR_END__, __FRAME_END__, initfini.c, gcc2_compiled., pscan.c, gcc2_compiled., _DYNAMIC, _etext, __register_frame_info@@GLIBC_2.0, close@@GLIBC_2.0, _fp_hw, check_sockets, __errno_location@@GLIBC_2.0, system@@GLIBC_2.0, inet_ntoa@@GLIBC_2.0, _init, __deregister_frame_info@@GLIBC_2.0, fatal, time@@GLIBC_2.0, _start, init_sockets, inet_addr@@GLIBC_2.0, __bss_start, main, connlist, __libc_start_main@@GLIBC_2.0, data_start, printf@@GLIBC_2.0, _fini, fcntl@@GLIBC_2.0, snprintf@@GLIBC_2.0, cheq_ftp, exit@@GLIBC_2.0, atoi@@GLIBC_2.0, _edata, _GLOBAL_OFFSET_TABLE_, _end, htons@@GLIBC_2.0, memset@@GLIBC_2.0, connect@@GLIBC_2.0, _IO_stdin_used, sprintf@@GLIBC_2.0, __data_start, socket@@GLIBC_2.0, __gmon_start__
Number
96
Reason
None
Suspicious
False
Version
Version
EV_CURRENT
Foremost
Matches
None
Suspicious
False
Sections
List
, .interp, .note.ABI-tag, .hash, .dynsym, .dynstr, .gnu.version, .gnu.version_r, .rel.got, .rel.plt, .init, .plt, .text, .fini, .rodata, .data, .eh_frame, .ctors, .dtors, .got, .dynamic, .bss, .stab, .stabstr, .comment, .note, .shstrtab, .symtab, .strtab
Number
29
Suspicious
False
Segments
Number
6
Suspicious
False
Compilers
List
gcc2_compiled., /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/include/stddef.h, GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release), GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release), GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release), GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release), GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release), GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release), gcc2_compiled.
Identified
9
Suspicious
True
Functions
List
__register_frame_info, @GLIBC_2.0 (2), close, @GLIBC_2.0 (2), __errno_location, @GLIBC_2.0 (2), system, @GLIBC_2.0 (2), inet_ntoa, @GLIBC_2.0 (2), __deregister_frame_info, @GLIBC_2.0 (2), time, @GLIBC_2.0 (2), inet_addr, @GLIBC_2.0 (2), __libc_start_main, @GLIBC_2.0 (2), printf, @GLIBC_2.0 (2), fcntl, @GLIBC_2.0 (2), snprintf, @GLIBC_2.0 (2), exit, @GLIBC_2.0 (2), atoi, @GLIBC_2.0 (2), htons, @GLIBC_2.0 (2), memset, @GLIBC_2.0 (2), connect, @GLIBC_2.0 (2), _IO_stdin_used, sprintf, @GLIBC_2.0 (2), socket, @GLIBC_2.0 (2), __gmon_start__, initfini.c, gcc2_compiled., init.c, crtstuff.c, gcc2_compiled., p.2, __DTOR_LIST__, completed.3, __do_global_dtors_aux, __EH_FRAME_BEGIN__, fini_dummy, object.8, frame_dummy, init_dummy, force_to_data, __CTOR_LIST__, crtstuff.c, gcc2_compiled., __do_global_ctors_aux, __CTOR_END__, init_dummy, force_to_data, __DTOR_END__, __FRAME_END__, initfini.c, gcc2_compiled., pscan.c, gcc2_compiled., _DYNAMIC, _etext, __register_frame_info@@GLIBC_2.0, close@@GLIBC_2.0, _fp_hw, check_sockets, __errno_location@@GLIBC_2.0, system@@GLIBC_2.0, inet_ntoa@@GLIBC_2.0, _init, __deregister_frame_info@@GLIBC_2.0, fatal, time@@GLIBC_2.0, _start, init_sockets, inet_addr@@GLIBC_2.0, __bss_start, main, connlist, __libc_start_main@@GLIBC_2.0, data_start, printf@@GLIBC_2.0, _fini, fcntl@@GLIBC_2.0, snprintf@@GLIBC_2.0, cheq_ftp, exit@@GLIBC_2.0, atoi@@GLIBC_2.0, _edata, _GLOBAL_OFFSET_TABLE_, _end, htons@@GLIBC_2.0, memset@@GLIBC_2.0, connect@@GLIBC_2.0, _IO_stdin_used, sprintf@@GLIBC_2.0, __data_start, socket@@GLIBC_2.0, __gmon_start__
Present
True
Anti-Debug
Ptrace
False
Anti-disasm
False
Entry Point
Address
0x8048680
Suspicious
False
Embedded ELF
List
None
Identified
0
Program Header
Size
32
Number
6
Offset
52
Section Header
Size
40
Number
29
Offset
12168
AVclass
ramen
1
VirusTotal
md5
fb59d42ebf94175f686e20af80f49a8a
sha1
9a662a3901cd93116a5d4db40181e9fa2f246bd9
SCANS (DETECTION RATE = 70.18%)
AVG
result: ELF:Malware-gen
update: 20200807
version: 18.4.3895.0
detected: True

CMC
update: 20200807
version: 2.7.2019.1
detected: False

MAX
result: malware (ai score=98)
update: 20200807
version: 2019.9.16.1
detected: True

Bkav
update: 20200807
version: 1.3.0.9899
detected: False

K7GW
update: 20200807
version: 11.128.34925
detected: False

ALYac
result: Worm.Linux.Lion
update: 20200807
version: 1.1.1.5
detected: True

Avast
result: ELF:Malware-gen
update: 20200807
version: 18.4.3895.0
detected: True

Avira
result: LINUX/LionWorm.1
update: 20200807
version: 8.3.3.8
detected: True

Baidu
update: 20190318
version: 1.0.0.2
detected: False

Cynet
result: Malicious (score: 85)
update: 20200807
version: 4.0.0.24
detected: True

Cyren
result: Unix/Lion
update: 20200807
version: 6.3.0.2
detected: True

DrWeb
result: Linux.Trojan.Torn
update: 20200807
version: 7.0.46.3050
detected: True

GData
result: Worm.Linux.Lion
update: 20200807
version: A:25.26503B:27.19713
detected: True

Panda
update: 20200806
version: 4.6.4.2
detected: False

VBA32
update: 20200807
version: 4.4.1
detected: False

VIPRE
update: 20200807
version: 85756
detected: False

Zoner
update: 20200807
version: 0.0.0.0
detected: False

ClamAV
result: Unix.Worm.Ramen-1
update: 20200806
version: 0.102.4.0
detected: True

Comodo
result: Malware@#zjx824xjfp9s
update: 20200728
version: 32668
detected: True

Ikarus
result: Worm.Linux.Ramen
update: 20200807
version: 0.1.5.2
detected: True

McAfee
result: Linux/Lion.worm.a
update: 20200807
version: 6.0.6.653
detected: True

Rising
result: Worm.Linux.Ramen.si (CLASSIC)
update: 20200807
version: 25.0.0.26
detected: True

Sophos
result: Linux/Lion-A
update: 20200807
version: 4.98.0
detected: True

Yandex
result: Unix.Ramen.A2
update: 20200707
version: 5.5.2.24
detected: True

Zillya
result: Worm.Ramen.Linux.9
update: 20200806
version: 2.0.0.4149
detected: True

Arcabit
result: Worm.Linux.Lion
update: 20200807
version: 1.0.0.877
detected: True

Sangfor
result: Malware
update: 20200423
version: 1.0
detected: True

TACHYON
update: 20200807
version: 2020-08-07.02
detected: False

Tencent
result: Linux.Worm-net.Ramen.Eehd
update: 20200807
version: 1.0.0.1
detected: True

ViRobot
update: 20200807
version: 2014.3.20.0
detected: False

Ad-Aware
result: Worm.Linux.Lion
update: 20200807
version: 3.0.5.370
detected: True

Emsisoft
result: Worm.Linux.Lion (B)
update: 20200807
version: 2018.12.0.1641
detected: True

F-Secure
result: Malware.LINUX/LionWorm.1
update: 20200807
version: 12.0.86.52
detected: True

Fortinet
result: Unix/Ramen.A
update: 20200807
version: 6.2.142.0
detected: True

Jiangmin
result: Worm.Linux.Ramen.b
update: 20200807
version: 16.0.100
detected: True

Kingsoft
update: 20200807
version: 2013.8.14.323
detected: False

Symantec
result: SecurityRisk.gen1
update: 20200807
version: 1.11.0.0
detected: True

AhnLab-V3
result: Linux/Ramen.worm
update: 20200806
version: 3.18.1.10026
detected: True

Antiy-AVL
result: Worm[Net]/Linux.Ramen.b
update: 20200807
version: 3.0.0.1
detected: True

Kaspersky
result: Net-Worm.Linux.Ramen.b
update: 20200807
version: 15.0.1.13
detected: True

Microsoft
result: Worm:Linux/Lion
update: 20200807
version: 1.1.17300.4
detected: True

Qihoo-360
result: Linux/Worm.04f
update: 20200807
version: 1.0.0.1120
detected: True

ZoneAlarm
result: Net-Worm.Linux.Ramen.b
update: 20200807
version: 1.0
detected: True

ESET-NOD32
result: Linux/Ramen.C
update: 20200805
version: 21771
detected: True

TrendMicro
result: ELF_LION.15
update: 20200807
version: 11.0.0.1006
detected: True

BitDefender
result: Worm.Linux.Lion
update: 20200807
version: 7.2
detected: True

K7AntiVirus
update: 20200807
version: 11.128.34927
detected: False

SentinelOne
result: DFI - Malicious ELF
update: 20200725
version: 4.4.0.0
detected: True

Avast-Mobile
update: 20200807
version: 200807-00
detected: False

Malwarebytes
update: 20200807
version: 3.6.4.335
detected: False

TotalDefense
result: Linux/Lion
update: 20200807
version: 37.1.62.1
detected: True

CAT-QuickHeal
update: 20200807
version: 14.00
detected: False

NANO-Antivirus
result: Trojan.Elf32.Ramen.cmijl
update: 20200807
version: 1.0.134.25119
detected: True

BitDefenderTheta
update: 20200805
version: 7.2.37796.0
detected: False

MicroWorld-eScan
result: Worm.Linux.Lion
update: 20200807
version: 14.0.409.0
detected: True

SUPERAntiSpyware
update: 20200731
version: 5.6.0.1032
detected: False

TrendMicro-HouseCall
result: ELF_LION.15
update: 20200807
version: 10.0.0.1040
detected: True

total
57
sha256
97e8c0cf1838ca34ce8b52bfb48788f4709dd11e4df721c03a3a6033994db884
scan_id
97e8c0cf1838ca34ce8b52bfb48788f4709dd11e4df721c03a3a6033994db884-1596792412
resource
fb59d42ebf94175f686e20af80f49a8a
positives
40
scan_date
2020-08-07 09:26:52
verbose_msg
Scan finished, information embedded
response_code
1
Ltrace
Trace

Strace
Trace
4291 execve("./malware", ["./malware"]) = -1 ENOENT (No such file or directory)
4291 write(2, "strace: exec: No such file or di"..., 40) = 40
4291 exit_group(1) = ?

Analysis
Ltrace
Statically-compiled samples cannot be ltraced.

Reason
Timeout

Status
Success

Strace
Success

Results
True

DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS
False

TCP
False

UDP
False

HTTP
False

Binary
RF
confidence: 60.66%
suspicious: True
MLP
confidence: 62.56%
suspicious: True
SVM
confidence: 75.01%
suspicious: True