Report #11678

Binary
  ABI: ELFOSABI_SYSV
  Size: 1.25KB
  Type: ET_EXEC
  trid: 50.1% ELF Executable and Linkable format; 49.8% ELF Executable and Linkable format
  type: ELF
  Wordsize: 32
  Architecture: x86
  Hashes
    md5: 4ffa98be139a46a8df51c887e2a01e89
    sha1: 6f4b82b8357e5c5a74cc83f1a50b95eb48c6e528
    crc32: 0x9145b011
    sha224: 8c3317633da187e1e3a751e4b6481f38d4c16a96fbe2907fb531c8f7
    sha256: 669ebf73740049adacd81c3fe0542fcb902c5ac2a0ffe970bcc5ed26fd00543c
    sha384: b02eb3b79798677da5fc057e69d733d7ccd1bb6a97a9f07c84c78e05c06b1ffc2d4cd9a03c1fbc1adeea17b5181c2256
    sha512: 57e9142d359ff1034ebc6a8e2ec5a790c10efec2c8245aea2064e7f32a0d436e9b729ce4ec47ccdbce6a4ef6b3f8d5724dad52c1ecfd3db60596988fb30ac650
    ssdeep: 12:Bnlsz//gDojrEj1bp9XGCJYGnQeEX6om8u+aqzW1ppIDlDWiA4w/NLIaEwc6Mqwz:Fl8soj+t9XGcQh6ooelDWiQNMaEwc6O
Community
  Google: False
  HashLib: False

YARA
  Matches: domain, is__elf
  Suspicious: True

Dwarf
  List: (empty)
  Number: 0

Files
  Sys: (empty)
  Home: (empty)
  Proc: (empty)
  Password: (empty)
  Suspicious: False

Flags
  Flags: 0

Packer
  List: None
  Packed: False
Network
  IPs: (empty)
  URLs: (empty)
  Mails: (empty)
  Suspicious: False

Strings
  List:
    infect.ir
    _start.vc
    hasher.asm
    fake_host
    infect.ic
    infect.fh
    infect.hl
    infect.iu
    .comment
    .shstrtab
    _start.rd
    _start.vr
    __bss_start
    .symtab
    .strtab
    f@at+
    _edata
    _self
    _start
    infect
    _end
    The Netwide Assembler 0.98.38
    _size
    .text
    .bss
    \$*j

Symbols
  List: hasher.asm, _self, _size, _start.rd, _start.vc, _start.vr, infect, infect.hl, infect.iu, infect.ic, infect.ir, infect.fh, _self, _size, fake_host, _start, __bss_start, _edata, _end
  Number: 26
  Reason: None
  Suspicious: False

Version
  Version: EV_CURRENT

Foremost
  Matches: None
  Suspicious: False

Sections
  List: "", .text, .bss, .comment, .shstrtab, .symtab, .strtab
  Number: 7
  Suspicious: False

Segments
  Number: 1
  Suspicious: False

Compilers
  List: (empty)
  Identified: 0
  Suspicious: False

Functions
  List: , , , , , , , , , , , , , , hasher.asm, , _self, , _size, , _start.rd, , _start.vc, , _start.vr, , infect, , infect.hl, , infect.iu, , infect.ic, , infect.ir, , infect.fh, , _self, , _size, , fake_host, , _start, , __bss_start, , _edata, , _end,
  Present: True

Anti-Debug
  Ptrace: False
  Anti-disasm: False

Entry Point
  Address: 0x8048080
  Suspicious: False

Embedded ELF
  List: None
  Identified: 0

Program Header
  Size: 32
  Number: 1
  Offset: 52

Section Header
  Size: 40
  Number: 7
  Offset: 428

AVclass
  thou: 1
VirusTotal
  md5: 4ffa98be139a46a8df51c887e2a01e89
  sha1: 6f4b82b8357e5c5a74cc83f1a50b95eb48c6e528
  SCANS (DETECTION RATE = 54.24%)
    AVG: ELF:Thou-C (detected; version 18.4.3895.0, update 20200702)
    CMC: not detected (version 2.7.2019.1, update 20200702)
    MAX: malware (ai score=99) (detected; version 2019.9.16.1, update 20200702)
    Bkav: not detected (version 1.3.0.9899, update 20200702)
    K7GW: not detected (version 11.119.34577, update 20200702)
    ALYac: Trojan.Linux.Agent.LS (detected; version 1.1.1.5, update 20200702)
    Avast: ELF:Thou-C (detected; version 18.4.3895.0, update 20200702)
    Avira: LINUX/Thou.C (detected; version 8.3.3.8, update 20200702)
    Baidu: not detected (version 1.0.0.2, update 20190318)
    Cynet: Malicious (score: 85) (detected; version 4.0.0.24, update 20200628)
    Cyren: not detected (version 6.3.0.2, update 20200702)
    DrWeb: Linux.Thoa.3 (detected; version 7.0.46.3050, update 20200702)
    GData: Trojan.Linux.Agent.LS (detected; version A:25.26095B:27.19302, update 20200702)
    Panda: not detected (version 4.6.4.2, update 20200702)
    VBA32: not detected (version 4.4.1, update 20200702)
    VIPRE: not detected (version 84906, update 20200702)
    Zoner: not detected (version 0.0.0.0, update 20200702)
    ClamAV: Unix.Malware.Agent-7438812-0 (detected; version 0.102.3.0, update 20200702)
    Comodo: not detected (version 32590, update 20200702)
    F-Prot: not detected (version 4.7.1.166, update 20200702)
    McAfee: RDN/Generic.dx (detected; version 6.0.6.653, update 20200702)
    Rising: not detected (version 25.0.0.26, update 20200702)
    Sophos: Mal/Generic-S (detected; version 4.98.0, update 20200702)
    Yandex: Linux.HashCave.A (detected; version 5.5.2.24, update 20200630)
    Zillya: Virus.Thou.Linux.3 (detected; version 2.0.0.4122, update 20200702)
    Arcabit: not detected (version 1.0.0.877, update 20200702)
    FireEye: Trojan.Linux.Agent.LS (detected; version 32.31.0.0, update 20200702)
    Sangfor: Malware (detected; version 1.0, update 20200423)
    TACHYON: not detected (version 2020-07-02.03, update 20200702)
    Tencent: Linux.Virus.Thou.Pjeg (detected; version 1.0.0.1, update 20200702)
    ViRobot: not detected (version 2014.3.20.0, update 20200702)
    Ad-Aware: Trojan.Linux.Agent.LS (detected; version 3.0.5.370, update 20200702)
    Emsisoft: Trojan.Linux.Agent.LS (B) (detected; version 2018.12.0.1641, update 20200702)
    F-Secure: Malware.LINUX/Thou.C (detected; version 12.0.86.52, update 20200702)
    Fortinet: ELF/Small.A (detected; version 6.2.142.0, update 20200702)
    Jiangmin: not detected (version 16.0.100, update 20200702)
    Kingsoft: not detected (version 2013.8.14.323, update 20200702)
    Symantec: Trojan.Gen.NPE (detected; version 1.11.0.0, update 20200702)
    AhnLab-V3: not detected (version 3.18.0.10009, update 20200702)
    Antiy-AVL: Virus/Linux.Thou.c (detected; version 3.0.0.1, update 20200702)
    Kaspersky: Virus.Linux.Thou.c (detected; version 15.0.1.13, update 20200702)
    MaxSecure: not detected (version 1.0.0.1, update 20200622)
    Microsoft: not detected (version 1.1.17200.2, update 20200702)
    Qihoo-360: Linux/Virus.27c (detected; version 1.0.0.1120, update 20200702)
    ZoneAlarm: Virus.Linux.Thou.c (detected; version 1.0, update 20200702)
    ESET-NOD32: Linux/Thou.A (detected; version 21590, update 20200702)
    TrendMicro: Trojan.Linux.MIRAI.USELVEM20 (detected; version 11.0.0.1006, update 20200702)
    BitDefender: Trojan.Linux.Agent.LS (detected; version 7.2, update 20200702)
    K7AntiVirus: not detected (version 11.119.34577, update 20200702)
    SentinelOne: DFI - Suspicious ELF (detected; version 4.3.0.105, update 20200601)
    Avast-Mobile: not detected (version 200630-00, update 20200630)
    Malwarebytes: not detected (version 3.6.4.335, update 20200702)
    TotalDefense: not detected (version 37.1.62.1, update 20200702)
    CAT-QuickHeal: not detected (version 14.00, update 20200702)
    NANO-Antivirus: Virus.Elf32.Thou.cibnyl (detected; version 1.0.134.25119, update 20200702)
    BitDefenderTheta: not detected (version 7.2.37796.0, update 20200624)
    MicroWorld-eScan: Trojan.Linux.Agent.LS (detected; version 14.0.409.0, update 20200702)
    SUPERAntiSpyware: not detected (version 5.6.0.1032, update 20200701)
    TrendMicro-HouseCall: Trojan.Linux.MIRAI.USELVEM20 (detected; version 10.0.0.1040, update 20200702)
  total: 59
  sha256: 669ebf73740049adacd81c3fe0542fcb902c5ac2a0ffe970bcc5ed26fd00543c
  scan_id: 669ebf73740049adacd81c3fe0542fcb902c5ac2a0ffe970bcc5ed26fd00543c-1593705014
  resource: 4ffa98be139a46a8df51c887e2a01e89
  positives: 32
  scan_date: 2020-07-02 15:50:14
  verbose_msg: Scan finished, information embedded
  response_code: 1
Ltrace
  Trace: (empty)

Strace
  Trace:
    4291 execve("./malware", ["./malware"], [/* 15 vars */]) = 0
    4291 open(".", O_RDONLY) = 3
    4291 readdir(3, {d_ino=19071278293712945, d_off=7453586500336091142, d_reclen=0, d_name=""}, 0) = 1
    4291 open(".gnupg", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=505122943246532619, d_off=7526769938194628619, d_reclen=29295, d_name="ity"}, 0) = 1
    4291 open(".Xauthority", O_RDWR) = 4
    4291 lseek(4, 0, SEEK_END) = 51
    4291 mmap2(NULL, 51, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xf7fb6000
    4291 syscall_81661531(0xf7fb6000, 0x33, 0x33, 0xf7fb6000, 0, 0xff94fca8) = -1 (errno 38)
    4291 close(4) = 0
    4291 readdir(3, {d_ino=764577201723801621, d_off=7594879246291304455, d_reclen=103, d_name="ity"}, 0) = 1
    4291 open(".config", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=1090564021194326028, d_off=8319104483295363088, d_reclen=28521, d_name="n-errors"}, 0) = 1
    4291 open(".xsession-errors", O_RDWR) = 4
    4291 lseek(4, 0, SEEK_END) = 94
    4291 mmap2(NULL, 94, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xf7fb5000
    4291 syscall_3116095835(0xf7fb5000, 0x5e, 0x5e, 0xf7fb5000, 0, 0xff94fca8) = -1 (errno 38)
    4291 close(4) = 0
    4291 readdir(3, {d_ino=1895729849274466311, d_off=6876825611624382489, d_reclen=29537, d_name="_admin_successful"}, 0) = 1
    4291 open(".sudo_as_admin_successful", O_RDWR) = -1 EACCES (Permission denied)
    4291 readdir(3, {d_ino=2033918540827590659, d_off=6874871693277265932, d_reclen=28524, d_name="gout"}, 0) = 1
    4291 open(".bash_logout", O_RDWR) = 4
    4291 lseek(4, 0, SEEK_END) = 220
    4291 mmap2(NULL, 220, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xf7fb4000
    4291 syscall_281786971(0xf7fb4000, 0xdc, 0xdc, 0xf7fb4000, 0, 0xff94fca8) = -1 (errno 38)
    4291 close(4) = 0
    4291 readdir(3, {d_ino=2626130797926285316, d_off=7594880358905937928, d_reclen=25964, d_name=""}, 0) = 1
    4291 open(".profile", O_RDWR) = 4
    4291 lseek(4, 0, SEEK_END) = 655
    4291 mmap2(NULL, 655, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xf7fb3000
    4291 syscall_347864411(0xf7fb3000, 0x28f, 0x28f, 0xf7fb3000, 0, 0xff94fca8) = -1 (errno 38)
    4291 close(4) = 0
    4291 readdir(3, {d_ino=3872695444423049437, d_off=8242000100439425031, d_reclen=101, d_name=""}, 0) = 1
    4291 open("malware", O_RDWR) = -1 ETXTBSY (Text file busy)
    4291 readdir(3, {d_ino=4161763738629439496, d_off=7307199665335566342, d_reclen=0, d_name=""}, 0) = 1
    4291 open(".cache", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=4588938802182750210, d_off=7307199663674621953, d_reclen=0, d_name=""}, 0) = 1
    4291 open(".", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=4612712610102247643, d_off=7023193685976547339, d_reclen=27756, d_name=".sh"}, 0) = 1
    4291 open("firewall.sh", O_RDWR) = 4
    4291 lseek(4, 0, SEEK_END) = 394
    4291 mmap2(NULL, 394, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xf7fb2000
    4291 syscall_3255437915(0xf7fb2000, 0x18a, 0x18a, 0xf7fb2000, 0, 0xff94fca8) = -1 (errno 38)
    4291 close(4) = 0
    4291 readdir(3, {d_ino=4688909405857251329, d_off=7023193195356749826, d_reclen=27756, d_name=".sh"}, 0) = 1
    4291 open("..", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=4728861054205689875, d_off=7954877984962838535, d_reclen=115, d_name=".sh"}, 0) = 1
    4291 open("Imagens", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=5421908204132761630, d_off=7809632559044624390, d_reclen=0, d_name=""...}, 0) = 1
    4291 open(".local", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=5714765235019841553, d_off=7308626840221122570, d_reclen=29806, d_name="os"}, 0) = 1
    4291 open("Documentos", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=5744481765848514722, d_off=6874871693277265933, d_reclen=26984, d_name="story"}, 0) = 1
    4291 open(".bash_history", O_RDWR) = 4
    4291 lseek(4, 0, SEEK_END) = 271
    4291 mmap2(NULL, 271, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xf7fb1000
    4291 syscall_3422475099(0xf7fb1000, 0x10f, 0x10f, 0xf7fb1000, 0, 0xff94fca8) = -1 (errno 38)
    4291 close(4) = 0
    4291 readdir(3, {d_ino=5971648143821635597, d_off=2333257624432345105, d_reclen=25956, d_name=" Trabalho"}, 0) = 1
    4291 open("\303\201rea de Trabalho", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=6361538179666542607, d_off=8028903717733203975, d_reclen=115, d_name=" Trabalho"}, 0) = 1
    4291 open("Modelos", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=6404076411939455172, d_off=7998507783272923140, d_reclen=115, d_name=" Trabalho"}, 0) = 1
    4291 open(".ssh", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=7264692861971202064, d_off=7596555225747423240, d_reclen=28515, d_name=""}, 0) = 1
    4291 open("P\303\272blico", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=7392395330741600261, d_off=7813865618886950928, d_reclen=29541, d_name=".desktop"}, 0) = 1
    4291 open("examples.desktop", O_RDWR) = 4
    4291 lseek(4, 0, SEEK_END) = 8980
    4291 mmap2(NULL, 8980, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xf7fae000
    4291 syscall_3116882779(0xf7fae000, 0x2314, 0x2314, 0xf7fae000, 0, 0xff94fca8) = -1 (errno 38)
    4291 close(4) = 0
    4291 readdir(3, {d_ino=7506829241080348686, d_off=8028913694941642761, d_reclen=25697, d_name="s"}, 0) = 1
    4291 open("Downloads", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=7526935748224483334, d_off=8243965979997896711, d_reclen=99, d_name="s"}, 0) = 1
    4291 open(".bashrc", O_RDWR) = 4
    4291 lseek(4, 0, SEEK_END) = 3771
    4291 mmap2(NULL, 3771, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xf7fad000
    4291 syscall_62590811(0xf7fad000, 0xebb, 0xebb, 0xf7fad000, 0, 0xff94fca8) = -1 (errno 38)
    4291 close(4) = 0
    4291 readdir(3, {d_ino=7814402547910443108, d_off=7380959312030334982, d_reclen=0, d_name=""...}, 0) = 1
    4291 open(".gconf", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=8056589697827995870, d_off=8242000100439425038, d_reclen=11877, d_name="strace"}, 0) = 1
    4291 open("malware.strace", O_RDWR) = 4
    4291 lseek(4, 0, SEEK_END) = 6458
    4291 mmap2(NULL, 6458, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xf7fab000
    4291 syscall_396635(0xf7fab000, 0x193a, 0x193a, 0xf7fab000, 0, 0xff94fca8) = -1 (errno 38)
    4291 close(4) = 0
    4291 readdir(3, {d_ino=8385580640763641971, d_off=8458117730471378957, d_reclen=26740, d_name="ority"}, 0) = 1
    4291 open(".ICEauthority", O_RDWR) = 4
    4291 lseek(4, 0, SEEK_END) = 318
    4291 mmap2(NULL, 318, PROT_READ|PROT_WRITE, MAP_SHARED, 4, 0) = 0xf7faa000
    4291 syscall_3773246299(0xf7faa000, 0x13e, 0x13e, 0xf7faa000, 0, 0xff94fca8) = -1 (errno 38)
    4291 close(4) = 0
    4291 readdir(3, {d_ino=8868526193957928978, d_off=7163383928287199239, d_reclen=97, d_name="ority"}, 0) = 1
    4291 open("M\303\272sica", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, {d_ino=9083704515049029652, d_off=8026932608327090183, d_reclen=115, d_name="ority"}, 0) = 1
    4291 open("V\303\255deos", O_RDWR) = -1 EISDIR (Is a directory)
    4291 readdir(3, 0xff94fb98, 0) = 0
    4291 close(3) = 0
    4291 exit(0) = ?

Analysis
  Ltrace: Statically-compiled samples cannot be ltraced.
    Reason: Timeout
    Status: Success
  Strace: Success
    Results: True

DNS
  Query: (empty)
  Response: (empty)

TCP
  Info: (empty)

UDP
  Info: (empty)

HTTP
  Info: (empty)

Summary
  DNS: False
  TCP: False
  UDP: False
  HTTP: False

Binary
  RF: confidence 93.50%, suspicious True
  MLP: confidence 99.70%, suspicious True
  SVM: confidence 76.29%, suspicious True