Report #1180

  • Creation Date: Nov. 16, 2019, 4:37 p.m.
  • Last Update: Nov. 16, 2019, 7:15 p.m.
  • File: for_uninit.bin
  • Results:
Binary
  • ABI: ELFOSABI_SYSV
  • Size: 8.36KB
  • Type: ET_EXEC
  • trid: 50.1% ELF Executable and Linkable format; 49.8% ELF Executable and Linkable format
  • type: ELF
  • Wordsize: 64
  • Architecture: x64
Hashes
  • md5: 34b9992d690222b624f771e6743e658e
  • sha1: cdeda71305af7ed6a84f21e1972db979405940d9
  • crc32: 0x2d54c14e
  • sha224: 273e1f69eaaa662422eaa09003c564c392a45d8687a71267c82bfa4d
  • sha256: fdf63cf054a5d2f9a00794e8e92f37a58b69b605baf8d7360f3b8dbc929655b4
  • sha384: f12f11ee8f5ca3c12574b6c8443fc39431c8b574fa0ecacb7dfa3b9711d0e4442453c9a89a6cabd10336e6235d2c7c36
  • sha512: 81ef569c0c15efb1a20749445aa87826e15a605c1883d2d0924adb402eac4375245bf6c9bc0b1829b7a62883d39172e69e1b06767b7a551664a1b4acb119c612
  • ssdeep: 96:GLToLoYW+/LMRqqIV+x2aOhrzSTj7IruBWeoBeSiZNrSN:GLcW8LDqIbajHxoESi
Community
  • Google: False
  • HashLib: False
YARA
  • Matches: domain, contentis_base64, is__elf
  • Suspicious: True
Dwarf
  • List:
  • Number: 0
Files
  • Sys:
  • Home:
  • Proc:
  • Password:
  • Suspicious: False
Flags
  • Flags: 0
Packer
  • List: None
  • Packed: False
Network
  • IPs:
  • URLs: /lib64/ld-linux-x86-64.so.2
  • Mails:
  • Suspicious: True
Strings
List
.note.gnu.build-id
.plt.got
.gnu.hash
libc.so.6
.rela.plt
.rela.dyn
.got.plt
/lib64/ld-linux-x86-64.so.2
_Jv_RegisterClasses
deregister_tm_clones
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
.comment
__FRAME_END__
GLIBC_2.2.5
_GLOBAL_OFFSET_TABLE_
_DYNAMIC
__JCR_END__
__TMC_END__
__JCR_LIST__
__frame_dummy_init_array_entry
frame_dummy
.dynamic
__gmon_start__
__gmon_start__
.note.ABI-tag
for_uninit.c
__GNU_EH_FRAME_HDR
.gnu.version
.shstrtab
.eh_frame
.eh_frame_hdr
.fini_array
.init_array
_IO_stdin_used
crtstuff.c
__libc_start_main
__init_array_start
__do_global_dtors_aux
.gnu.version_r
__dso_handle
__data_start
.rodata
__init_array_end
__libc_csu_init
__libc_csu_fini
.interp
__bss_start
.symtab
.strtab
_edata
.fini
.init
.dynstr
.dynsym
main
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609
completed.7594
__libc_start_main@@GLIBC_2.2.5
__do_global_dtors_aux_fini_array_entry
.data
AUATL
;*3$"
@8 @
UH-0
AWAVA
.text
.bss
.jcr
[]A\A]A^A_

Symbols
  • List: crtstuff.c, __JCR_LIST__, deregister_tm_clones, register_tm_clones, __do_global_dtors_aux, completed.7594, __do_global_dtors_aux_fini_array_entry, frame_dummy, __frame_dummy_init_array_entry, for_uninit.c, crtstuff.c, __FRAME_END__, __JCR_END__, __init_array_end, _DYNAMIC, __init_array_start, __GNU_EH_FRAME_HDR, _GLOBAL_OFFSET_TABLE_, __libc_csu_fini, _ITM_deregisterTMCloneTable, data_start, _edata, _fini, __libc_start_main@@GLIBC_2.2.5, __data_start, __gmon_start__, __dso_handle, _IO_stdin_used, __libc_csu_init, _end, _start, __bss_start, main, _Jv_RegisterClasses, __TMC_END__, _ITM_registerTMCloneTable, _init
  • Number: 66
  • Reason: None
  • Suspicious: False
Version
  • Version: EV_CURRENT
Foremost
  • Matches: None
  • Suspicious: False
Sections
  • List: .interp, .note.ABI-tag, .note.gnu.build-id, .gnu.hash, .dynsym, .dynstr, .gnu.version, .gnu.version_r, .rela.dyn, .rela.plt, .init, .plt, .plt.got, .text, .fini, .rodata, .eh_frame_hdr, .eh_frame, .init_array, .fini_array, .jcr, .dynamic, .got, .got.plt, .data, .bss, .comment, .shstrtab, .symtab, .strtab
  • Number: 31
  • Suspicious: False
Segments
  • Number: 9
  • Suspicious: False
Compilers
  • List: GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609
  • Identified: 1
  • Suspicious: False
Functions
  • List: __libc_start_main, @GLIBC_2.2.5 (2), __gmon_start__, crtstuff.c, __JCR_LIST__, deregister_tm_clones, register_tm_clones, __do_global_dtors_aux, completed.7594, __do_global_dtors_aux_fini_array_entry, frame_dummy, __frame_dummy_init_array_entry, for_uninit.c, crtstuff.c, __FRAME_END__, __JCR_END__, __init_array_end, _DYNAMIC, __init_array_start, __GNU_EH_FRAME_HDR, _GLOBAL_OFFSET_TABLE_, __libc_csu_fini, _ITM_deregisterTMCloneTable, data_start, _edata, _fini, __libc_start_main@@GLIBC_2.2.5, __data_start, __gmon_start__, __dso_handle, _IO_stdin_used, __libc_csu_init, _end, _start, __bss_start, main, _Jv_RegisterClasses, __TMC_END__, _ITM_registerTMCloneTable, _init
  • Present: True
Anti-Debug
  • Ptrace: False
  • Anti-disasm: False
Entry Point
  • Address: 0x4003e0
  • Suspicious: False
Embedded ELF
  • List: None
  • Identified: 0
Program Header
  • Size: 56
  • Number: 9
  • Offset: 64
Section Header
  • Size: 64
  • Number: 31
  • Offset: 6576
AVclass
None
1
VirusTotal
  • md5: 34b9992d690222b624f771e6743e658e
  • sha1: cdeda71305af7ed6a84f21e1972db979405940d9
SCANS (DETECTION RATE = 0.00%)
  • AVG (update 20191116, version 18.4.3895.0): detected False
  • CMC (update 20190321, version 1.1.0.977): detected False
  • MAX (update 20191116, version 2019.9.16.1): detected False
  • K7GW (update 20191116, version 11.78.32577): detected False
  • ALYac (update 20191116, version 1.1.1.5): detected False
  • Avira (update 20191116, version 8.3.3.8): detected False
  • Baidu (update 20190318, version 1.0.0.2): detected False
  • Cyren (update 20191116, version 6.2.2.2): detected False
  • DrWeb (update 20191116, version 7.0.41.7240): detected False
  • GData (update 20191116, version A:25.24004B:26.16672): detected False
  • Panda (update 20191116, version 4.6.4.2): detected False
  • VBA32 (update 20191116, version 4.2.0): detected False
  • VIPRE (update 20191116, version 79374): detected False
  • Zoner (update 20191116, version 1.0.0.1): detected False
  • ClamAV (update 20191116, version 0.102.0.0): detected False
  • Comodo (update 20191116, version 31730): detected False
  • F-Prot (update 20191116, version 4.7.1.166): detected False
  • Ikarus (update 20191116, version 0.1.5.2): detected False
  • McAfee (update 20191113, version 6.0.6.653): detected False
  • Rising (update 20191116, version 25.0.0.24): detected False
  • Sophos (update 20191116, version 4.98.0): detected False
  • Yandex (update 20191114, version 5.5.2.24): detected False
  • Zillya (update 20191115, version 2.0.0.3952): detected False
  • Arcabit (update 20191116, version 1.0.0.861): detected False
  • FireEye (update 20191116, version 29.7.0.0): detected False
  • TACHYON (update 20191116, version 2019-11-16.02): detected False
  • Tencent (update 20191116, version 1.0.0.1): detected False
  • ViRobot (update 20191116, version 2014.3.20.0): detected False
  • Ad-Aware (update 20191116, version 3.0.5.370): detected False
  • AegisLab (update 20191116, version 4.2): detected False
  • Emsisoft (update 20191031, version 2018.12.0.1641): detected False
  • F-Secure (update 20191116, version 12.0.86.52): detected False
  • Fortinet (update 20191116, version 5.4.247.0): detected False
  • Jiangmin (update 20191116, version 16.0.100): detected False
  • Kingsoft (update 20191116, version 2013.8.14.323): detected False
  • Symantec (update 20191116, version 1.11.0.0): detected False
  • AhnLab-V3 (update 20191116, version 3.16.4.25692): detected False
  • Antiy-AVL (update 20191116, version 3.0.0.1): detected False
  • Kaspersky (update 20191116, version 15.0.1.13): detected False
  • Microsoft (update 20191116, version 1.1.16500.1): detected False
  • Qihoo-360 (update 20191116, version 1.0.0.1120): detected False
  • ZoneAlarm (update 20191116, version 1.0): detected False
  • ESET-NOD32 (update 20191116, version 20359): detected False
  • TrendMicro (update 20191116, version 11.0.0.1006): detected False
  • BitDefender (update 20191116, version 7.2): detected False
  • K7AntiVirus (update 20191116, version 11.78.32577): detected False
  • SentinelOne (update 20191115, version 1.0.31.33): detected False
  • Avast-Mobile (update 20191115, version 191114-10): detected False
  • Malwarebytes (update 20191116, version 2.1.1.1115): detected False
  • TotalDefense (update 20191116, version 37.1.62.1): detected False
  • CAT-QuickHeal (update 20191116, version 14.00): detected False
  • NANO-Antivirus (update 20191116, version 1.0.134.24859): detected False
  • BitDefenderTheta (update 20191113, version 7.2.37796.0): detected False
  • MicroWorld-eScan (update 20191116, version 14.0.297.0): detected False
  • SUPERAntiSpyware (update 20191115, version 5.6.0.1032): detected False
  • McAfee-GW-Edition (update 20191116, version v2017.3010): detected False
  • TrendMicro-HouseCall (update 20191116, version 10.0.0.1040): detected False
  • total: 57
  • sha256: fdf63cf054a5d2f9a00794e8e92f37a58b69b605baf8d7360f3b8dbc929655b4
  • scan_id: fdf63cf054a5d2f9a00794e8e92f37a58b69b605baf8d7360f3b8dbc929655b4-1573938672
  • resource: 34b9992d690222b624f771e6743e658e
  • positives: 0
  • scan_date: 2019-11-16 21:11:12
  • verbose_msg: Scan finished, information embedded
  • response_code: 1
Ltrace
Trace
4290 __libc_start_main(0x4004d6, 1, 0x7ffd0aef4168, 0x400510

Strace
Trace
4291 execve("./malware", ["./malware"], [/* 15 vars */]) = 0
4291 brk(NULL) = 0xdbd000
4291 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
4291 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
4291 open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4291 fstat(3, {st_mode=S_IFREG|0644, st_size=99075, ...}) = 0
4291 mmap(NULL, 99075, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f03dfb40000
4291 close(3) = 0
4291 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
4291 open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
4291 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
4291 fstat(3, {st_mode=S_IFREG|0755, st_size=1868984, ...}) = 0
4291 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f03dfb3f000
4291 mmap(NULL, 3971488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f03df56a000
4291 mprotect(0x7f03df72a000, 2097152, PROT_NONE) = 0
4291 mmap(0x7f03df92a000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c0000) = 0x7f03df92a000
4291 mmap(0x7f03df930000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f03df930000
4291 close(3) = 0
4291 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f03dfb3e000
4291 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f03dfb3d000
4291 arch_prctl(ARCH_SET_FS, 0x7f03dfb3e700) = 0
4291 mprotect(0x7f03df92a000, 16384, PROT_READ) = 0
4291 mprotect(0x600000, 4096, PROT_READ) = 0
4291 mprotect(0x7f03dfb59000, 4096, PROT_READ) = 0
4291 munmap(0x7f03dfb40000, 99075) = 0
4291 exit_group(6) = ?

Analysis
Ltrace
  • Statically-compiled samples cannot be ltraced.
  • Reason: Timeout
  • Status: Success
Strace
  • Success
Results
  • True
DNS
  • Query:
  • Response:
TCP
  • Info:
UDP
  • Info:
HTTP
  • Info:
Summary
  • DNS: False
  • TCP: False
  • UDP: False
  • HTTP: False
Binary
  • RF: confidence 67.13%, suspicious False
  • MLP: confidence 66.17%, suspicious False
  • SVM: confidence 81.38%, suspicious False