Report #1621

Binary
ABI
ELFOSABI_SYSV
Size
544.69KB
Type
ET_EXEC
trid
50.1% ELF Executable and Linkable format
49.8% ELF Executable and Linkable format
type
ELF
Wordsize
32
Architecture
x86
Hashes
md5
494d9a5e25b9e1d3eedb7a2341aa49ad
sha1
3f1f4ba2434d0ad07838ebc694ad4a4cf8c9641a
crc32
0x904101e6
sha224
7b8e9f1067d02893ed03e070c2f3ec9f791b7d6e5b421fbf8aea84ed
sha256
5f0a2b492c8accde73f1e3db51fe398d54e622655d34fd6d49f7a7264179a885
sha384
ce20e626805aa3ff8d3d3a89787f1915e8f7d4694acfa60d2667393ef78ad4149c7f6abe565e8c8dd51bd5470ffa8f49
sha512
7b0514d9919a80e3585f2c5695acccd27b1cc9725c5995a7d657a49e6de04d07ca4e920328e7c59ab89f4395ce239881b23803710c87560950b596d00fa65b12
ssdeep
12288:JbinNy0Y1nvEtXBx6DkkJmAGyPexU279WnjVZ6ySWK:1iNy0evmxvkJmApPexUm9cVE
Community
Google
False
HashLib
False
YARA
Matches
maldoc_getEIP_method_1, domain, url, IP, contentis_base64, is__elf

Suspicious
True

Dwarf
List

Number
0
Files
Sys
/proc/sys/kernel/version, /proc/sys/kernel/osrelease, /proc/sys/kernel/ngroups_max, /proc/sys/kernel/rtsig-max
Home

Proc
/proc/%d/exe, /proc/net/tcp, /proc/%d/fd, /proc/%d/fd/%s, /proc/mounts, /proc/sys/kernel/version, /proc/sys/kernel/osrelease, /proc/self/maps, /proc/sys/kernel/ngroups_max, /proc/sys/kernel/rtsig-max, /proc/meminfo, /proc/stat, /proc/cpuinfo, /proc/self/exe
Password

Suspicious
True
Flags
Flags
0
Packer
List
None
Packed
False
Network
IPs

URLs
/etc/cron.hourly/%s.sh, /etc/ld.so.cache, ld.so-1.7.0, glibc-ld.so.cache1.1, TLS generation counter wrapped! Please report as described in ., .data.rel.ro
Mails
keld@dkuug.dk, /#7PVUE'V43@h"[[n.([
Suspicious
True
Strings
List
TLS generation counter wrapped! Please report as described in <http://www.gnu.org/software/libc/bugs.html>.
.data.rel.ro
keld@dkuug.dk
/etc/daemon.cfg
/etc/cron.hourly/%s.sh
GET %s HTTP/1.1
ld.so-1.7.0
/etc/ld.so.cache
glibc-ld.so.cache1.1
.got.plt
/etc/resolv.conf
LD_DEBUG_OUTPUT
Host: %s:%d
Network is down
Machine is not on the network
No route to host
Host is down
8.8.4.4
cannot apply additional memory protection after relocation
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)
/proc/%d/fd
/proc/%d/fd/%s
/etc/rc.d/rc%d.d/S90%s
/etc/rc%d.d/S90%s
/proc/%d/exe
/etc/rc.d/rc%d.d/
/etc/rc%d.d/
%p%t%g%t%m%t%f
/etc/init.d/%s
M%hu.%hu.%hu%n
Transport endpoint is not connected
No such process
file=%s [%lu]; destroying link map
Block device required
cannot allocate dependency list
Remote address changed
No such device or address
Operation now in progress
LD_PROFILE_OUTPUT
Owner died
Too many open files
Link has been severed
Key has expired
cannot read file data
Key was rejected by service
Too many open files in system
Key has been revoked
No such device
Is a named type file
Object is remote
Connection reset by peer
Too many links
continued
cannot enable executable stack as shared object requires
cannot create TLS data structures
%a%N%f%N%d%N%b%N%s %h %e %r%N%C-%z %T%N%c%N
http://
%I:%M:%S %p
calling fini: %s [%lu]
.lib section in a.out corrupted
%s: error: %s: %s (%s)
*** glibc detected *** %s: %s: 0x%s ***
Cannot send after transport endpoint shutdown
+%c %a %l
calling init: %s
RESOLV_HOST_CONF
%a %b %e %H:%M:%S %Z %Y
%a %b %e %H:%M:%S %Y
%h %e %T
Operation not permitted
OUTPUT_CHARSET
LD_DEBUG
%s%s.sh
cannot load auxiliary `%s' because of empty dynamic string token substitution
Arena %d:
(%s from file %s)
# Provides: %s
MemFree: %ld kB
search cache=%s
8.8.8.8
%s: cannot open file: %s
%s: cannot stat file: %s
%s/%s.sh
MALLOC_TRACE
GETCONF_DIR
GETCONF_DIR
RES_OPTIONS
RES_OPTIONS
Too many users
/etc/suid-debug
gnome-power-manager
/usr/lib/locale/locale-archive
/usr/sbin/sshd
_dl_open_hook
/proc/net/tcp
_dlfcn_hook
entry: 0x%0*lx phdr: 0x%0*lx phnum: %*u
socket:[
dynamic: 0x%0*lx base: 0x%0*lx size: 0x%0*Zx
*** %n in writable segment detected ***

Symbols
List

Number
0
Reason
Stripped
Suspicious
True
Version
Version
EV_CURRENT
Foremost
Matches
None
Suspicious
False
Sections
List
, .note.ABI-tag, .init, .text, __libc_freeres_fn, __libc_thread_freeres_fn, .fini, .rodata, __libc_atexit, __libc_subfreeres, __libc_thread_subfreeres, .eh_frame, .gcc_except_table, .tdata, .tbss, .ctors, .dtors, .jcr, .data.rel.ro, .got, .got.plt, .data, .bss, __libc_freeres_ptrs, .comment, .shstrtab
Number
26
Suspicious
False
Segments
Number
5
Suspicious
False
Compilers
List
GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-46), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-46), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-55), GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-46), .gcc_except_table
Identified
22
Suspicious
True
Functions
List

Present
True
Anti-Debug
Ptrace
False
Anti-disasm
False
Entry Point
Address
0x8048110
Suspicious
False
Embedded ELF
List
None
Identified
0
Program Header
Size
32
Number
5
Offset
52
Section Header
Size
40
Number
26
Offset
556720
AVclass
emotet
1
VirusTotal
md5
494d9a5e25b9e1d3eedb7a2341aa49ad
sha1
3f1f4ba2434d0ad07838ebc694ad4a4cf8c9641a
SCANS (DETECTION RATE = 67.80%)
AVG: detected, result ELF:Xorddos-M [Trj], update 20190413, version 18.4.3895.0
CMC: not detected, update 20190321, version 1.1.0.977
MAX: detected, result malware (ai score=98), update 20190413, version 2018.9.12.1
Bkav: not detected, update 20190412, version 1.3.0.9899
K7GW: not detected, update 20190413, version 11.38.30593
ALYac: detected, result Trojan.Linux.Xorddos.K, update 20190413, version 1.1.1.5
Avast: detected, result ELF:Xorddos-M [Trj], update 20190413, version 18.4.3895.0
Avira: detected, result LINUX/Xorddos.gzsbh, update 20190413, version 8.3.3.8
Baidu: not detected, update 20190318, version 1.0.0.2
Cyren: detected, result ELF/Trojan.XWTB-4, update 20190413, version 6.2.0.1
DrWeb: detected, result Linux.DDoS.86, update 20190413, version 7.0.34.11020
GData: detected, result Trojan.Linux.Xorddos.K, update 20190413, version A:25.21530B:25.14836
Panda: detected, result ELF/XorDDos.A, update 20190413, version 4.6.4.2
VBA32: not detected, update 20190412, version 4.0.0
VIPRE: not detected, update 20190413, version 74362
Zoner: not detected, update 20190413, version 1.0
ClamAV: detected, result Unix.Malware.Agent-6137694-0, update 20190413, version 0.101.2.0
Comodo: detected, result Malware@#24414v7us92l8, update 20190413, version 30716
F-Prot: not detected, update 20190413, version 4.7.1.166
Ikarus: detected, result Trojan.DDoS, update 20190413, version 0.1.5.2
McAfee: detected, result Linux/DDoS-Xor.B, update 20190413, version 6.0.6.653
Rising: detected, result Trojan.DDoS-Xor/Linux!1.A3E4 (CLASSIC), update 20190413, version 25.0.0.24
Sophos: detected, result Linux/DDoS-BH, update 20190413, version 4.98.0
Yandex: not detected, update 20190412, version 5.5.1.3
Zillya: detected, result Downloader.OpenConnection.JS.224624, update 20190412, version 2.0.0.3795
Arcabit: detected, result Trojan.Linux.Xorddos.K, update 20190413, version 1.0.0.845
Babable: not detected, update 20180918, version 9107201
FireEye: detected, result Trojan.Linux.Xorddos.K, update 20190413, version 29.7.0.0
TACHYON: not detected, update 20190413, version 2019-04-13.02
Tencent: detected, result Trojan-Ddos.Linux.Xarcen.a, update 20190413, version 1.0.0.1
ViRobot: not detected, update 20190413, version 2014.3.20.0
Ad-Aware: detected, result Trojan.Linux.Xorddos.K, update 20190413, version 3.0.5.370
AegisLab: detected, result Trojan.Linux.Xarcen.4!c, update 20190413, version 4.2
Emsisoft: detected, result Trojan.Linux.Xorddos.K (B), update 20190413, version 2018.4.0.1029
F-Secure: detected, result Malware.LINUX/Xorddos.gzsbh, update 20190413, version 12.0.86.52
Fortinet: detected, result ELF/Xorddos.D!tr, update 20190413, version 5.4.247.0
Jiangmin: detected, result TrojanDDoS.Linux.gb, update 20190413, version 16.0.100
Kingsoft: not detected, update 20190413, version 2013.8.14.323
AhnLab-V3: detected, result Linux/Flooder.557760, update 20190413, version 3.15.0.23609
Antiy-AVL: detected, result Trojan[DDoS]/Linux.Xarcen.d, update 20190413, version 3.0.0.1
Kaspersky: detected, result HEUR:Trojan-DDoS.Linux.Xarcen.d, update 20190413, version 15.0.1.13
Microsoft: detected, result DoS:Linux/Xorddos!rfn, update 20190413, version 1.1.15800.1
Qihoo-360: detected, result Win32/Trojan.DDoS.785, update 20190413, version 1.0.0.1120
TheHacker: not detected, update 20190411, version 6.8.0.5.4154
ZoneAlarm: detected, result HEUR:Trojan-DDoS.Linux.Xarcen.d, update 20190413, version 1.0
ESET-NOD32: detected, result a variant of Linux/Xorddos.P, update 20190413, version 19189
TrendMicro: detected, result ELF_XORDDOS.SM, update 20190413, version 10.0.0.1040
BitDefender: detected, result Trojan.Linux.Xorddos.K, update 20190413, version 7.2
K7AntiVirus: not detected, update 20190413, version 11.38.30594
SentinelOne: detected, result DFI - Malicious ELF, update 20190407, version 1.0.25.312
Avast-Mobile: not detected, update 20190413, version 190413-00
Malwarebytes: not detected, update 20190413, version 2.1.1.1115
TotalDefense: not detected, update 20190413, version 37.1.62.1
CAT-QuickHeal: detected, result Trojan.DDoS.PR8af, update 20190413, version 14.00
NANO-Antivirus: detected, result Trojan.Elf32.Xorddos.efutws, update 20190413, version 1.0.134.24576
MicroWorld-eScan: detected, result Trojan.Linux.Xorddos.K, update 20190413, version 14.0.297.0
SUPERAntiSpyware: not detected, update 20190410, version 5.6.0.1032
McAfee-GW-Edition: detected, result Linux/DDoS-Xor.B, update 20190413, version v2017.3010
TrendMicro-HouseCall: detected, result ELF_XORDDOS.SM, update 20190413, version 10.0.0.1040

total
59
sha256
5f0a2b492c8accde73f1e3db51fe398d54e622655d34fd6d49f7a7264179a885
scan_id
5f0a2b492c8accde73f1e3db51fe398d54e622655d34fd6d49f7a7264179a885-1555162777
resource
494d9a5e25b9e1d3eedb7a2341aa49ad
positives
40
scan_date
2019-04-13 13:39:37
verbose_msg
Scan finished, information embedded
response_code
1
DNS
Query

Response

TCP
Info

UDP
Info
localhost:44422 -> 8.8.8.8:53
localhost:53132 -> 8.8.4.4:53
localhost:50867 -> 8.8.8.8:53
localhost:47875 -> 8.8.4.4:53
localhost:36653 -> 8.8.4.4:53
localhost:52802 -> 8.8.8.8:53
localhost:40833 -> 8.8.4.4:53
localhost:52532 -> 8.8.4.4:53
localhost:34752 -> 8.8.4.4:53
localhost:47100 -> 8.8.8.8:53
localhost:51439 -> 8.8.4.4:53
localhost:38185 -> 8.8.4.4:53
localhost:56818 -> 8.8.4.4:53
localhost:41150 -> 8.8.8.8:53
localhost:36001 -> 8.8.8.8:53
localhost:52194 -> 8.8.8.8:53
localhost:52559 -> 8.8.8.8:53
localhost:54082 -> 8.8.8.8:53
localhost:45405 -> 8.8.8.8:53
localhost:50758 -> 8.8.8.8:53
localhost:50339 -> 8.8.8.8:53
localhost:43620 -> 8.8.4.4:53
localhost:56728 -> 8.8.4.4:53
localhost:54813 -> 8.8.8.8:53
localhost:34623 -> 8.8.4.4:53
localhost:35520 -> 8.8.8.8:53
localhost:46315 -> 8.8.8.8:53
localhost:5353 -> 224.0.0.251:5353
localhost:35503 -> 8.8.4.4:53

HTTP
Info

Summary
DNS
False

TCP
False

UDP
True

HTTP
False

Binary
RF
confidence: 100.00%
suspicious: True
MLP
confidence: 99.98%
suspicious: True
SVM
confidence: 97.70%
suspicious: True