Sample : 620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976

Summary


OS ABI

UNIX - System V
CPU class

64 bit
Persistence (user)

No
Persistence (root)

No
CPU byte order

2's complement LSB
File type

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a7ebfe59ae9df5cab9314bef58cce08f84afc511, stripped
CPU type

AMD x86-64
Entropy

6.40289782971
Syscalls executed (root)

57
Syscalls executed (user)

56
ELF type

Executable file

ELF


Class

64 bit
Data encoding

2's complement LSB
Operating system ABI

UNIX - System V
Object file type

Executable file
ELF version

0.1
Machine

AMD x86-64
Link

dynamic
Entrypoint

0x4061d0
Interpreter

'/lib64/ld-linux-x86-64.so.2'
Number of segments

10
Number of sections

31
Program header table offset

64
Section header table offset

3148072
Program header table - size of entry

56
Section header table - size of entry

64
Program header table - entries

10
Section header table - entries

31
Section header table - index sections names

30
Stripped

True
Sections stripped

False
Needed libraries

libdl.so.2

libpthread.so.0

libc.so.6

ld-linux-x86-64.so.2

Dynamic symbols

ctime

chmod

tcsetattr

fileno

dup2

__stpcpy_chk

execv

mktime

memset

ftell

snprintf

dcngettext

inet_pton

__strncpy_chk

close

ioctl

abort

memchr

clock_gettime

__fprintf_chk

isatty

puts

fseek

pthread_cond_signal

__isoc99_sscanf

select

getpeername

exit

__assert_fail

__printf_chk

getaddrinfo

strcasecmp

bindtextdomain

prctl

gettimeofday

setvbuf

__poll_chk

putchar

getopt

read

strncmp

fopen

__libc_start_main

recv

dup

regexec

system

strerror_r

unlink

__memcpy_chk

setsockopt

getpid

fgets

__vsnprintf_chk

__strcat_chk

geteuid

__ctype_toupper_loc

__strdup

fputc

freeaddrinfo

fnmatch

_IO_getc

strlen

__res_ninit

ferror

__asprintf_chk

opendir

__xstat

pthread_cond_init

__vfprintf_chk

__ctype_b_loc

readdir

__tls_get_addr

dlerror

link

sprintf

fdopen

strrchr

__sendmmsg

syscall

pipe

sleep

fsync

dlclose

timegm

poll

gmtime_r

flock

usleep

strerror

strstr

sigaction

getifaddrs

getsockopt

fputs

lseek

strtol

getsockname

connect

gethostname

__poll

regcomp

fchmod

tcgetattr

__strcpy_chk

signal

strspn

strptime

setbuf

memmove

strchr

socket

fread

inet_ntoa

__fxstat

getenv

__errno_location

qsort

mkstemp

dcgettext

strncasecmp

__stack_chk_fail

getnameinfo

__memset_chk

send

strcpy

strtok

freeifaddrs

nanosleep

srand

getuid

__res_nclose

pthread_cond_wait

dladdr

pthread_detach

regfree

__ctype_tolower_loc

memcmp

calloc

globfree

getpwnam_r

feof

writev

fclose

dlopen

recvfrom

strncpy

difftime

localtime_r

__lxstat

dlsym

closedir

__sprintf_chk

strcspn

__snprintf_chk

access

fork

sigemptyset

__res_iclose

fopen64

bind

fwrite

getpwuid_r

perror

rand

gai_strerror

localtime

write

pthread_cond_broadcast

strftime

__strtok_r

__fgets_chk

strtoul

pthread_kill

memcpy

fcntl

glob

open

__vasprintf_chk

getpwnam

__strncat_chk

rename

__fdelt_chk

_IO_putc

mkdir

time

fflush

inet_addr

sync

getservbyname

pthread_key_delete

pthread_key_create

pthread_mutex_unlock

free

pthread_once

pthread_mutex_lock

realloc

pthread_mutex_init

pthread_create

isalnum

isdigit

strcmp

pthread_join

pthread_equal

pthread_getspecific

pthread_mutex_destroy

pthread_setspecific

malloc

pthread_self

isxdigit

Anomalies


Segments
High entropy : PT_LOAD at offset 0x0 - 6.433627
Memory size doubles physical size : PT_LOAD at offset 0x2f9b48
PT_TLS at offset 0x2f9b48


Sections
Uncommon sections : .tbss
section without a name
High entropy : .text - 6.463083


Debug information

False
Comment

GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609

Note

GNU : '\xa7\xeb\xfeY\xae\x9d\xf5\xca\xb91K\xefX\xcc\xe0\x8f\x84\xaf\xc5'
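The ELF section above (Class, Data encoding, Operating system ABI, Object file type, Machine, Entrypoint, and the program/section header table offsets, entry sizes and counts) is the 64-byte Elf64_Ehdr read back field by field, and the Note is the NT_GNU_BUILD_ID descriptor that file(1) prints as BuildID[sha1]. The example below is added here and is not the analyzer's code or anything from the sample: it rebuilds the header from the values on this page (e_flags is not shown and is assumed to be 0), parses it back, renders it the way file(1) does, parses a GNU note, and compares the note bytes as rendered above with the BuildID from the File type line. That comparison is worth running because the two do not agree byte for byte: the Note shows 19 bytes, which hex-encode to the first 38 digits of the 40-digit BuildID; the trailing 0x11 byte, a non-printable control character, is missing from the page's rendering, so the values agree as far as the page shows them. Two further points before reading the Anomalies as red flags: a PT_LOAD whose p_memsz exceeds p_filesz is normally the writable data segment carrying .bss, and .tbss alongside PT_TLS is its thread-local counterpart, both expected in a glibc binary linked against libpthread; and with the section header table at offset 3148072 and 31 entries of 64 bytes, the table ends at 3150056 (the number AhnLab carries in its detection name), so in the usual layout that is the file size and any bytes past it would be an appended overlay.

```python
import struct

# Elf64_Ehdr: e_ident[16] then 48 bytes of little-endian fields (System V ABI).
EHDR_FMT = "<16sHHIQQQIHHHHHH"
EHDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry", "e_phoff",
               "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx")
ELFCLASS64, ELFDATA2LSB, ET_EXEC, EM_X86_64, NT_GNU_BUILD_ID = 2, 1, 2, 62, 3

# e_ident exactly as listed under "First 16B" on this page.
E_IDENT = bytes.fromhex("7f454c46020101000000000000000000")
# Header reconstructed from the values this page reports; e_flags is not shown
# on the page and is assumed to be 0 (what GCC emits for x86-64).
PAGE_HEADER = struct.pack(EHDR_FMT, E_IDENT, ET_EXEC, EM_X86_64, 1, 0x4061D0,
                          64, 3148072, 0, 64, 56, 10, 64, 31, 30)
# BuildID from the File type line, and the note descriptor as this page renders it.
PAGE_BUILD_ID = "a7ebfe59ae9df5cab9314bef58cce08f84afc511"
PAGE_NOTE_DESC = (r"\xa7\xeb\xfeY\xae\x9d\xf5\xca\xb91K\xefX\xcc\xe0\x8f\x84\xaf\xc5"
                  .encode("ascii").decode("unicode_escape").encode("latin-1"))


def parse_ehdr(blob):
    """Parse an ELF-64 little-endian header; raise ValueError for anything else."""
    if len(blob) < 64 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != ELFCLASS64 or blob[5] != ELFDATA2LSB:
        raise ValueError("only ELFCLASS64 / ELFDATA2LSB handled here")
    hdr = dict(zip(EHDR_FIELDS, struct.unpack(EHDR_FMT, blob[:64])))
    hdr["ei_version"], hdr["ei_osabi"] = blob[6], blob[7]
    return hdr


def describe(hdr):
    """Render the header the way file(1) starts its description."""
    typ = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
    mach = {3: "Intel 80386", 62: "x86-64", 183: "ARM aarch64"}
    abi = {0: "SYSV", 3: "GNU/Linux"}
    return "ELF 64-bit LSB %s, %s, version %d (%s)" % (
        typ.get(hdr["e_type"], "unknown type"),
        mach.get(hdr["e_machine"], hex(hdr["e_machine"])),
        hdr["e_version"], abi.get(hdr["ei_osabi"], "unknown ABI"))


def section_table_end(hdr):
    """Offset just past the section header table; bytes beyond it are an overlay."""
    return hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"]


def parse_notes(blob):
    """Yield (name, type, desc) for each 4-byte-aligned entry of a note section."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0")
        off += (namesz + 3) & ~3
        yield name, ntype, blob[off:off + descsz]
        off += (descsz + 3) & ~3


def make_note(name, ntype, desc):
    """Build one note entry (used here to wrap the descriptor the page shows)."""
    name0 = name + b"\0"
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    return struct.pack("<III", len(name0), len(desc), ntype) + pad(name0) + pad(desc)


def build_id(notes):
    """Hex build-id from a note blob, or None if there is no GNU build-id note."""
    for name, ntype, desc in parse_notes(notes):
        if name == b"GNU" and ntype == NT_GNU_BUILD_ID:
            return desc.hex()
    return None


def check_page_note():
    """Compare the note bytes rendered on this page with the BuildID from file(1)."""
    got = build_id(make_note(b"GNU", NT_GNU_BUILD_ID, PAGE_NOTE_DESC))
    return {"note_hex": got, "note_bytes": len(got) // 2,
            "matches": got == PAGE_BUILD_ID, "is_prefix": PAGE_BUILD_ID.startswith(got)}


if __name__ == "__main__":
    hdr = parse_ehdr(PAGE_HEADER)
    print(describe(hdr), "entry=%#x" % hdr["e_entry"],
          "section table ends at", section_table_end(hdr))
    print(check_page_note())
```

On a real file, feed the first 64 bytes to parse_ehdr and the contents of .note.gnu.build-id (or the PT_NOTE segment) to build_id; the packed header and wrapped note here only stand in for those bytes.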

Hash


MD5

7f2f76470c90eb2404f22dfcc81b6a97
SHA1

28765b048c9afa942d5a21b8d3f395b20c723667
SHA256

620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976
SHA512

9df72753c72400acf2d5a565688a93e3d3fac768a42deaafc020bcee5a713be129b725da67e5c8c5fb6767915b7db3cea6616fd29f42c043bca0f0d4e7d44685
ssdeep

49152:ZDAiNpVkGtlqZ3T47VwAsOPloEOcTg8t0W8gnly6nUTIjwW/ghgmgOkgMPyXjIx9:ZDAiFWWpOcFj/nlyM3Ah+drhNq

Bytes


Entropy

6.40289782971
Min entropy (16KB blocks)

1.77160579843
Max entropy (16KB blocks)

7.98995447047
Unique bytes (0-255)

256
Null bytes

670546
White spaces

67838
Printable bytes

956450
First 16B

7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Last 16B

01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Longest same bytes sequence

Byte : 0x0

Offset : 0x2fa6e6

Length : 4091

Three rarest bytes

0xae - 1839 times

0xa2 - 1809 times

0x8a - 1773 times

Three most common bytes

0x0 - 670546 times

0x48 - 116838 times

0xff - 104422 times
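Every figure under Bytes comes from one pass over the file with a 256-entry histogram plus a windowed entropy pass. The example below is added here and is not the analyzer's code: it reproduces those fields on a constructed input so the definitions are explicit, namely Shannon entropy in bits per byte, the minimum and maximum over consecutive 16 KB blocks, the longest run of one byte value, and the rarest and most common values. Which bytes the analyzer counts as "white spaces" and "printable" is not stated on the page, so the ASCII definitions used here are an assumption. Read with those definitions in mind, the page's numbers are unremarkable for a compiled binary: the whole-file 6.40 is pulled down by the 670,546 null bytes (about a fifth of the file) and runs like the 4091 zero bytes at 0x2fa6e6, and .text at 6.46 is ordinary x86-64 code. The one figure that deserves a look is the block maximum of 7.99, which means at least one 16 KB window is statistically indistinguishable from random or compressed data; that window is where embedded keys, archives or an encoded payload would sit, and the block index from block_entropy_range tells you where to open the file.

```python
import math
from collections import Counter

BLOCK = 16 * 1024  # the analyzer's window: "Min/Max entropy (16KB blocks)"


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform byte distribution."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def block_entropy_range(data, block=BLOCK):
    """(min, max) entropy over consecutive non-overlapping blocks; the last block may be short."""
    values = [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]
    return (min(values), max(values)) if values else (0.0, 0.0)


def longest_run(data):
    """(byte value, offset, length) of the longest run of one repeated byte."""
    best = (None, 0, 0)
    i, n = 0, len(data)
    while i < n:
        j = i + 1
        while j < n and data[j] == data[i]:
            j += 1
        if j - i > best[2]:
            best = (data[i], i, j - i)
        i = j
    return best


def byte_stats(data, block=BLOCK):
    """Reproduce the fields of the Bytes section for an in-memory file image."""
    counts = Counter(data)
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))  # ascending count, then value
    lo, hi = block_entropy_range(data, block)
    return {
        "entropy": shannon_entropy(data),
        "min_block_entropy": lo,
        "max_block_entropy": hi,
        "unique_bytes": len(counts),
        "null_bytes": counts.get(0, 0),
        # ASCII definitions assumed; the page does not say which bytes the analyzer counts.
        "white_spaces": sum(counts.get(b, 0) for b in b" \t\n\r\x0b\x0c"),
        "printable_bytes": sum(c for b, c in counts.items() if 0x20 <= b < 0x7F),
        "first_16": " ".join("%02x" % b for b in data[:16]),
        "last_16": " ".join("%02x" % b for b in data[-16:]),
        "longest_run": longest_run(data),
        "rarest": ranked[:3],
        "most_common": ranked[-3:][::-1],
    }


# Constructed input (not the sample): an ELF-like prefix, 64 passes over every byte
# value, a 4091-byte run of nulls like the one the page reports, and a short tail.
SAMPLE = b"\x7fELF" + bytes(range(256)) * 64 + b"\x00" * 4091 + b"H" * 10


if __name__ == "__main__":
    for key, value in byte_stats(SAMPLE).items():
        print("%-18s %s" % (key, value))
```

For a real file, pass open(path, "rb").read() to byte_stats; the block size parameter lets you match whichever window another tool used before comparing its numbers with the page's.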

File type


Mime type

application/x-executable
File type

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a7ebfe59ae9df5cab9314bef58cce08f84afc511, stripped

VirusTotal


URL

https://www.virustotal.com/#/file/620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976
Positive

35
Total AVs

60
Scan date

2020-02-20 21:36:06
AVClass

sshbrute
Detection

Kaspersky : HEUR:Backdoor.Linux.Ssh.a

McAfee : GenericRXIK-SD!7F2F76470C90

Qihoo-360 : Linux/Backdoor.6ca

BitDefender : Trojan.Linux.Generic.151688

TrendMicro-HouseCall : Trojan.Linux.SSHBRUTE.B

Ad-Aware : Trojan.Linux.Generic.151688

F-Secure : Malware.LINUX/Agent.ztzyp

Zillya : Trojan.Agent.Linux.2418

NANO-Antivirus : Trojan.Elf64.BtcMine.gvevte

AVG : ELF:BruteForce-I [Trj]

Avira : LINUX/Agent.ztzyp

ClamAV : Unix.Malware.Agent-7443654-0

TrendMicro : Trojan.Linux.SSHBRUTE.B

Antiy-AVL : Trojan[Backdoor]/Linux.Ssh.a

Avast : ELF:BruteForce-I [Trj]

Emsisoft : Trojan.Linux.Generic.151688 (B)

MAX : malware (ai score=82)

Cyren : ELF/Trojan.FHHZ-8

ESET-NOD32 : a variant of Linux/Agent.GF

Symantec : Trojan.Gen.MBT

FireEye : Trojan.Linux.Generic.151688

Arcabit : Trojan.Linux.Generic.D25088

DrWeb : Linux.BtcMine.271

Avast-Mobile : ELF:Agent-AEA [Trj]

Fortinet : PossibleThreat

Sophos : Linux/SSHBrut-A

McAfee-GW-Edition : GenericRXIK-SD!7F2F76470C90

Ikarus : Trojan.Linux.Agent

Microsoft : Trojan:Win32/Occamy.C

ZoneAlarm : HEUR:Backdoor.Linux.Ssh.a

ALYac : Backdoor.Linux.Agent

AhnLab-V3 : Trojan/Linux.Sshbrute.3150056

Jiangmin : Backdoor.Linux.eaon

MicroWorld-eScan : Trojan.Linux.Generic.151688

GData : Trojan.Linux.Generic.151688

Data Explore


Paths

/usr/sbiH

/home/buH

~/E1

~/

~/;5Jx

~/D;

/proc/cpuinfo

/var/tmp/.var03522123

/var/tmp/.var03522123

/proc/cpuinfo

/var/tmp/.systemcache436621

/var/tmp/.systemcache436621

/var/tmp/.systemcache436621

/var/tmp;

/var/tmp;

~/.ssh

/var/tmp/dota3.tar.gz

~/.ssh/id_rsa

/var/tmp/.var03522123

/var/tmp/dota*

/home/buffer/cnc/godaddy

/dev/shm/ip

/dev/shm/p

~/.ssh

/etc/ssh/ssh_config

/bin/sh

~/;0

~/

/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines

/dev/urandom

/var/run/egd-pool

/dev/egd-pool

/etc/egd-pool

/etc/entropy

/dev/random

/dev/srandom

/usr/lib/ssl/private

/usr/lib/ssl

/usr/lib/ssl/certs

/usr/lib/ssl/cert.pem

/dev/tty

/usr/local/lib/gss/

/usr/local/etc/gss/mech

/usr/local/etc/gss/mech.d/*.conf

/var/run/.heim_org.h5l.kcm-socket

/usr/local/lib/krb5/plugins/authdata

/usr/local/lib/krb5/plugins

/usr/local/lib

/usr/local/bin

/usr/local/sbin

/etc/krb5.conf:/usr/local/etc/krb5.conf

/usr/local/var/krb5kdc/kdc.conf

/etc/krb5.keytab

/usr/local/var/krb5/user/%{euid}/client.keytab

/usr/local/lib/krb5/plugins/libkrb5

/usr/local/share/locale

/var/tmp

URLs

http://www.openssl.org/support/faq

IPs (v4 and v6)

::

::

45.9.148.129

45.9.148.125

192.168.0.1

::

::

::

::

::

d::
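The Paths and IPs lists are strings pulled out of the binary, which is why fragments such as /usr/sbiH, ~/;5Jx and d:: sit next to real paths: they are partial matches from the string scanner. Most of the entries are library strings rather than the sample's own logic: the openssl.org URL, the openssl-1.0.0/engines and /usr/lib/ssl paths and the egd-pool and /dev/srandom entries belong to OpenSSL, and the krb5, gss and .heim_org.h5l.kcm-socket paths to Kerberos code; none of those libraries appear under Needed libraries, so they are linked in statically. What is specific to this sample is the hidden-file naming under /var/tmp and /dev/shm, plus the reads of ~/.ssh and ~/.ssh/id_rsa. The example below, added here and not taken from the analyzer, checks a host (or a mounted image, via the root argument) for those on-disk artifacts and scans line-oriented output such as ss -ntp for the two public addresses in the IPs list, 45.9.148.129 and 45.9.148.125. The page gives no port or protocol for either address, so a hit is a lead to confirm, not a verdict. The ss lines in the block are constructed for the demo and were not captured from the sample.

```python
import fnmatch
import os
import re
import shutil
import tempfile

# On-disk artifacts from the Paths list above. The ~/.ssh entries are left out on
# purpose: they exist on every host and would only produce noise.
ARTIFACT_PATTERNS = (
    "/var/tmp/.var03522123",
    "/var/tmp/.systemcache436621",
    "/var/tmp/dota3.tar.gz",
    "/var/tmp/dota*",
    "/dev/shm/ip",
    "/dev/shm/p",
)
# The two public IPv4 addresses from the IPs list above.
IOC_IPS = frozenset({"45.9.148.129", "45.9.148.125"})
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_artifacts(root="/"):
    """Return the artifact paths present under root (pass a mount point to scan an image)."""
    hits = set()
    for pattern in ARTIFACT_PATTERNS:
        directory, name = os.path.split(pattern)
        real_dir = os.path.join(root, directory.lstrip("/"))
        if not os.path.isdir(real_dir):
            continue
        for entry in os.listdir(real_dir):  # listdir includes dotfiles, unlike glob
            if fnmatch.fnmatch(entry, name):
                hits.add(os.path.join(directory, entry))
    return sorted(hits)


def find_ioc_connections(lines):
    """(line number, ip) for every line naming an IOC address.

    Works on anything line-oriented: ss/netstat output, a proxy or NetFlow export, shell history."""
    found = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in IOC_IPS:
                found.append((n, ip))
    return found


# Constructed `ss -ntp` lines for the demo; not captured from the sample. The last
# line checks that 145.9.148.125 is not mistaken for 45.9.148.125.
SAMPLE_SS = (
    "State Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process",
    'ESTAB 0 0 10.0.0.5:43122 45.9.148.129:80 users:(("x",pid=2710,fd=3))',
    'ESTAB 0 0 10.0.0.5:22 192.168.0.1:51004 users:(("sshd",pid=812,fd=4))',
    'ESTAB 0 0 10.0.0.5:40110 145.9.148.125:443 users:(("curl",pid=900,fd=5))',
)


def demo_in_tempdir():
    """Plant two of the artifacts (and a decoy) in a scratch root, scan it, return the hits."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "var/tmp"))
        os.makedirs(os.path.join(root, "dev/shm"))
        for rel in ("var/tmp/.var03522123", "var/tmp/dota3.tar.gz", "var/tmp/README"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("planted for the demo\n")
        return find_artifacts(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("artifacts on this host:", find_artifacts("/"))
    print("artifacts in the demo tree:", demo_in_tempdir())
    print("IOC connections in the sample ss output:", find_ioc_connections(SAMPLE_SS))
```

Run find_artifacts against a forensic mount rather than the live root when you can; on a live host the sample's own process could have removed the files already (unlink and rename are among its imports), so an empty result does not clear the machine.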

Code Explore


Nucleus

Number of functions : 7188

Total size functions [B] : 18288754

Average size a function [B] : 2544.34529772

Percentage of covered .text section : 933.167300896

Percentage of covered LOAD segment : 581.423016128

Eh_frame

Number of functions : 7148

Total size functions [B] : 1629232

Average size a function [B] : 227.928371572

Percentage of covered .text section : 83.1301043239

Percentage of covered LOAD segment : 51.7953811076

Sandbox (user)


Standard output

====================================================================== ---------------------->Faster than light<----------------------------- --------------------->use only for testing<---------------...
Standard error

Sandbox (root)


Standard output

====================================================================== ---------------------->Faster than light<----------------------------- --------------------->use only for testing<---------------...
Standard error

Behavior


User behavior

Syscalls


Unique
mmap2
set_tid_address
set_robust_list
exit_group
rt_sigaction
read
munmap
mprotect
arch_prctl
access
write
brk
rt_sigprocmask
close
getrlimit
open
fstat
execve


Unique number
18

Total number
56

Instrumented libc calls


Unique
strchr


Unique number
1

Total number
1

Number of processes

1

Trace lines lost

0

Files being read

/opt/lib/libpthread.so.0

/opt/lib/libdl.so.2

/etc/ld.so.cache

/opt/lib/libc.so.6

Max sleep

-1.0



Root behavior

Syscalls


Unique
mmap2
write
set_tid_address
set_robust_list
exit_group
rt_sigaction
read
commit_creds
mprotect
arch_prctl
access
munmap
brk
rt_sigprocmask
close
getrlimit
open
fstat
execve


Unique number
19

Total number
57

Instrumented libc calls


Unique
strchr


Unique number
1

Total number
1

Number of processes

1

Trace lines lost

0

Files being read

/opt/lib/libpthread.so.0

/opt/lib/libdl.so.2

/etc/ld.so.cache

/opt/lib/libc.so.6

Max sleep

-1.0
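Two caveats on the Code Explore and Behavior figures above. Nucleus reports 7188 functions totalling 18,288,754 bytes, 933% of .text, which cannot be right for non-overlapping functions; the eh_frame count (7148 functions, 83% of .text) is the one to use for a GCC-built binary with unwind tables. And both sandbox traces stop at process start-up: 18 unique syscalls, the four loader reads (ld.so.cache, libc, libpthread, libdl), one instrumented libc call, one process, and the banner on stdout. The only difference in the root run is commit_creds, which is a kernel-internal function rather than a system call, so the tracer is hooking inside the kernel and that entry is tracer noise, not sample behaviour. None of the network, process-spawning or file-modifying functions the binary imports (socket, connect, bind, fork, execv, system, chmod, unlink, rename and so on) produced a syscall, so the Behavior section says nothing about what the sample does once past its banner. The example below, added here and not part of the analyzer, makes that gap explicit: it buckets a subset of the Dynamic symbols listed above into capabilities (the bucketing is a triage convention assumed here, not something the page states) and checks each bucket against the syscalls the trace recorded. It is the check to run before treating any sandbox report as a description of a sample. The single execve in the trace is the sandbox launching the sample and is deliberately not counted as evidence of spawning, and open/write are excluded from file-modification evidence because the loader and the banner produce them in every run.

```python
# Capability buckets: libc imports that grant a capability, and the syscalls that
# would show up in a trace if it were used. The grouping is a triage convention
# assumed here, not something the analyzer reports.
CAPABILITY_IMPORTS = {
    "network": {"socket", "connect", "bind", "send", "recv", "recvfrom", "__sendmmsg",
                "setsockopt", "getsockopt", "getaddrinfo", "getnameinfo", "getpeername",
                "getsockname", "getifaddrs", "getservbyname", "inet_pton", "inet_addr"},
    "process_spawn": {"fork", "execv", "system", "pipe", "dup2", "pthread_create", "pthread_kill"},
    "file_modify": {"chmod", "fchmod", "unlink", "rename", "link", "mkdir", "mkstemp", "flock"},
    "signals": {"sigaction", "signal", "sigemptyset"},
}
SYSCALL_EVIDENCE = {
    "network": {"socket", "connect", "bind", "sendto", "sendmsg", "sendmmsg", "recvfrom",
                "recvmsg", "setsockopt", "getsockopt", "getpeername", "getsockname"},
    # execve is absent on purpose: the sandbox's own launch of the sample produces one.
    "process_spawn": {"clone", "clone3", "fork", "vfork", "pipe", "pipe2", "dup2", "dup3",
                      "kill", "tgkill"},
    # open/write are absent on purpose: the loader and the banner produce them in every run.
    "file_modify": {"chmod", "fchmod", "fchmodat", "unlink", "unlinkat", "rename", "renameat",
                    "renameat2", "link", "linkat", "mkdir", "mkdirat", "flock"},
    "signals": {"rt_sigaction"},
}

# A subset of the Dynamic symbols listed on this page, plus a few benign names
# (getopt, puts, strlen, malloc) to show that they fall into no bucket.
PAGE_IMPORTS = frozenset({
    "socket", "connect", "bind", "send", "recv", "recvfrom", "__sendmmsg", "setsockopt",
    "getsockopt", "getaddrinfo", "getnameinfo", "getpeername", "getsockname", "getifaddrs",
    "getservbyname", "inet_pton", "inet_addr", "fork", "execv", "system", "pipe", "dup2",
    "pthread_create", "pthread_kill", "chmod", "fchmod", "unlink", "rename", "link", "mkdir",
    "mkstemp", "flock", "sigaction", "signal", "sigemptyset", "prctl", "getopt", "puts",
    "strlen", "malloc", "dlopen", "dlsym",
})
# The 18 unique syscalls from the user-mode trace on this page.
PAGE_USER_SYSCALLS = frozenset({
    "mmap2", "set_tid_address", "set_robust_list", "exit_group", "rt_sigaction", "read",
    "munmap", "mprotect", "arch_prctl", "access", "write", "brk", "rt_sigprocmask", "close",
    "getrlimit", "open", "fstat", "execve",
})


def capability_gap(imports, observed_syscalls):
    """Per capability the binary imports: the imports granting it, the syscalls in the
    trace that evidence it, and whether the run exercised it at all."""
    imports, observed = set(imports), set(observed_syscalls)
    report = {}
    for cap, names in CAPABILITY_IMPORTS.items():
        granted = sorted(names & imports)
        if not granted:
            continue
        evidence = sorted(SYSCALL_EVIDENCE[cap] & observed)
        report[cap] = {"imported": granted, "evidence": evidence, "exercised": bool(evidence)}
    return report


def unexercised(imports, observed_syscalls):
    """Capabilities the binary imports but the trace never shows: what the run did not cover."""
    report = capability_gap(imports, observed_syscalls)
    return sorted(cap for cap, r in report.items() if not r["exercised"])


if __name__ == "__main__":
    for cap, r in capability_gap(PAGE_IMPORTS, PAGE_USER_SYSCALLS).items():
        print("%-14s exercised=%-5s imports=%s evidence=%s"
              % (cap, r["exercised"], r["imported"], r["evidence"]))
    print("not covered by this run:", unexercised(PAGE_IMPORTS, PAGE_USER_SYSCALLS))
```

On the page's own data only the signals bucket comes out exercised (rt_sigaction is in the trace); network, process_spawn and file_modify all come back empty, which is the formal version of "this sandbox run never got past the banner". The same two functions take the import list of readelf --dyn-syms and the syscall names from a strace -f run, so a second run with the arguments or environment the binary expects can be scored the same way.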