Sample : 620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976
Modules
Summary
OS ABI
UNIX - System V
CPU class
64 bit
Persistence (user)
No
Persistence (root)
No
CPU byte order
2's complement LSB
File type
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a7ebfe59ae9df5cab9314bef58cce08f84afc511, stripped
CPU type
AMD x86-64
Entropy
6.40289782971
Syscalls executed (root)
57
Syscalls executed (user)
56
ELF type
Executable file
ELF
Class
64 bit
Data encoding
2's complement LSB
Operating system ABI
UNIX - System V
Object file type
Executable file
ELF version
0.1
Machine
AMD x86-64
Link
dynamic
Entrypoint
0x4061d0
Interpreter
'/lib64/ld-linux-x86-64.so.2'
Number of segments
10
Number of sections
31
Program header table offset
64
Section header table offset
3148072
Program header table - size of entry
56
Section header table - size of entry
64
Program header table - entries
10
Section header table - entries
31
Section header table - index sections names
30
Stripped
True
Sections stripped
False
Needed libraries
libdl.so.2
libpthread.so.0
libc.so.6
ld-linux-x86-64.so.2
libpthread.so.0
libc.so.6
ld-linux-x86-64.so.2
Dynamic symbols
ctime
chmod
tcsetattr
fileno
dup2
__stpcpy_chk
execv
mktime
memset
ftell
snprintf
dcngettext
inet_pton
__strncpy_chk
close
ioctl
abort
memchr
clock_gettime
__fprintf_chk
isatty
puts
fseek
pthread_cond_signal
__isoc99_sscanf
select
getpeername
exit
__assert_fail
__printf_chk
getaddrinfo
strcasecmp
bindtextdomain
prctl
gettimeofday
setvbuf
__poll_chk
putchar
getopt
read
strncmp
fopen
__libc_start_main
recv
dup
regexec
system
strerror_r
unlink
__memcpy_chk
setsockopt
getpid
fgets
__vsnprintf_chk
__strcat_chk
geteuid
__ctype_toupper_loc
__strdup
fputc
freeaddrinfo
fnmatch
_IO_getc
strlen
__res_ninit
ferror
__asprintf_chk
opendir
__xstat
pthread_cond_init
__vfprintf_chk
__ctype_b_loc
readdir
__tls_get_addr
dlerror
link
sprintf
fdopen
strrchr
__sendmmsg
syscall
pipe
sleep
fsync
dlclose
timegm
poll
gmtime_r
flock
usleep
strerror
strstr
sigaction
getifaddrs
getsockopt
fputs
lseek
strtol
getsockname
connect
gethostname
__poll
regcomp
fchmod
tcgetattr
__strcpy_chk
signal
strspn
strptime
setbuf
memmove
strchr
socket
fread
inet_ntoa
__fxstat
getenv
__errno_location
qsort
mkstemp
dcgettext
strncasecmp
__stack_chk_fail
getnameinfo
__memset_chk
send
strcpy
strtok
freeifaddrs
nanosleep
srand
getuid
__res_nclose
pthread_cond_wait
dladdr
pthread_detach
regfree
__ctype_tolower_loc
memcmp
calloc
globfree
getpwnam_r
feof
writev
fclose
dlopen
recvfrom
strncpy
difftime
localtime_r
__lxstat
dlsym
closedir
__sprintf_chk
strcspn
__snprintf_chk
access
fork
sigemptyset
__res_iclose
fopen64
bind
fwrite
getpwuid_r
perror
rand
gai_strerror
localtime
write
pthread_cond_broadcast
strftime
__strtok_r
__fgets_chk
strtoul
pthread_kill
memcpy
fcntl
glob
open
__vasprintf_chk
getpwnam
__strncat_chk
rename
__fdelt_chk
_IO_putc
mkdir
time
fflush
inet_addr
sync
getservbyname
pthread_key_delete
pthread_key_create
pthread_mutex_unlock
free
pthread_once
pthread_mutex_lock
realloc
pthread_mutex_init
pthread_create
isalnum
isdigit
strcmp
pthread_join
pthread_equal
pthread_getspecific
pthread_mutex_destroy
pthread_setspecific
malloc
pthread_self
isxdigit
chmod
tcsetattr
fileno
dup2
__stpcpy_chk
execv
mktime
memset
ftell
snprintf
dcngettext
inet_pton
__strncpy_chk
close
ioctl
abort
memchr
clock_gettime
__fprintf_chk
isatty
puts
fseek
pthread_cond_signal
__isoc99_sscanf
select
getpeername
exit
__assert_fail
__printf_chk
getaddrinfo
strcasecmp
bindtextdomain
prctl
gettimeofday
setvbuf
__poll_chk
putchar
getopt
read
strncmp
fopen
__libc_start_main
recv
dup
regexec
system
strerror_r
unlink
__memcpy_chk
setsockopt
getpid
fgets
__vsnprintf_chk
__strcat_chk
geteuid
__ctype_toupper_loc
__strdup
fputc
freeaddrinfo
fnmatch
_IO_getc
strlen
__res_ninit
ferror
__asprintf_chk
opendir
__xstat
pthread_cond_init
__vfprintf_chk
__ctype_b_loc
readdir
__tls_get_addr
dlerror
link
sprintf
fdopen
strrchr
__sendmmsg
syscall
pipe
sleep
fsync
dlclose
timegm
poll
gmtime_r
flock
usleep
strerror
strstr
sigaction
getifaddrs
getsockopt
fputs
lseek
strtol
getsockname
connect
gethostname
__poll
regcomp
fchmod
tcgetattr
__strcpy_chk
signal
strspn
strptime
setbuf
memmove
strchr
socket
fread
inet_ntoa
__fxstat
getenv
__errno_location
qsort
mkstemp
dcgettext
strncasecmp
__stack_chk_fail
getnameinfo
__memset_chk
send
strcpy
strtok
freeifaddrs
nanosleep
srand
getuid
__res_nclose
pthread_cond_wait
dladdr
pthread_detach
regfree
__ctype_tolower_loc
memcmp
calloc
globfree
getpwnam_r
feof
writev
fclose
dlopen
recvfrom
strncpy
difftime
localtime_r
__lxstat
dlsym
closedir
__sprintf_chk
strcspn
__snprintf_chk
access
fork
sigemptyset
__res_iclose
fopen64
bind
fwrite
getpwuid_r
perror
rand
gai_strerror
localtime
write
pthread_cond_broadcast
strftime
__strtok_r
__fgets_chk
strtoul
pthread_kill
memcpy
fcntl
glob
open
__vasprintf_chk
getpwnam
__strncat_chk
rename
__fdelt_chk
_IO_putc
mkdir
time
fflush
inet_addr
sync
getservbyname
pthread_key_delete
pthread_key_create
pthread_mutex_unlock
free
pthread_once
pthread_mutex_lock
realloc
pthread_mutex_init
pthread_create
isalnum
isdigit
strcmp
pthread_join
pthread_equal
pthread_getspecific
pthread_mutex_destroy
pthread_setspecific
malloc
pthread_self
isxdigit
Anomalies
Segments
High entropy : PT_LOAD at offset 0x0 - 6.433627
Memory size doubles physical size : PT_LOAD at offset 0x2f9b48
PT_TLS at offset 0x2f9b48
Sections
Uncommon sections : .tbss
section without a name
High entropy : .text - 6.463083
Debug information
False
Comment
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.11) 5.4.0 20160609
Note
GNU : '\xa7\xeb\xfeY\xae\x9d\xf5\xca\xb91K\xefX\xcc\xe0\x8f\x84\xaf\xc5'
Hash
MD5
7f2f76470c90eb2404f22dfcc81b6a97
SHA1
28765b048c9afa942d5a21b8d3f395b20c723667
SHA256
620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976
SHA512
9df72753c72400acf2d5a565688a93e3d3fac768a42deaafc020bcee5a713be129b725da67e5c8c5fb6767915b7db3cea6616fd29f42c043bca0f0d4e7d44685
ssdeep
49152:ZDAiNpVkGtlqZ3T47VwAsOPloEOcTg8t0W8gnly6nUTIjwW/ghgmgOkgMPyXjIx9:ZDAiFWWpOcFj/nlyM3Ah+drhNq
Bytes
Entropy
6.40289782971
Min entropy (16KB blocks)
1.77160579843
Max entropy (16KB blocks)
7.98995447047
Unique bytes (0-255)
256
Null bytes
670546
White spaces
67838
Printable bytes
956450
First 16B
7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Last 16B
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Longest same bytes sequence
Byte : 0x0
Offset : 0x2fa6e6
Length : 4091
Offset : 0x2fa6e6
Length : 4091
Three rarest bytes
0xae - 1839 times
0xa2 - 1809 times
0x8a - 1773 times
0xa2 - 1809 times
0x8a - 1773 times
Three most common bytes
0x0 - 670546 times
0x48 - 116838 times
0xff - 104422 times
0x48 - 116838 times
0xff - 104422 times
File type
Mime type
application/x-executable
File type
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=a7ebfe59ae9df5cab9314bef58cce08f84afc511, stripped
VirusTotal
URL
https://www.virustotal.com/#/file/620635aa9685249c87ead1bb0ad25b096714a0073cfd38a615c5eb63c3761976
Positive
35
Total AVs
60
Scan date
2020-02-20 21:36:06
AVClass
sshbrute
Detection
Kaspersky : HEUR:Backdoor.Linux.Ssh.a
McAfee : GenericRXIK-SD!7F2F76470C90
Qihoo-360 : Linux/Backdoor.6ca
BitDefender : Trojan.Linux.Generic.151688
TrendMicro-HouseCall : Trojan.Linux.SSHBRUTE.B
Ad-Aware : Trojan.Linux.Generic.151688
F-Secure : Malware.LINUX/Agent.ztzyp
Zillya : Trojan.Agent.Linux.2418
NANO-Antivirus : Trojan.Elf64.BtcMine.gvevte
AVG : ELF:BruteForce-I [Trj]
Avira : LINUX/Agent.ztzyp
ClamAV : Unix.Malware.Agent-7443654-0
TrendMicro : Trojan.Linux.SSHBRUTE.B
Antiy-AVL : Trojan[Backdoor]/Linux.Ssh.a
Avast : ELF:BruteForce-I [Trj]
Emsisoft : Trojan.Linux.Generic.151688 (B)
MAX : malware (ai score=82)
Cyren : ELF/Trojan.FHHZ-8
ESET-NOD32 : a variant of Linux/Agent.GF
Symantec : Trojan.Gen.MBT
FireEye : Trojan.Linux.Generic.151688
Arcabit : Trojan.Linux.Generic.D25088
DrWeb : Linux.BtcMine.271
Avast-Mobile : ELF:Agent-AEA [Trj]
Fortinet : PossibleThreat
Sophos : Linux/SSHBrut-A
McAfee-GW-Edition : GenericRXIK-SD!7F2F76470C90
Ikarus : Trojan.Linux.Agent
Microsoft : Trojan:Win32/Occamy.C
ZoneAlarm : HEUR:Backdoor.Linux.Ssh.a
ALYac : Backdoor.Linux.Agent
AhnLab-V3 : Trojan/Linux.Sshbrute.3150056
Jiangmin : Backdoor.Linux.eaon
MicroWorld-eScan : Trojan.Linux.Generic.151688
GData : Trojan.Linux.Generic.151688
McAfee : GenericRXIK-SD!7F2F76470C90
Qihoo-360 : Linux/Backdoor.6ca
BitDefender : Trojan.Linux.Generic.151688
TrendMicro-HouseCall : Trojan.Linux.SSHBRUTE.B
Ad-Aware : Trojan.Linux.Generic.151688
F-Secure : Malware.LINUX/Agent.ztzyp
Zillya : Trojan.Agent.Linux.2418
NANO-Antivirus : Trojan.Elf64.BtcMine.gvevte
AVG : ELF:BruteForce-I [Trj]
Avira : LINUX/Agent.ztzyp
ClamAV : Unix.Malware.Agent-7443654-0
TrendMicro : Trojan.Linux.SSHBRUTE.B
Antiy-AVL : Trojan[Backdoor]/Linux.Ssh.a
Avast : ELF:BruteForce-I [Trj]
Emsisoft : Trojan.Linux.Generic.151688 (B)
MAX : malware (ai score=82)
Cyren : ELF/Trojan.FHHZ-8
ESET-NOD32 : a variant of Linux/Agent.GF
Symantec : Trojan.Gen.MBT
FireEye : Trojan.Linux.Generic.151688
Arcabit : Trojan.Linux.Generic.D25088
DrWeb : Linux.BtcMine.271
Avast-Mobile : ELF:Agent-AEA [Trj]
Fortinet : PossibleThreat
Sophos : Linux/SSHBrut-A
McAfee-GW-Edition : GenericRXIK-SD!7F2F76470C90
Ikarus : Trojan.Linux.Agent
Microsoft : Trojan:Win32/Occamy.C
ZoneAlarm : HEUR:Backdoor.Linux.Ssh.a
ALYac : Backdoor.Linux.Agent
AhnLab-V3 : Trojan/Linux.Sshbrute.3150056
Jiangmin : Backdoor.Linux.eaon
MicroWorld-eScan : Trojan.Linux.Generic.151688
GData : Trojan.Linux.Generic.151688
Data Explore
Paths
/usr/sbiH
/home/buH
~/E1
~/
~/;5Jx
~/D;
/proc/cpuinfo
/var/tmp/.var03522123
/var/tmp/.var03522123
/proc/cpuinfo
/var/tmp/.systemcache436621
/var/tmp/.systemcache436621
/var/tmp/.systemcache436621
/var/tmp;
/var/tmp;
~/.ssh
/var/tmp/dota3.tar.gz
~/.ssh/id_rsa
/var/tmp/.var03522123
/var/tmp/dota*
/home/buffer/cnc/godaddy
/dev/shm/ip
/dev/shm/p
~/.ssh
/etc/ssh/ssh_config
/bin/sh
~/;0
~/
/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines
/dev/urandom
/var/run/egd-pool
/dev/egd-pool
/etc/egd-pool
/etc/entropy
/dev/random
/dev/srandom
/usr/lib/ssl/private
/usr/lib/ssl
/usr/lib/ssl/certs
/usr/lib/ssl/cert.pem
/dev/tty
/usr/local/lib/gss/
/usr/local/etc/gss/mech
/usr/local/etc/gss/mech.d/*.conf
/var/run/.heim_org.h5l.kcm-socket
/usr/local/lib/krb5/plugins/authdata
/usr/local/lib/krb5/plugins
/usr/local/lib
/usr/local/bin
/usr/local/sbin
/etc/krb5.conf:/usr/local/etc/krb5.conf
/usr/local/var/krb5kdc/kdc.conf
/etc/krb5.keytab
/usr/local/var/krb5/user/%{euid}/client.keytab
/usr/local/lib/krb5/plugins/libkrb5
/usr/local/share/locale
/var/tmp
/home/buH
~/E1
~/
~/;5Jx
~/D;
/proc/cpuinfo
/var/tmp/.var03522123
/var/tmp/.var03522123
/proc/cpuinfo
/var/tmp/.systemcache436621
/var/tmp/.systemcache436621
/var/tmp/.systemcache436621
/var/tmp;
/var/tmp;
~/.ssh
/var/tmp/dota3.tar.gz
~/.ssh/id_rsa
/var/tmp/.var03522123
/var/tmp/dota*
/home/buffer/cnc/godaddy
/dev/shm/ip
/dev/shm/p
~/.ssh
/etc/ssh/ssh_config
/bin/sh
~/;0
~/
/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines
/dev/urandom
/var/run/egd-pool
/dev/egd-pool
/etc/egd-pool
/etc/entropy
/dev/random
/dev/srandom
/usr/lib/ssl/private
/usr/lib/ssl
/usr/lib/ssl/certs
/usr/lib/ssl/cert.pem
/dev/tty
/usr/local/lib/gss/
/usr/local/etc/gss/mech
/usr/local/etc/gss/mech.d/*.conf
/var/run/.heim_org.h5l.kcm-socket
/usr/local/lib/krb5/plugins/authdata
/usr/local/lib/krb5/plugins
/usr/local/lib
/usr/local/bin
/usr/local/sbin
/etc/krb5.conf:/usr/local/etc/krb5.conf
/usr/local/var/krb5kdc/kdc.conf
/etc/krb5.keytab
/usr/local/var/krb5/user/%{euid}/client.keytab
/usr/local/lib/krb5/plugins/libkrb5
/usr/local/share/locale
/var/tmp
URLs
http://www.openssl.org/support/faq
IPs (v4 and v6)
::
::
45.9.148.129
45.9.148.125
192.168.0.1
::
::
::
::
::
d::
::
45.9.148.129
45.9.148.125
192.168.0.1
::
::
::
::
::
d::
Code Explore
Nucleus
Number of functions : 7188
Total size functions [B] : 18288754
Average size a function [B] : 2544.34529772
Percentage of covered .text section : 933.167300896 (a coverage figure above 100% means the Nucleus size totals in this block are internally inconsistent; the Eh_frame figures below are the more plausible estimate)
Percentage of covered LOAD segment : 581.423016128
Total size functions [B] : 18288754
Average size a function [B] : 2544.34529772
Percentage of covered .text section : 933.167300896
Percentage of covered LOAD segment : 581.423016128
Eh_frame
Number of functions : 7148
Total size functions [B] : 1629232
Average size a function [B] : 227.928371572
Percentage of covered .text section : 83.1301043239
Percentage of covered LOAD segment : 51.7953811076
Total size functions [B] : 1629232
Average size a function [B] : 227.928371572
Percentage of covered .text section : 83.1301043239
Percentage of covered LOAD segment : 51.7953811076
Sandbox (user)
Standard output
====================================================================== ---------------------->Faster than light<----------------------------- --------------------->use only for testing<---------------...
Standard error
Sandbox (root)
Standard output
====================================================================== ---------------------->Faster than light<----------------------------- --------------------->use only for testing<---------------...
Standard error
Behavior
User behavior
Syscalls
Unique
mmap2
set_tid_address
set_robust_list
exit_group
rt_sigaction
read
munmap
mprotect
arch_prctl
access
write
brk
rt_sigprocmask
close
getrlimit
open
fstat
execve
Unique number
18
Total number
56
Instrumented libc calls
Unique
strchr
Unique number
1
Total number
1
Number of processes
1
Trace lines lost
0
Files being read
/opt/lib/libpthread.so.0
/opt/lib/libdl.so.2
/etc/ld.so.cache
/opt/lib/libc.so.6
/opt/lib/libdl.so.2
/etc/ld.so.cache
/opt/lib/libc.so.6
Max sleep
-1.0
Root behavior
Syscalls
Unique
mmap2
write
set_tid_address
set_robust_list
exit_group
rt_sigaction
read
commit_creds
mprotect
arch_prctl
access
munmap
brk
rt_sigprocmask
close
getrlimit
open
fstat
execve
Unique number
19
Total number
57
Instrumented libc calls
Unique
strchr
Unique number
1
Total number
1
Number of processes
1
Trace lines lost
0
Files being read
/opt/lib/libpthread.so.0
/opt/lib/libdl.so.2
/etc/ld.so.cache
/opt/lib/libc.so.6
/opt/lib/libdl.so.2
/etc/ld.so.cache
/opt/lib/libc.so.6
Max sleep
-1.0