MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d350024fe02082af1292a08153754e73f9755e0c94790bebed57646e123bba0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BillGates


Vendor detections: 6


SHA256 hash: 1d350024fe02082af1292a08153754e73f9755e0c94790bebed57646e123bba0
SHA3-384 hash: 3fddd6d73ffc0b62c8272785d27508f2cede27431a3832771687c158f37410fc9da0b4767e89436fd1ee94ff286c0998
SHA1 hash: c04067f7ad99d272279a0e60eb6a08cdeb7ebb49
MD5 hash: d5aab96628048266bc8aacbabd0a0876
humanhash: spring-johnny-rugby-mango
File name: d5aab96628048266bc8aacbabd0a0876
Signature: BillGates
File size: 1'223'123 bytes
First seen: 2021-10-01 12:34:43 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 24576:e845rGHu6gVJKG75oFpA0VWeX432y1q2rJp0:745vRVJKGtSA0VWeomu9p0
TLSH: T17D456B12FBD0CCB1D84616F5100FDA35D5229677A01BCA4FEA5DCD38BB29181AB1A37E
telfhash: t1e3018946923c19882ea2ed54cc6127d354dbc16a2691e768fb8acdc4994e80af574c0f
Reporter: zbetcheckin
Tags: 32 BillGates elf intel

Intelligence


File Origin
# of uploads: 1
# of downloads: 181
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: true
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 34
Number of processes launched: 61
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour:
Anti-VM
Information Gathering
Kernel Modules

Botnet C2s
TCP botnet C2(s):
103.45.185.68:25999
192.74.254.181:6001
UDP botnet C2(s): not identified

Result
Threat name: BillGates
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes permissions of common UNIX (system) binary directories
Contains symbols with names commonly found in malware
Detected Linux BillGates botnet
Drops files in suspicious directories
Drops invisible ELF files
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Sample tries to persist itself using System V runlevels
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes identical ELF files to multiple locations
Yara detected BillGates
Behaviour
Behavior Graph: ID 495136; sample U2fEmRTPT9; start date 01/10/2021; architecture LINUX; score 100

Network contacts recorded in the graph:
www.mx90.vip (192.74.254.181), ports 37258 and 6001, PEGTECHINCUS, United States
109.202.202.202, port 80, INIT7CH, Switzerland
3 other IPs or domains
Signatures at the root node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 6 other signatures

Process tree recorded in the graph:
U2fEmRTPT9 starts a second U2fEmRTPT9 instance, which drops /tmp/gates.lod (ASCII) and /etc/init.d/DbSecuritySpt (Bourne-Again) and triggers: Detected Linux BillGates botnet; Drops files in suspicious directories; Opens /proc/net/* files useful for finding connected devices and routers. It then launches further U2fEmRTPT9 and sh children plus 11 other processes.
sh -> cp drops /usr/bin/.sshd (ELF) and /usr/bin/bsd-port/getty (ELF), triggering: Writes identical ELF files to multiple locations; Drops invisible ELF files; Drops files in suspicious directories.
sh -> ln (two instances, plus 8 other processes) triggers: Sample tries to persist itself using System V runlevels.
sh -> getty -> getty drops /usr/bin/bsd-port/getty.lock (ASCII), /usr/bin/bsd-port/conf.n (data) and /etc/init.d/selinux (Bourne-Again), triggering: Drops files in suspicious directories; Opens /proc/net/* files useful for finding connected devices and routers. getty then launches three getty -> sh children and 40 other processes.
sh -> .sshd -> .sshd drops /tmp/moni.lod (ASCII) and triggers: Detected Linux BillGates botnet.
The getty -> sh children each run cp (plus 37 other processes), dropping /usr/bin/dpkgd/netstat (ELF), /usr/bin/dpkgd/lsof (ELF), /usr/bin/ss (ELF), /usr/bin/ps (ELF), /usr/bin/netstat (ELF) and 3 other malicious files, triggering: Writes identical ELF files to multiple locations; Drops files in suspicious directories; Sample tries to persist itself using System V runlevels; Changes permissions of common UNIX (system) binary directories.
Threat name: Linux.Backdoor.Setag
Status: Malicious
First seen: 2021-09-25 15:20:01 UTC
AV detection: 22 of 28 (78.57%)
Threat level: 5/5

Result
Malware family: mrblack
Score: 10/10
Tags: family:mrblack linux suricata

Behaviour
Reads runtime system information
Writes file to tmp directory
Writes file to user bin folder
Writes file to system bin folder
suricata: ET MALWARE Linux/BillGates Checkin Response
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: BillGates
Sample: elf 1d350024fe02082af1292a08153754e73f9755e0c94790bebed57646e123bba0 (this sample)

Delivery method
Distributed via web download

Comments