MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8191c27aa7d7a53cb39d674dfc6391219a881b5bcadcc45afca76ea10bbf38ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BillGates


Vendor detections: 7



SHA256 hash: 8191c27aa7d7a53cb39d674dfc6391219a881b5bcadcc45afca76ea10bbf38ae
SHA3-384 hash: 764b77f68b8a490ca9904ca3a53e2d202bfce316e213852717d91562130ca3372cf34f94fac4d0e7bc2fc8135810799a
SHA1 hash: e89584c2b09d4563ea26106b3f7a3d924092034a
MD5 hash: c79065c085dd2b7aeaf5563244572d04
humanhash: failed-comet-ten-queen
File name: c79065c085dd2b7aeaf5563244572d04
Signature: BillGates
File size: 1'223'123 bytes
First seen: 2022-02-20 09:58:22 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 24576:e845rGHu6gVJKG75oFpA0VWIX4A2y1q2rJp0:745vRVJKGtSA0VWIo3u9p0
TLSH: T134456B12FBD0CCB1D84616B5100FDA35D5229677A01BCA4FEA5DCD38BB29181AB1A37E
telfhash: t1e3018946923c19882ea2ed54cc6127d354dbc16a2691e768fb8acdc4994e80af574c0f
Reporter: zbetcheckin
Tags: 32 BillGates elf intel

Intelligence


File Origin
# of uploads: 1
# of downloads: 259
Origin country: n/a
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: remote.exe

Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: true
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 34
Number of processes launched: 61
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour: Anti-VM, Information Gathering, Kernel Modules
Botnet C2s
TCP botnet C2(s): 101.33.238.116:25000
UDP botnet C2(s): not identified

Result
Verdict: MALICIOUS

Result
Threat name: BillGates
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes permissions of common UNIX (system) binary directories
Contains symbols with names commonly found in malware
Detected Linux BillGates botnet
Drops files in suspicious directories
Drops invisible ELF files
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Opens /proc/net/* files useful for finding connected devices and routers
Sample tries to persist itself using System V runlevels
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes identical ELF files to multiple locations
Yara detected BillGates
Behaviour
Behavior Graph (image not reproduced): ID 575260, sample dycJTHzLbq, start date 20/02/2022, architecture LINUX, score 100. Information recoverable from the graph:
Network: 101.33.238.116 (ports 25000, 35216; TENCENT-NET-AP-CN, China), www.jkx3.com, and 4 other IPs or domains
Dropped files: /tmp/gates.lod (ASCII), /etc/init.d/DbSecuritySpt (Bourne-Again), /usr/bin/.sshd (ELF), /usr/bin/bsd-port/getty (ELF), /usr/bin/bsd-port/getty.lock (ASCII), /etc/init.d/selinux (Bourne-Again), /tmp/moni.lod (ASCII), /usr/bin/dpkgd/netstat (ELF), /usr/bin/dpkgd/lsof (ELF), /usr/bin/ss (ELF), /usr/bin/ps (ELF), /usr/bin/netstat (ELF), and 3 other malicious files
Process tree: dycJTHzLbq starts copies of itself plus sh, cp and ln children; the dropped getty and .sshd binaries are then started and launch further sh/cp chains (over 40 additional processes in total)
Signatures shown on the graph: Snort IDS alert for network traffic, Malicious sample detected (through community Yara rule), Antivirus detection for dropped file, Detected Linux BillGates botnet, Drops files in suspicious directories, Opens /proc/net/* files, Writes identical ELF files to multiple locations, Drops invisible ELF files, Sample tries to persist itself using System V runlevels, Changes permissions of common UNIX (system) binary directories, and 6 other signatures
Threat name: Linux.Backdoor.Setag
Status: Malicious
First seen: 2022-02-20 09:59:07 UTC
File Type: ELF32 Little (Exe)
AV detection: 21 of 28 (75.00%)
Threat level: 5/5

Result
Malware family: mrblack
Score: 10/10
Tags: family:mrblack linux suricata
Behaviour
Reads runtime system information
Writes file to tmp directory
Writes file to user bin folder
Writes file to system bin folder
suricata: ET MALWARE Linux/BillGates Checkin Response
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: BillGates
File type: elf
SHA256 hash: 8191c27aa7d7a53cb39d674dfc6391219a881b5bcadcc45afca76ea10bbf38ae (this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2022-02-20 09:58:24 UTC

url: hxxp://107.189.13.118/u0x