MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81b654d71009658fa0fa4f4fcb6b9092ae02a513f0484fe7a844bf2585157c7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ConnectBack


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81b654d71009658fa0fa4f4fcb6b9092ae02a513f0484fe7a844bf2585157c7a
SHA3-384 hash: 1b8e16920199840b27f74c4a95c4e422753af613c1fdfe6c12d2b9561391a6bee202951e6084dcac1d4576e7d94e727d
SHA1 hash: cdc48dedc563070f169b0ba12e4a5e68206a5495
MD5 hash: 96057e8ed8044efb8f0d9652e6266ec3
humanhash: five-wisconsin-artist-timing
File name:96057e8ed8044efb8f0d9652e6266ec3
Download: download sample
Signature ConnectBack
Create hunting rule
File size:250 bytes
First seen:2024-05-06 19:14:36 UTC
Last seen:2024-05-07 00:59:34 UTC
File type: elf
MIME type:application/x-executable
ssdeep 6:BnX//In8/r1uBxHocmTT9Q3RQdygg5XJYD:BvwncrAH3mi532D
TLSH T112D080330B0A40DBDAE4063F6574596CD77B8A76574A76310850DC010C096045F52D75
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter zbetcheckin
Tags:64 ConnectBack elf

Intelligence

File Origin
# of uploads :
2
# of downloads :
110
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
Unix.Backdoor.Msfvenom-10012672-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
x86
Packer:
UPX
Botnet:
unknown
Number of open files:
0
Number of processes launched:
1
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/81b654d71009658fa0fa4f4fcb6b9092ae02a513f0484fe7a844bf2585157c7a
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b3aae6c-4b96-4a84-9e3d-07692161870f
Result
Threat name:
ConnectBack
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1436990
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected ConnectBack
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
ELF
Link:
https://malprob.io/report/81b654d71009658fa0fa4f4fcb6b9092ae02a513f0484fe7a844bf2585157c7a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81b654d71009658fa0fa4f4fcb6b9092ae02a513f0484fe7a844bf2585157c7a/
Threat name:
Linux.Backdoor.ConnectBack
Create hunting rule
Status:
Malicious
First seen:
2024-04-30 12:18:18 UTC
File Type:
ELF64 Little (Exe)
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qg3fjvyqbfsy7ih2j5h4w24qskxafjit6bee7z5iis7slbivpr5a._file
Result
Malware family:
connectback
Create hunting rule
Score:
  10/10
Tags:
family:connectback linux
Link:
https://tria.ge/reports/240506-xx766aab44/
Malware Config
C2 Extraction:
154.40.57.241:9901
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.29
Link:
https://yomi.yoroi.company/submissions/81b654d71009658fa0fa4f4fcb6b9092ae02a513f0484fe7a844bf2585157c7a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ConnectBack

elf 81b654d71009658fa0fa4f4fcb6b9092ae02a513f0484fe7a844bf2585157c7a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2840801/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments


Avatar
zbet commented on 2024-05-06 19:14:36 UTC

url : hxxp://154.40.47.195:9000/apach