MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 940ea36c95934bc5293f43894ff5af8cd4c35c15dcf2f4032a9bf87050678406. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GoBrut


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 940ea36c95934bc5293f43894ff5af8cd4c35c15dcf2f4032a9bf87050678406
SHA3-384 hash: f8f8afd1287d6e22418948ebdb5cfa1e9db042c3415e6ca1a0fb94c33f210625fab6c72c2f4a9a44803e2e31c5ccb346
SHA1 hash: 2da956bfa7db43218ba0b4469acf4a3f67a9da3a
MD5 hash: e27f183578d17738b5fab27fa1f7b207
humanhash: texas-finch-may-mirror
File name:Linux_x86
Download: download sample
Signature GoBrut
Create hunting rule
File size:2'228'748 bytes
First seen:2022-05-03 01:42:54 UTC
Last seen:2022-11-07 22:22:02 UTC
File type: elf
MIME type:application/x-executable
ssdeep 49152:rdfjEIRbloS+0dpxtdDNqJ4I5y4CIuuzz:rNjEIxiSbpxteJ4Q7LuI
TLSH T108A533C6AE12E474D31709D500FE67CFFAADFB4A03849D5747AAEE1402447A6CAD03AD
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Reporter 1ZRR4H
Tags:82.165.106.79 92.255.85.17 elf GoBrut Linux_x86 StealthWorker

Intelligence

File Origin
# of uploads :
5
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Unix.Trojan.Generic-9916333-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug gafgyt mirai stealthworker
Link:
https://www.filescan.io/uploads/627088a8801e66012b222555/reports/1f4f2266-3d0d-48cc-b84b-a1ba7a898395/overview
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
true
Architecture:
x86
Packer:
UPX
Botnet:
unknown
Number of open files:
20
Number of processes launched:
417
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/940ea36c95934bc5293f43894ff5af8cd4c35c15dcf2f4032a9bf87050678406
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s):
92.255.85.17:8888
UDP botnet C2(s):
not identified
Result
Verdict:
MALICIOUS
Malware family:
gobrut
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e7870715-8523-480a-bd1c-0948c5afe8b3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/986791
Signature
Antivirus / Scanner detection for submitted sample
Connects to many IPs within the same subnet mask (likely port scanning)
Executes the "crontab" command typically for achieving persistence
Multi AV Scanner detection for submitted file
Passes username and password via HTTP get
Performs DNS queries to domains with low reputation
Sample is packed with UPX
Sample tries to persist itself using cron
Snort IDS alert for network traffic
Tries to resolve many domain names, but no domain seems valid
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 619281 Sample: Linux_x86 Startdate: 03/05/2022 Architecture: LINUX Score: 96 62 www.silvernbox.com 2->62 64 misteretec.com 2->64 66 2174 other IPs or domains 2->66 68 Snort IDS alert for network traffic 2->68 70 Antivirus / Scanner detection for submitted sample 2->70 72 Multi AV Scanner detection for submitted file 2->72 76 5 other signatures 2->76 9 systemd mandb Linux_x86 2->9         started        11 systemd logrotate 2->11         started        13 systemd install 2->13         started        15 systemd find 2->15         started        signatures3 74 Tries to resolve many domain names, but no domain seems valid 64->74 process4 process5 17 Linux_x86 Linux_x86 9->17         started        20 Linux_x86 cat 9->20         started        22 Linux_x86 cat 9->22         started        32 2 other processes 9->32 24 logrotate sh 11->24         started        26 logrotate sh 11->26         started        28 logrotate gzip 11->28         started        30 logrotate gzip 11->30         started        file6 58 /tmp/nip9iNeiph5chee, ASCII 17->58 dropped 34 Linux_x86 crontab 17->34         started        38 Linux_x86 cat 17->38         started        40 Linux_x86 cat 17->40         started        46 2 other processes 17->46 42 sh invoke-rc.d 24->42         started        44 sh rsyslog-rotate 26->44         started        process7 file8 60 /var/spool/cron/crontabs/tmp.5y8Djg, ASCII 34->60 dropped 78 Sample tries to persist itself using cron 34->78 80 Executes the "crontab" command typically for achieving persistence 34->80 48 invoke-rc.d runlevel 42->48         started        50 invoke-rc.d systemctl 42->50         started        52 invoke-rc.d ls 42->52         started        54 invoke-rc.d systemctl 42->54         started        56 rsyslog-rotate systemctl 44->56         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/940ea36c95934bc5293f43894ff5af8cd4c35c15dcf2f4032a9bf87050678406/
Threat name:
Linux.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2021-11-15 17:51:19 UTC
File Type:
ELF32 Little (Exe)
AV detection:
17 of 42 (40.48%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
linux
Link:
https://tria.ge/reports/220503-b4865sfbg4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/940ea36c95934bc5293f43894ff5af8cd4c35c15dcf2f4032a9bf87050678406

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments