MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd0141e88a0d56b508bc52db4dab68a49b6027a486e4d9514ec0db006fe71eed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 7

SHA256 hash: bd0141e88a0d56b508bc52db4dab68a49b6027a486e4d9514ec0db006fe71eed
SHA3-384 hash: d93ab6d15b987ba30af3ceab0c15d93c2f5d8485c13a314739ad309363a9fb5f43ac95433174290423f58e9146f6a692
SHA1 hash: 23c56da0cdddc664980705c4d14cb2579a970eed
MD5 hash: 5e11432c30783b184dc2bf27aa1728b4
humanhash: kilo-blossom-montana-cup
File name: bd0141e88a0d56b508bc52db4dab68a49b6027a486e4d9514ec0db006fe71eed
File size: 865'144 bytes
First seen: 2022-01-11 23:53:48 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 24576:170drUZ5Z48iZVdjajDA0KNZmHEW4qNJt:176sZ48iZVdjajDA0KNZmHEW4q3t
TLSH: T168052C7775C10EE6D4CEBDB82DD785E3A860FCD28209205AB7DA89219B87DC01F1D762
telfhash: t181e0d107da4a0edb7cd2d2a194463a4ba3226160d90084407f6d4bd5c875328e114c5c
Reporter: Arkbird_SOLG
Tags: backdoor elf SysJoker

Intelligence


File Origin
# of uploads: 1
# of downloads: 536
Origin country: n/a
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 60%
Tags: control.exe print.exe tracker.exe update.exe
Verdict: Malicious
Uses P2P?: false
Uses anti-vm?: false
Architecture: x86
Packer: not packed
Botnet: unknown
Number of open files: 13
Number of processes launched: 1
Processes remaining?: false
Remote TCP ports scanned: not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s): not identified
UDP botnet C2(s): not identified
Result
Verdict: UNKNOWN
Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 64 / 100
Signature
Executes the "crontab" command typically for achieving persistence
Executes the "ifconfig" command used to gather network information
Multi AV Scanner detection for submitted file
Sample tries to persist itself using cron
Writes ELF files to hidden directories
Behaviour
Behavior Graph:
Behavior Graph ID: 551275
Sample: psO5Q4nOUG
Startdate: 12/01/2022
Architecture: LINUX
Score: 64

Network (DNS / IP nodes):
  109.202.202.202, port 80 (INIT7CH, Switzerland)
  graphic-updater.com -> 23.254.131.176, ports 36106, 36108, 36110 (HOSTWINDSUS, United States)
  6 other IPs or domains

Signature attached to the sample node: Multi AV Scanner detection for submitted file

Process tree (edges as given in the graph; node labels kept verbatim, dropped files and signatures listed under the process that triggered them):
  systemd mandb psO5Q4nOUG (started)
    psO5Q4nOUG sh
      sh crontab
        dropped: /var/spool/cron/crontabs/tmp.UWWGtW (ASCII)
        Sample tries to persist itself using cron
        Executes the "crontab" command typically for achieving persistence
      sh
        sh crontab
          Executes the "crontab" command typically for achieving persistence
    psO5Q4nOUG sh
      sh nohup updateSystem
        updateSystem sh
          sh crontab
            Executes the "crontab" command typically for achieving persistence
          sh egrep grep
          sh grep
        updateSystem sh
          sh ifconfig
            Executes the "ifconfig" command used to gather network information
          3 other processes
        updateSystem sh
          2 other processes
        3 other processes
          sh id
          sh whoami
          sh uname
    psO5Q4nOUG sh
      sh cp
        dropped: /.Library/SystemServices/updateSystem (ELF)
        Writes ELF files to hidden directories
    3 other processes
      sh crontab
      sh egrep grep
      3 other processes
  systemd logrotate
    logrotate sh
      sh invoke-rc.d
        invoke-rc.d runlevel
        invoke-rc.d systemctl
        2 other processes
    logrotate sh
      sh rsyslog-rotate
        rsyslog-rotate systemctl
    logrotate gzip
    logrotate gzip
  systemd install
  10 other processes
Threat name: Linux.Trojan.SysJoker
Status: Malicious
First seen: 2021-12-30 20:03:44 UTC
File Type: ELF64 Little (Exe)
AV detection: 19 of 28 (67.86%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments