Linux Analysis Report
SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf

Overview

General Information

Sample name: SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf
Analysis ID: 1430163
MD5: a7bbd9d15d98cabc448db9d9631a5955
SHA1: 3665a8652b068332615ddd1d2e9a19b63f0d2475
SHA256: 3f0df94d07c25f6ede17cef36aa664c0c0240f875446733323a1bfda64413bd1
Tags: elf
Infos:

Detection

Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Queries the IP of a very long domain name
Sample deletes itself
Sample tries to kill multiple processes (SIGKILL)
Deletes log files
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf Virustotal: Detection: 15% Perma Link
Machine Learning detection for sample
Source: SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf Joe Sandbox ML: detected
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6299) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior

Networking
barindex
Queries the IP of a very long domain name
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'f66PV,PV!E((4G/3M5Ng/yV'fDVVPV!PV,EHp@@.=3M54ysexsecure-cyber-securitys.'f6)66PV,PV!E((4o/3M5eyV'f*VVP.!PV,EHp@@>,3M54xysexsecure-cyber-securitysV'.66PV,PV!E((4/p3M5eyV'fVVPV!PV,EHq.@>3M54xysexsecure-cyber-securitys..'f&66PV,PV!E((4/g3M5 iyV'fA'VVP.!PV,EHq@@=3M54ysexsecure-cyber-securitysV'.66PV,PV!E((4/`3M5gyV'fJJJPV!PV,E<.@YF]#V'f6
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'f6)66PV,PV!E((4o/3M5eyV'f*VVPV!PV,EHp@@.,3M54xysexsecure-cyber-securitys.'f66PV,PV!E((4/p3M5eyV'fVVP.!PV,EHq@@>3M54xysexsecure-cyber-securitysV'.&66PV,PV!E((4/g3M5 iyV'fA'VVPV!PV,EHq.@=3M54ysexsecure-cyber-securitys..'f66PV,PV!E((4/`3M5gyV'fJJJP.!PV,E<@@YF]#V'f66
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'f66PV,PV!E((4/p3M5eyV'fVVPV!PV,EHq@@.3M54xysexsecure-cyber-securitys.'f&66PV,PV!E((4/g3M5 iyV'fA'VVP.!PV,EHq@@=3M54ysexsecure-cyber-securitysV'.66PV,PV!E((4/`3M5gyV'fJJJPV!PV,E<.@YF]#V'f6
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'f&66PV,PV!E((4/g3M5 iyV'fA'VVPV!PV,EHq@@.3M54ysexsecure-cyber-securitys.V'f66PV,PV.E((4/`3M5gy
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'f66PV,PV!E((4/`3M5gyV'fJJJPV!PV,E<@@.F]#V'f66PV,PV!E((@0.F]P..'fN9BBPV!PV,E4a@@_T[[+T>V48_iV'fY.W.PV!PV,EI@@3;55{securityrebirth-networksu...'fzeWWPV,PV!E(I2T3;55securityrebirth-.etworksuV'ffWWPV!PV,EI@@3;Y55\securityrebirth-network.uV'fWWPV,PV!E(I2T3;5Y5securityrebirth-networksuV'fY.WW.V!PV,EI@@3;)55~securityrebirth-networksu
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.V'f66PV,PV!EH(~4{n5PV'fNNPV!PV,E@.@@5,Nkzadolf.itlersunV'fjI66PV,PV!EH(~3|E5@V'fTJNNPV.PV,E@P@@H5
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.V'fjI66PV,PV!EH(~3|E5@V'fTJNNPV!PV,E@.@@H5,}kzadolfhitlersunV'f_66PV,
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.V'f_66PV,PV!EH(~4{!5HV'fNNPV!PV,E@.@@@5,#kzadolfhitlersunV'f<V66PV,PV!EH(4{
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.V'f<V66PV,PV!EH(4{5@V'fWNNPV!PV,E@.@@=5,kzadolfhitlersunV'f66PV,PV!EH(3|5
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.V'f66PV,PV!EH(3|5=V'fkJJPV!PV,E<.@@OjF4#jV'f
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.!V'fVVPV,PV!EHH3$W54]sexsecure-cyber-securitys!V'f.JPV!PV,E<@@wFqg#
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.#V'fNNPV,PV!E(@3L3l5Y,p\kzadolfhitlersus#V'fJJJ
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.OV'fNNPV,PV!EH@3$W5,SkzadolfhitlersunOV'fcJ
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.dV'fNNPV!PV,E@O@@WD^r5,PkzadolfhitlersuniV'f%N
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.iV'f%NNPV!PV,E@P]@@V^r5,sPkzadolfhitlersunmV'fJ
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.mV'fJJPV!PV,E<R]@;E '@@<JUPINGnV'f`$NN
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.sV'f)NNPV!PV,E@S@@SF^r5,PkzadolfhitlersunxV'f;J
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.xV'f;JJPV!PV,E<7@@XpFaQD.#+xV'f466
Source: unknown DNS traffic detected: query: sex.secure-cyber-security.V'fVVPV,PV!EHH3d$W54+dsexsecure-cyber-securitysV'f.JPV!PV,E<@@#F6#H
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.V'fe66PV,PV!EH(6f5Oz)V'f/gNNPV!PV,E@C@@
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.V'f66PV,PV!EH(6?5y>)V'fPNNPV!PV,E@i@@
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.V'fV66PV,PV!EH(65G)V'fNNPV!PV,E@u@@
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.V'fW66PV,PV!EH(652)V'f3NNPV!PV,E@@@
Source: unknown DNS traffic detected: query: kz.adolfhitler.su.V'f0h66PV,PV!EH(65;I)V'fhJJPV!PV,E<t@@
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:55764 -> 212.70.149.14:35342
Source: global traffic TCP traffic: 192.168.2.23:41852 -> 0.4.0.4:35342
Sample listens on a socket
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6218) Socket: 127.0.0.1::8345 Jump to behavior
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 0.4.0.4
Source: unknown TCP traffic detected without corresponding DNS query: 0.4.0.4
Source: unknown TCP traffic detected without corresponding DNS query: 0.4.0.4
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 0.4.0.4
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 0.4.0.4
Source: unknown TCP traffic detected without corresponding DNS query: 0.4.0.4
Source: unknown TCP traffic detected without corresponding DNS query: 0.4.0.4
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 0.4.0.4
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown TCP traffic detected without corresponding DNS query: 212.70.149.14
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 134.195.4.2
Source: unknown UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown UDP traffic detected without corresponding DNS query: 51.77.149.139
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 51.254.162.59
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 178.254.22.166
Source: unknown UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown UDP traffic detected without corresponding DNS query: 91.217.137.37
Source: unknown DNS traffic detected: queries for: security.rebirth-network.su
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 6222.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_564b8eda Author: unknown
Source: 6218.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_564b8eda Author: unknown
Source: 6221.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_564b8eda Author: unknown
Source: 6223.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_564b8eda Author: unknown
Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1 (init), result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 491, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 721, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 761, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 774, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 777, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 785, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 793, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 797, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1320, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1344, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1389, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1476, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1601, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1809, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1860, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1886, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1888, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1983, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 2038, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 4498, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6034, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6196, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6197, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6221, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6222, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6223, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6224, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6246, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6258, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6260, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6261, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6262, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6265, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6266, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6267, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6268, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6269, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6270, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6271, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6272, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6273, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6274, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6275, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6276, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6277, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6281, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6282, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6283, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6284, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6285, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6286, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6290, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6293, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6295, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6298, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6299, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6300, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6301, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6302, result: no such process Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6303, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6304, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6305, result: no such process Jump to behavior
Sample contains only a LOAD segment without any section mappings
Source: LOAD without section mappings Program segment: 0x400000
Sample tries to kill a process (SIGKILL)
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1 (init), result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 491, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 721, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 761, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 774, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 777, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 785, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 793, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 797, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1320, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1344, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1389, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1476, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1601, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1809, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1860, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1886, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1888, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 1983, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 2038, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 4498, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6034, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6196, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6197, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6221, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6222, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6223, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6224, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6246, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6258, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6260, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6261, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6262, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6265, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6266, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6267, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6268, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6269, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6270, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6271, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6272, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6273, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6274, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6275, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6276, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6277, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6281, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6282, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6283, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6284, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6285, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6286, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6290, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6293, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6295, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6298, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6299, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6300, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6301, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6302, result: no such process Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6303, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6304, result: successful Jump to behavior
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6220) SIGKILL sent: pid: 6305, result: no such process Jump to behavior
Yara signature match
Source: 6222.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_564b8eda reference_sample = ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 63a9e43902e7db0b7a20498b5a860e36201bacc407e9e336faca0b7cfbc37819, id = 564b8eda-6f0e-45b8-bef6-d61b0f090a36, last_modified = 2021-09-16
Source: 6218.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_564b8eda reference_sample = ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 63a9e43902e7db0b7a20498b5a860e36201bacc407e9e336faca0b7cfbc37819, id = 564b8eda-6f0e-45b8-bef6-d61b0f090a36, last_modified = 2021-09-16
Source: 6221.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_564b8eda reference_sample = ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 63a9e43902e7db0b7a20498b5a860e36201bacc407e9e336faca0b7cfbc37819, id = 564b8eda-6f0e-45b8-bef6-d61b0f090a36, last_modified = 2021-09-16
Source: 6223.1.0000000000400000.0000000000416000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_564b8eda reference_sample = ff04921d7bf9ca01ae33a9fc0743dce9ca250e42a33547c5665b1c9a0b5260ee, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 63a9e43902e7db0b7a20498b5a860e36201bacc407e9e336faca0b7cfbc37819, id = 564b8eda-6f0e-45b8-bef6-d61b0f090a36, last_modified = 2021-09-16
Source: classification engine Classification label: mal72.spre.troj.evad.linELF@0/0@44/0
Executes commands using a shell command-line interpreter
Source: /usr/bin/gpu-manager (PID: 6291) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6296) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 6297) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /usr/share/gdm/generate-config (PID: 6287) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 6294) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 6299) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 6302) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 6305) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf (PID: 6218) File: /tmp/SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf Jump to behavior
ELF contains segments with high entropy indicating compressed/encrypted content
Source: SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf Submission file: segment LOAD with 7.8087 entropy (max. 8.0)
Source: SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf Submission file: segment LOAD with 7.9722 entropy (max. 8.0)
Deletes log files
Source: /usr/bin/gpu-manager (PID: 6285) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6290) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6295) Truncated file: /var/log/gpu-manager.log Jump to behavior
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6299) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf, 6223.1.0000000000f12000.0000000000f15000.rw-.sdmp Binary or memory string: /tmp/vmware-root_721-4290559889
Source: SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf, 6223.1.0000000000f11000.0000000000f12000.rw-.sdmp Binary or memory string: vmware-root_721-4290559889
Source: SecuriteInfo.com.Linux.Siggen.7251.3492.11320.elf, 6223.1.0000000000f12000.0000000000f15000.rw-.sdmp Binary or memory string: `A/tmp/vmware-root_721-4290559889A

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
212.70.149.14
 unknown Bulgaria
208410 INTERNET-HOSTINGBG false
0.4.0.4
 unknown unknown
unknown unknown false
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted Domains

Name IP Active
kz.adolfhitler.su.V'fW66PV,PV!EH(652)V'f3NNPV!PV,E@@@ unknown unknown
sex.secure-cyber-security.!V'fVVPV,PV!EHH3$W54]sexsecure-cyber-securitys!V'f.JPV!PV,E<@@wFqg# unknown unknown
sex.secure-cyber-security.V'f66PV,PV!E((4G/3M5Ng/yV'fDVVPV!PV,EHp@@.=3M54ysexsecure-cyber-securitys.'f6)66PV,PV!E((4o/3M5eyV'f*VVP.!PV,EHp@@>,3M54xysexsecure-cyber-securitysV'.66PV,PV!E((4/p3M5eyV'fVVPV!PV,EHq.@>3M54xysexsecure-cyber-securitys..'f&66PV,PV!E((4/g3M5 iyV'fA'VVP.!PV,EHq@@=3M54ysexsecure-cyber-securitysV'.66PV,PV!E((4/`3M5gyV'fJJJPV!PV,E<.@YF]#V'f6 unknown unknown
kz.adolfhitler.su.V'f_66PV,PV!EH(~4{!5HV'fNNPV!PV,E@.@@@5,#kzadolfhitlersunV'f<V66PV,PV!EH(4{ unknown unknown
kz.adolfhitler.su.V'f<V66PV,PV!EH(4{5@V'fWNNPV!PV,E@.@@=5,kzadolfhitlersunV'f66PV,PV!EH(3|5 unknown unknown
kz.adolfhitler.su.V'fjI66PV,PV!EH(~3|E5@V'fTJNNPV!PV,E@.@@H5,}kzadolfhitlersunV'f_66PV, unknown unknown
kz.adolfhitler.su.V'fe66PV,PV!EH(6f5Oz)V'f/gNNPV!PV,E@C@@ unknown unknown
sex.secure-cyber-security.V'f&66PV,PV!E((4/g3M5 iyV'fA'VVPV!PV,EHq@@.3M54ysexsecure-cyber-securitys.V'f66PV,PV.E((4/`3M5gy unknown unknown
kz.adolfhitler.su.V'f66PV,PV!EH(6?5y>)V'fPNNPV!PV,E@i@@ unknown unknown
kz.adolfhitler.su.V'f0h66PV,PV!EH(65;I)V'fhJJPV!PV,E<t@@ unknown unknown
kz.adolfhitler.su.xV'f;JJPV!PV,E<7@@XpFaQD.#+xV'f466 unknown unknown
sex.secure-cyber-security.V'fVVPV,PV!EHH3d$W54+dsexsecure-cyber-securitysV'f.JPV!PV,E<@@#F6#H unknown unknown
kz.adolfhitler.su.V'f66PV,PV!EH(3|5=V'fkJJPV!PV,E<.@@OjF4#jV'f unknown unknown
security.rebirth-network.su unknown unknown
sex.secure-cyber-security.V'f66PV,PV!E((4/p3M5eyV'fVVPV!PV,EHq@@.3M54xysexsecure-cyber-securitys.'f&66PV,PV!E((4/g3M5 iyV'fA'VVP.!PV,EHq@@=3M54ysexsecure-cyber-securitysV'.66PV,PV!E((4/`3M5gyV'fJJJPV!PV,E<.@YF]#V'f6 unknown unknown
kz.adolfhitler.su.V'f66PV,PV!EH(~4{n5PV'fNNPV!PV,E@.@@5,Nkzadolf.itlersunV'fjI66PV,PV!EH(~3|E5@V'fTJNNPV.PV,E@P@@H5 unknown unknown
kz.adolfhitler.su.sV'f)NNPV!PV,E@S@@SF^r5,PkzadolfhitlersunxV'f;J unknown unknown
kz.adolfhitler.su.OV'fNNPV,PV!EH@3$W5,SkzadolfhitlersunOV'fcJ unknown unknown
kz.adolfhitler.su.dV'fNNPV!PV,E@O@@WD^r5,PkzadolfhitlersuniV'f%N unknown unknown
sex.secure-cyber-security.V'f66PV,PV!E((4/`3M5gyV'fJJJPV!PV,E<@@.F]#V'f66PV,PV!E((@0.F]P..'fN9BBPV!PV,E4a@@_T[[+T>V48_iV'fY.W.PV!PV,EI@@3;55{securityrebirth-networksu...'fzeWWPV,PV!E(I2T3;55securityrebirth-.etworksuV'ffWWPV!PV,EI@@3;Y55\securityrebirth-network.uV'fWWPV,PV!E(I2T3;5Y5securityrebirth-networksuV'fY.WW.V!PV,EI@@3;)55~securityrebirth-networksu unknown unknown
kz.adolfhitler.su.iV'f%NNPV!PV,E@P]@@V^r5,sPkzadolfhitlersunmV'fJ unknown unknown
kz.adolfhitler.su.#V'fNNPV,PV!E(@3L3l5Y,p\kzadolfhitlersus#V'fJJJ unknown unknown
sex.secure-cyber-security.V'f6)66PV,PV!E((4o/3M5eyV'f*VVPV!PV,EHp@@.,3M54xysexsecure-cyber-securitys.'f66PV,PV!E((4/p3M5eyV'fVVP.!PV,EHq@@>3M54xysexsecure-cyber-securitysV'.&66PV,PV!E((4/g3M5 iyV'fA'VVPV!PV,EHq.@=3M54ysexsecure-cyber-securitys..'f66PV,PV!E((4/`3M5gyV'fJJJP.!PV,E<@@YF]#V'f66 unknown unknown
kz.adolfhitler.su.mV'fJJPV!PV,E<R]@;E '@@<JUPINGnV'f`$NN unknown unknown
kz.adolfhitler.su.V'fV66PV,PV!EH(65G)V'fNNPV!PV,E@u@@ unknown unknown