Edit tour
Linux
Analysis Report
h9UrfXfX6V
Overview
General Information
Sample name: | h9UrfXfX6Vrenamed because original name is a hash value |
Original sample name: | 55ab7aa2ceadb3d30784123f2d534fdf |
Analysis ID: | 1431426 |
MD5: | 55ab7aa2ceadb3d30784123f2d534fdf |
SHA1: | 9ee7550820cf2b979387f545337a85e51e50a853 |
SHA256: | 50ea64265c5bff72a5e5aa49dc6b27ada334666cde1807f30b5ec131e6bfcf3c |
Errors
|
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Signatures
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
ELF contains segments with high entropy indicating compressed/encrypted content
Sample has stripped symbol table
Classification
Analysis Advice
Static ELF header machine description suggests that the sample might not execute correctly on this machine. |
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures. |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1431426 |
Start date and time: | 2024-04-25 04:57:46 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 33s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultlinuxfilecookbook.jbs |
Analysis system description: | Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 88.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171) |
Analysis Mode: | default |
Sample name: | h9UrfXfX6Vrenamed because original name is a hash value |
Original Sample Name: | 55ab7aa2ceadb3d30784123f2d534fdf |
Detection: | MAL |
Classification: | mal56.lin@0/0@0/0 |
- No process behavior to analyse as no analysis process or sample was found
- Connection to analysis system has been lost, crash info: Unknown
⊘No yara matches
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira: |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | .symtab present: |
Source: | Classification label: |
Source: | Submission file: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Path Interception | Path Interception | 1 Obfuscated Files or Information | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
⊘No configs have been found
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
54% | ReversingLabs | Linux.Trojan.Ngioweb | ||
52% | Virustotal | Browse | ||
100% | Avira | LINUX/Agent.lsswq |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No created / dropped files found
File type: | |
Entropy (8bit): | 6.916393574464341 |
TrID: |
|
File name: | h9UrfXfX6V |
File size: | 79'772 bytes |
MD5: | 55ab7aa2ceadb3d30784123f2d534fdf |
SHA1: | 9ee7550820cf2b979387f545337a85e51e50a853 |
SHA256: | 50ea64265c5bff72a5e5aa49dc6b27ada334666cde1807f30b5ec131e6bfcf3c |
SHA512: | 70dfcbf8a4a0f9b7bc8454ea8da2027d4ab020bc5bfac18bd2cbdde8f42e348a9463b14ee8a529026908ba6e96476df1f3f99351d286165d2b268e125aabd285 |
SSDEEP: | 1536:e3+IYXCJDHFMFjEPL75tQ6h4e2+K/ZKTishko14nTJuP:w+HXs51tQe4PUT |
TLSH: | C473C07EB3A59E8FD9A1DB3D3B1454854C14FD3FFAEECB0AA511A43E96393240E20254 |
File Content Preview: | .ELF..............(.....=...4...T4......4. ...(........px...x...x.......................................................8/..8/..8/..4...................@/..@/..@/..................Q.td............................R.td8/..8/..8/............................. |
ELF header | |
---|---|
Class: | |
Data: | |
Version: | |
Machine: | |
Version Number: | |
Type: | |
OS/ABI: | |
ABI Version: | 0 |
Entry Point Address: | |
Flags: | |
ELF Header Size: | 52 |
Program Header Offset: | 52 |
Program Header Size: | 32 |
Number of Program Headers: | 6 |
Section Header Offset: | 78932 |
Section Header Size: | 40 |
Number of Section Headers: | 21 |
Header String Table Index: | 20 |
Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align |
---|---|---|---|---|---|---|---|---|---|---|
NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0 | 0 | 0 | ||
.hash | HASH | 0xf4 | 0xf4 | 0x18 | 0x4 | 0x2 | A | 3 | 0 | 4 |
.gnu.hash | GNU_HASH | 0x10c | 0x10c | 0x18 | 0x4 | 0x2 | A | 3 | 0 | 4 |
.dynsym | DYNSYM | 0x124 | 0x124 | 0x30 | 0x10 | 0x2 | A | 4 | 3 | 4 |
.dynstr | STRTAB | 0x154 | 0x154 | 0x1 | 0x0 | 0x2 | A | 0 | 0 | 1 |
.rel.dyn | REL | 0x158 | 0x158 | 0x258 | 0x8 | 0x2 | A | 3 | 0 | 4 |
.init | PROGBITS | 0x3b0 | 0x3b0 | 0x8 | 0x0 | 0x6 | AX | 0 | 0 | 2 |
.text | PROGBITS | 0x3b8 | 0x3b8 | 0x11958 | 0x0 | 0x6 | AX | 0 | 0 | 4 |
.fini | PROGBITS | 0x11d10 | 0x11d10 | 0x8 | 0x0 | 0x6 | AX | 0 | 0 | 2 |
.rodata | PROGBITS | 0x11d18 | 0x11d18 | 0x260 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.ARM.exidx | ARM_EXIDX | 0x11f78 | 0x11f78 | 0x8 | 0x0 | 0x82 | AL | 7 | 0 | 4 |
.eh_frame | PROGBITS | 0x11f80 | 0x11f80 | 0x4 | 0x0 | 0x2 | A | 0 | 0 | 4 |
.init_array | INIT_ARRAY | 0x22f38 | 0x12f38 | 0x4 | 0x4 | 0x3 | WA | 0 | 0 | 4 |
.fini_array | FINI_ARRAY | 0x22f3c | 0x12f3c | 0x4 | 0x4 | 0x3 | WA | 0 | 0 | 4 |
.dynamic | DYNAMIC | 0x22f40 | 0x12f40 | 0xc0 | 0x8 | 0x3 | WA | 4 | 0 | 4 |
.got | PROGBITS | 0x23000 | 0x13000 | 0x13c | 0x4 | 0x3 | WA | 0 | 0 | 4 |
.data | PROGBITS | 0x2313c | 0x1313c | 0x230 | 0x0 | 0x3 | WA | 0 | 0 | 4 |
.bss | NOBITS | 0x23370 | 0x1336c | 0x350 | 0x0 | 0x3 | WA | 0 | 0 | 8 |
.comment | PROGBITS | 0x0 | 0x1336c | 0x11 | 0x1 | 0x30 | MS | 0 | 0 | 1 |
.ARM.attributes | ARM_ATTRIBUTES | 0x0 | 0x1337d | 0x2d | 0x0 | 0x0 | 0 | 0 | 1 | |
.shstrtab | STRTAB | 0x0 | 0x133aa | 0xa7 | 0x0 | 0x0 | 0 | 0 | 1 |
Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings |
---|---|---|---|---|---|---|---|---|---|---|---|
EXIDX | 0x11f78 | 0x11f78 | 0x11f78 | 0x8 | 0x8 | 2.4056 | 0x4 | R | 0x4 | .ARM.exidx | |
LOAD | 0x0 | 0x0 | 0x0 | 0x11f84 | 0x11f84 | 7.1174 | 0x5 | R E | 0x10000 | .hash .gnu.hash .dynsym .dynstr .rel.dyn .init .text .fini .rodata .ARM.exidx .eh_frame | |
LOAD | 0x12f38 | 0x22f38 | 0x22f38 | 0x434 | 0x788 | 6.3117 | 0x6 | RW | 0x10000 | .init_array .fini_array .dynamic .got .data .bss | |
DYNAMIC | 0x12f40 | 0x22f40 | 0x22f40 | 0xc0 | 0xc0 | 2.3310 | 0x6 | RW | 0x4 | .dynamic | |
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x10 | ||
GNU_RELRO | 0x12f38 | 0x22f38 | 0x22f38 | 0xc8 | 0xc8 | 2.4093 | 0x4 | R | 0x1 | .init_array .fini_array .dynamic |
Type | Meta | Value | Tag |
---|---|---|---|
DT_SYMBOLIC | value | 0x0 | 0x10 |
DT_INIT | value | 0x3b1 | 0xc |
DT_FINI | value | 0x11d11 | 0xd |
DT_INIT_ARRAY | value | 0x22f38 | 0x19 |
DT_INIT_ARRAYSZ | bytes | 4 | 0x1b |
DT_FINI_ARRAY | value | 0x22f3c | 0x1a |
DT_FINI_ARRAYSZ | bytes | 4 | 0x1c |
DT_HASH | value | 0xf4 | 0x4 |
DT_GNU_HASH | value | 0x10c | 0x6ffffef5 |
DT_STRTAB | value | 0x154 | 0x5 |
DT_SYMTAB | value | 0x124 | 0x6 |
DT_STRSZ | bytes | 1 | 0xa |
DT_SYMENT | bytes | 16 | 0xb |
DT_DEBUG | value | 0x0 | 0x15 |
DT_REL | value | 0x158 | 0x11 |
DT_RELSZ | bytes | 600 | 0x12 |
DT_RELENT | bytes | 8 | 0x13 |
DT_FLAGS_1 | value | 0x8000000 | 0x6ffffffb |
DT_RELCOUNT | value | 75 | 0x6ffffffa |
DT_NULL | value | 0x0 | 0x0 |
Name | Version Info Name | Version Info File Name | Section Name | Value | Size | Symbol Type | Symbol Bind | Symbol Visibility | Ndx |
---|---|---|---|---|---|---|---|---|---|
.dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF | |||
.dynsym | 0x3b0 | 0 | SECTION | <unknown> | DEFAULT | 6 | |||
.dynsym | 0x2313c | 0 | SECTION | <unknown> | DEFAULT | 16 |
⊘No network behavior found