Analysis Report bin.sh.1

Overview

General Information

Sample Name:	bin.sh.1
Analysis ID:	327181
MD5:	a73ddd6ec22462db955439f665cad4e6
SHA1:	ac6962542a4b23ac13bddff22f8df9aeb702ef12
SHA256:	b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sample is packed with UPX

Sample contains only a LOAD segment without any section mappings

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: bin.sh.1

Avira: detected

Multi AV Scanner detection for submitted file

Source: bin.sh.1	Virustotal: Detection: 64%	Perma Link
Source: bin.sh.1	Metadefender: Detection: 15%	Perma Link
Source: bin.sh.1	ReversingLabs: Detection: 58%

Source: bin.sh.1

String found in binary or memory: http://upx.sf.net

System Summary:

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x400000

Yara signature match

Source: bin.sh.1, type: SAMPLE

Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4

Source: classification engine

Classification label: mal60.evad.lin1@0/2@0/0

Data Obfuscation:

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.95 Copyright (C) 1996-2018 the UPX Team. All Rights Reserved. $

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/bin.sh.1 (PID: 4568)	Queries kernel information via 'uname':
Source: /usr/share/apport/apport-gtk (PID: 4610)	Queries kernel information via 'uname':
Source: /usr/share/apport/apport-gtk (PID: 4637)	Queries kernel information via 'uname':

Screenshots

No Screenshots

Network Map

No contacted IP infos

ID:	327181
Product:	CloudBasic
Start time:	00:10:39
Start date:	05.12.2020
Sample:	bin.sh.1
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Architecture:	LINUX
MD5:	a73ddd6ec22462db955439f665cad4e6
SHA1:	ac6962542a4b23ac13bddff22f8df9aeb702ef12
SHA256:	b5cf68c7cb5bb2d21d60bf6654926f61566d95bfd7c9f9e182d032f1da5b4605
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Name	Type	MD5	SHA1	SHA256
/var/crash/_usr_share_apport_apport-checkreports.1000.crash	ASCII text	235DBFF95A59A846E5373C3B1C66E608	F13A343E6225DCA43D5C1B93AFE4CDA51DEB42E7	210509C9580F04055A9B8868C5C2E5FFE4EC0E22D7236A666B6B36B8552E1AC9
/var/crash/_usr_share_apport_apport-gtk.1000.crash	ASCII text	999C5A9227F2288110CC8791816D4CD2	F4525B7814BA6AEEC36401125D54635CA1617B6F	A744B50BE7DF0F41AECDD66DEF80A973412331C19AFD55F3D6A34E6F814F6CDA

Analysis Report bin.sh.1

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Screenshots

Network Map