Linux Analysis Report
MDcooUySCg

Overview

General Information

Sample Name:MDcooUySCg
Analysis ID:614314
MD5:3801a926ee836b6907d2d13723693d2d
SHA1:cdf39434bb78871e839312e600b6fe40dc782a1f
SHA256:d42bcb0fca6d93ce4c9a78e5393f7e5949c7398ac598f7c55b76120739eac544
Detection

REvil (score 64, range 0 - 100, whitelisted: false)

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected REvil Linux Ransomware

Joe Sandbox Version:34.0.0 Boulder Opal
Start date and time: 2022-04-23 09:48:15 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 12s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:MDcooUySCg
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:default
Detection:MAL
Classification:mal64.rans.lin@0/0@0/0
Command:/tmp/MDcooUySCg (executed with no arguments; as the Standard Output below shows, the sample only printed its usage banner and exited, which is consistent with the report recording no created files and no network behavior)
PID:6811
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Revix 1.2a
Usage example: elf.exe --path /vmfs/ --threads 5
--silent (-s) use for not stoping VMs mode
!!!BY DEFAULT THIS SOFTWARE USES 50 THREADS!!!
Standard Error: (empty)

Process Tree:
  • system is lnxubuntu1
  • MDcooUySCg (PID: 6811, Parent: 6745, MD5: 3801a926ee836b6907d2d13723693d2d) Arguments: /tmp/MDcooUySCg
  • cleanup
Yara Matches

Source | Rule | Description | Author
MDcooUySCg (sample file) | JoeSecurity_REvilLinux | Yara detected REvil Linux Ransomware | Joe Security
6811.1.0000000000400000.0000000000415000.r-x.sdmp (process memory) | JoeSecurity_REvilLinux | Yara detected REvil Linux Ransomware | Joe Security

      AV Detection

Source: 6811.1.0000000000616000.000000000061b000.rw-.sdmp, Malware Configuration Extractor: REvil {"pk": "4nONu4GmajfjefjrnvkrnvkdsnchfkvnkfjnvnHf40RvBhHclpampcsKyZMxfSelgMmZE/nI=", "pid": "$2a$12$D3Wk4d.cy0e0EiVqDPJe1.06OMR3duoMRIH78i7XFXbSkCLHuLoMG", "sub": "8639", "dbg": false, "et": 0, "nbody": "LS0tPT09IFdlbGNvbWUuIEFnYWluLiA9PT0tLS0KClstXSBXaGF0cyBIYXBwZW4/IFstXQoKWW91ciBmaWxlcyBhcmUgZW5jcnlwdGVkLCBhbmQgY3VycmVudGx5IHVuYXZhaWxhYmxlLiBZb3UgY2FuIGNoZWNrIGl0OiBhbGwgZmlsZXMgb24geW91ciBzeXN0ZW0gaGFzIGV4dGVuc2lvbiB7RVhUfS4KQnkgdGhlIHdheSwgZXZlcnl0aGluZyBpcyBwb3NzaWJsZSB0byByZWNvdmVyIChyZXN0b3JlKSwgYnV0IHlvdSBuZWVkIHRvIGZvbGxvdyBvdXIgaW5zdHJ1Y3Rpb25zLiBPdGhlcndpc2UsIHlvdSBjYW50IHJldHVybiB5b3VyIGRhdGEgKE5FVkVSKS4KClstXSBXaGF0IGd1YXJhbnRlZXM/IFstXQoKSXRzIGp1c3QgYSBidXNpbmVzcy4gV2UgYWJzb2x1dGVseSBkbyBub3QgY2FyZSBhYm91dCB5b3UgYW5kIHlvdXIgZGVhbHMsIGV4Y2VwdCBnZXR0aW5nIGJlbmVmaXRzLiBJZiB3ZSBkbyBub3QgZG8gb3VyIHdvcmsgYW5kIGxpYWJpbGl0aWVzIC0gbm9ib2R5IHdpbGwgbm90IGNvb3BlcmF0ZSB3aXRoIHVzLiBJdHMgbm90IGluIG91ciBpbnRlcmVzdHMuClRvIGNoZWNrIHRoZSBhYmlsaXR5IG9mIHJldHVybmluZyBmaWxlcywgWW91IHNob3VsZCBnbyB0byBvdXIgd2Vic2l0ZS4gVGhlcmUgeW91IGNhbiBkZWNyeXB0IG9uZSBmaWxlIGZvciBmcmVlLiBUaGF0IGlzIG91ciBndWFyYW50ZWUuCklmIHlvdSB3aWxsIG5vdCBjb29wZXJhdGUgd2l0aCBvdXIgc2VydmljZSAtIGZvciB1cywgaXRzIGRvZXMgbm90IG1hdHRlci4gQnV0IHlvdSB3aWxsIGxvc2UgeW91ciB0aW1lIGFuZCBkYXRhLCBjYXVzZSBqdXN0IHdlIGhhdmUgdGhlIHByaXZhdGUga2V5LiBJbiBwcmFjdGljZSAtIHRpbWUgaXMgbXVjaCBtb3JlIHZhbHVhYmxlIHRoYW4gbW9uZXkuCgpbK10gSG93IHRvIGdldCBhY2Nlc3Mgb24gd2Vic2l0ZT8gWytdCgpVc2luZyBhIFRPUiBicm93c2VyIQogIDEpIERvd25sb2FkIGFuZCBpbnN0YWxsIFRPUiBicm93c2VyIGZyb20gdGhpcyBzaXRlOiBodHRwczovL3RvcnByb2plY3Qub3JnLwogIDIpIE9wZW4gb3VyIHdlYnNpdGU6IGh0dHA6Ly9hcGxlYnp1NDd3Z2F6YXBkcWtzNnZyY3Y2emNuanBwa2J4YnI2d2tldGY1Nm5mNmFxMm5teW95ZC5vbmlvbi97VUlEfQoKV2FybmluZzogc2Vjb25kYXJ5IHdlYnNpdGUgY2FuIGJlIGJsb2NrZWQsIHRoYXRzIHdoeSBmaXJzdCB2YXJpYW50IG11Y2ggYmV0dGVyIGFuZCBtb3JlIGF2YWlsYWJsZS4KCldoZW4geW91IG9wZW4gb3VyIHdlYnNpdGUsIHB1dCB0aGUgZm9sbG93aW5nIGRhdGEgaW4gdGhlIGlucHV0IGZvcm06CktleToKCgp7S0VZfQoKCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tCgohISEgREFOR0VSICEhIQpET04nVCB0cnkgdG8gY2hhbmdlIGZpbGVzIGJ5IHlvdXJzZWxmLCBET04nVCB1c2UgYW55IHRoaXJkIHBhcnR5IHNvZnR3YXJlIGZvciByZXN0b3JpbmcgeW91ciBkYXRhIG9yIGFudGl2aXJ1cyBzb2x1dGlvbnMgLSBpdHMgbWF5IGVudGFpbCBkYW1hZ2Ugb2YgdGhlIHByaXZhdGUga2V5IGFuZCwgYXMgcmVzdWx0LCBUaGUgTG9zcyBhbGwgZGF0YS4KISEhICEhISAhISEKT05FIE1PUkUgVElNRTogSXRzIGluIHlvdXIgaW50ZXJlc3RzIHRvIGdldCB5b3VyIGZpbGVzIGJhY2suIEZyb20gb3VyIHNpZGUsIHdlICh0aGUgYmVzdCBzcGVjaWFsaXN0cykgbWFrZSBldmVyeXRoaW5nIGZvciByZXN0b3JpbmcsIGJ1dCBwbGVhc2Ugc2hvdWxkIG5vdCBpbnRlcmZlcmUuCiEhISAhISEgISEhAA==", "nname": "{EXT}-readme.txt", "rdmcnt": 0, "ext": ".vemar"}
Source: MDcooUySCg, Virustotal: Detection: 22%
Source: MDcooUySCg, ReversingLabs: Detection: 42%
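The extracted configuration above is a flat JSON object: nbody is the base64-encoded ransom-note template (it ends in "AA==", i.e. the note is NUL-terminated), nname is the note filename template, ext is the extension appended to encrypted files, and pid has the bcrypt modular-crypt shape ("$2a$12$" followed by 53 characters). The Python below is an added example and is not code from the report, from Joe Sandbox or from the malware author: it parses a configuration in this layout, decodes and renders the note template, checks the pid format and measures the decoded public key. The embedded sample configuration is constructed for the example: pid, sub, ext and nname are the values extracted above, but pk and nbody are short stand-ins (the real nbody is the multi-kilobyte string in the report and can be pasted in unchanged). Reading pid and sub as affiliate and campaign identifiers follows public REvil analyses and is an assumption here, as is the literal substitution of {EXT}, {UID} and {KEY}, which the report itself does not demonstrate.

```python
import base64
import binascii
import json
import re

# bcrypt modular-crypt layout: $2a$<cost>$ followed by 22 salt + 31 hash characters.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
PLACEHOLDER_RE = re.compile(r"\{[A-Z]+\}")

# Constructed sample in the same key layout as the report's configuration.
# pid, sub, ext and nname are the values extracted in the report; pk and nbody
# are constructed stand-ins so the example stays short and runs offline.
SAMPLE_CONFIG = json.dumps({
    "pk": base64.b64encode(bytes(range(32))).decode(),  # constructed 32-byte key
    "pid": "$2a$12$D3Wk4d.cy0e0EiVqDPJe1.06OMR3duoMRIH78i7XFXbSkCLHuLoMG",
    "sub": "8639",
    "dbg": False,
    "et": 0,
    # Constructed note template; like the real one it carries a trailing NUL.
    "nbody": base64.b64encode(
        b"Your files are encrypted, all files have extension {EXT}.\n"
        b"Open http://example.invalid/{UID}\nKey:\n{KEY}\n\x00"
    ).decode(),
    "nname": "{EXT}-readme.txt",
    "rdmcnt": 0,
    "ext": ".vemar",
})


def decode_note(nbody_b64: str) -> str:
    """Base64-decode the note body and drop the trailing NUL terminator."""
    raw = base64.b64decode(nbody_b64)
    return raw.rstrip(b"\x00").decode("utf-8", errors="replace")


def render_note(template: str, ext: str, uid: str = "<UID>", key: str = "<KEY>") -> str:
    """Literal substitution of the placeholders seen in the template (assumption:
    the report does not show how the sample itself fills {UID} and {KEY}, so a
    caller passes whatever was recovered from a victim's note)."""
    return template.replace("{EXT}", ext).replace("{UID}", uid).replace("{KEY}", key)


def decode_pk(pk_b64: str):
    """Return the decoded key length in bytes, or None if pk is not clean base64."""
    try:
        return len(base64.b64decode(pk_b64, validate=True))
    except (binascii.Error, ValueError):
        return None


def parse_config(text: str) -> dict:
    """Turn a REvil/Revix-style JSON configuration into triage fields."""
    cfg = json.loads(text)
    template = decode_note(cfg["nbody"])
    return {
        # pid/sub as affiliate and campaign IDs follows public REvil analyses (assumption)
        "affiliate_id": cfg["pid"],
        "affiliate_id_is_bcrypt": bool(BCRYPT_RE.match(cfg["pid"])),
        "campaign_id": cfg["sub"],
        "debug_build": bool(cfg["dbg"]),
        "extension": cfg["ext"],
        "note_filename": cfg["nname"].replace("{EXT}", cfg["ext"]),
        "note_placeholders": sorted(set(PLACEHOLDER_RE.findall(template))),
        "note": render_note(template, cfg["ext"]),
        "pk_bytes": decode_pk(cfg["pk"]),
    }


if __name__ == "__main__":
    print(json.dumps(parse_config(SAMPLE_CONFIG), indent=2))
```

Feeding the report's own pk value to decode_pk returns None rather than a length, because that string is not a multiple of four characters long and so is rejected by strict base64 decoding; treating a malformed or oddly sized key as a finding rather than silently decoding it is why the function validates instead of guessing.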

      Spam, unwanted Advertisements and Ransom Demands

Source: Yara match, File source: MDcooUySCg, type: SAMPLE
Source: Yara match, File source: 6811.1.0000000000400000.0000000000415000.r-x.sdmp, type: MEMORY
Source: classification engine, Classification label: mal64.rans.lin@0/0@0/0
      No Mitre Att&ck techniques found
Antivirus Detection

Source | Detection | Scanner | Label
MDcooUySCg | 23% | Virustotal | -
MDcooUySCg | 42% | ReversingLabs | Linux.Trojan.Multiverze
No Antivirus matches
No contacted domains info
No contacted IP infos
No created / dropped files found
      File type:ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, stripped
      Entropy (8bit):5.667902292324163
      TrID:
      • ELF Executable and Linkable format (Linux) (4029/14) 49.77%
      • ELF Executable and Linkable format (generic) (4004/1) 49.46%
      • Lumena CEL bitmap (63/63) 0.78%
      File name:MDcooUySCg
      File size:109366
      MD5:3801a926ee836b6907d2d13723693d2d
      SHA1:cdf39434bb78871e839312e600b6fe40dc782a1f
      SHA256:d42bcb0fca6d93ce4c9a78e5393f7e5949c7398ac598f7c55b76120739eac544
      SHA512:ec312353aa521e39be7f86fe350daf663f793b3ca43d5223cb0acf091ea45f2770125a62c73ec1dec52666c3b3048ea355522347773a894a14840a19f8b762bc
      SSDEEP:3072:LQ7b+XdBHttsNgggwgggwgggwgggwgggYSYVP:mZFlVP
      TLSH:12B32AF7E6B551ECC676F33925CF7CFBE0A0707815B6240E6B86391D23249890D6623A
      File Content Preview:.ELF..............>.....P.@.....@...................@.8...@.............@.......@.@.....@.@.....................................8.......8.@.....8.@...............................................@.......@......O.......O........ ..............].......]a....
      No network behavior found

      System Behavior

      Start time:09:48:50
      Start date:23/04/2022
      Path:/tmp/MDcooUySCg
      Arguments:/tmp/MDcooUySCg
      File size:109366 bytes
      MD5 hash:3801a926ee836b6907d2d13723693d2d