From Perfctl to InfoStealer - SANS Internet Storm Center
Tags
| attack-pattern: | Data Credentials - T1589.001 Malware - T1587.001 Malware - T1588.001 Python - T1059.006 Ssh - T1021.004 Tool - T1588.002 Connection Proxy - T1090 Rootkit - T1014 Sudo - T1169 Rootkit |
Common Information
| Type | Value |
|---|---|
| UUID | 758d53c7-61a1-4e79-bb90-16c5944746a6 |
| Fingerprint | e57b034480f59505 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Oct. 9, 2024, midnight |
| Added to db | Oct. 9, 2024, 11:09 a.m. |
| Last updated | Nov. 17, 2024, 7:44 p.m. |
| Headline | Internet Storm Center |
| Title | From Perfctl to InfoStealer - SANS Internet Storm Center |
| Detected Hints/Tags/Attributes | 40/1/56 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://isc.sans.edu/diary/rss/31334 |
URL Provider
RSS Feed
| Details | Id | Enabled | Feed title | Url | Added to db |
|---|---|---|---|---|---|
| Details | 142 | ✔ | SANS Internet Storm Center, InfoCON: green | https://isc.sans.edu/rssfeed_full.xml | 2024-08-30 22:08 |
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | tor-exit-read-me.dfri.se |
|
| Details | Domain | 1 | tor-exit.exs.no |
|
| Details | Domain | 1 | www.bogus.net |
|
| Details | Domain | 1 | disabled.you |
|
| Details | Domain | 7 | proxy.example.com |
|
| Details | Domain | 1 | urllib2.py |
|
| Details | Domain | 1 | dbexts.py |
|
| Details | Domain | 1 | howtorotate.com |
|
| Details | Domain | 8 | application.properties |
|
| Details | Domain | 2 | libfsnldev.so |
|
| Details | Domain | 3 | libpprocps.so |
|
| Details | Domain | 8 | www.aquasec.com |
|
| Details | Domain | 425 | isc.sans.edu |
|
| Details | Domain | 4127 | github.com |
|
| Details | 1 | xyzzy@www.bogus.net |
||
| Details | 1 | password@proxy.example.com |
||
| Details | File | 8 | aa.txt |
|
| Details | File | 1 | cloud_meta.txt |
|
| Details | File | 17 | debug.txt |
|
| Details | File | 1 | environs.txt |
|
| Details | File | 140 | files.txt |
|
| Details | File | 1 | cry.txt |
|
| Details | File | 1 | fds.txt |
|
| Details | File | 1 | fs.txt |
|
| Details | File | 1 | varlib.txt |
|
| Details | File | 2 | xy.txt |
|
| Details | File | 6 | host.txt |
|
| Details | File | 1 | local_users.txt |
|
| Details | File | 1 | modules.txt |
|
| Details | File | 4 | net.txt |
|
| Details | File | 2 | env.txt |
|
| Details | File | 3 | mem.txt |
|
| Details | File | 1 | large-1.txt |
|
| Details | File | 1 | found.txt |
|
| Details | File | 2 | 2_linux_amd64.tar |
|
| Details | File | 1 | th.tar |
|
| Details | File | 1 | urllib2.py |
|
| Details | File | 1 | dbexts.py |
|
| Details | File | 1 | 252_.tar |
|
| Details | Github username | 4 | trufflesecurity |
|
| Details | sha1 | 1 | 9813cde2db1f31f92fed49a4dd8aa29b21d72581 |
|
| Details | sha1 | 1 | 44ca5b263a955ba19ec4f57a5646d4a406a34f70 |
|
| Details | sha256 | 5 | 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 |
|
| Details | IPv4 | 1441 | 127.0.0.1 |
|
| Details | IPv4 | 3 | 104.183.100.189 |
|
| Details | Url | 1 | https://github.com/trufflesecurity/trufflehog/releases/download/v3.78.2/trufflehog_3.78.2_linux_amd64.tar.gz |
|
| Details | Url | 1 | http://jschmoe:xyzzy@www.bogus.net:8000 |
|
| Details | Url | 1 | ftp://joe:password@proxy.example.com |
|
| Details | Url | 1 | http://joe:password@proxy.example.com |
|
| Details | Url | 1 | http://joe:password@proxy.example.com:3128 |
|
| Details | Url | 1 | https://howtorotate.com/docs/tutorials/github |
|
| Details | Url | 1 | http://104.183.100.189/common/backup.list |
|
| Details | Url | 2 | https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers |
|
| Details | Url | 1 | https://www.virustotal.com/gui/file/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 |
|
| Details | Url | 1 | https://isc.sans.edu/diary/kunai |
|
| Details | Url | 2 | https://github.com/trufflesecurity/trufflehog |