SUSP_LNX_SH_Cron_Curl_Apr21_1

Rule Info

Name: SUSP_LNX_SH_Cron_Curl_Apr21_1
Description: Detects suspicious crontab entry invoking curl (often seen in malware and rarely used by admins - they usually do this (or at least should do this) in a proper script)
Author: Florian Roth
Reference: Internal Research
Date: 2021-04-19
Modified: 2021-04-21
Score: 60
Av Ratio: 17.9
Minimum Yara: 1.7
Required Modules: []
Tags: ['LINUX', 'SUSP']
Rule Hash: ac057fc6acf7aaaba741489fe023abf4

Antivirus Verdicts

Rating: Number of Samples
Malicious (>= 10 engines): 17
Suspicious (< 10 engines): 22
Clean (0 engines): 8

Rule Matches


Rule Matches per Month (last 24 months)