NextronSystems / thor-lite

Fast IOC and YARA Scanner

Multiple hits for APT28 related content across multiple machines #44

Open 1490kdrm opened 1 month ago

1490kdrm commented 1 month ago

Hello,

I was directed to your issues page by an associate after hitting the info email.

I'm getting hits for DROVORUB on an Arch Linux instance, Xtunnel on the same machine but a Windows instance, and Snake on a Windows instance on a different machine. Let me know what you'd need or want from me: I can either upload the .txt or .html files for the specific scans or just copy and paste the detections. Let me know.

Thank you

1490kdrm commented 3 weeks ago

Ok - Well, I'm proactively posting the detections.   `Alert 1 Apr 29 14:24:51 archlinux/10.1.0.22 MODULE: ProcessCheck MESSAGE: Malicious process found PID: 4894 COMMAND: /usr/bin/clamd PPID: 2974 PARENT: /usr/lib/systemd/systemd PROCESS_NAME: clamd OWNER: clamav CREATED: Mon Apr 29 08:46:59 2024 SESSION: IMAGE_FILE: /usr/bin/clamd IMAGE_TYPE: ELF IMAGE_SIZE: 202784 IMAGE_MD5: 22015cf434970e1a01049f7042f96ab4 IMAGE_SHA1: 848a49c96a4e9665bca2ef6cbb950df163d7afd1 IMAGE_SHA256: 8b880a7fdbbb88caad19bc8b4f48b392a9fd62205eea021b8fa136713a868364 IMAGE_FIRSTBYTES: 7f454c4602010100000000000000000003003e00 / ELF> IMAGE_CHANGED: Mon Apr 8 17:40:15.688 2024 IMAGE_MODIFIED: Fri Oct 27 15:12:58.000 2023 IMAGE_ACCESSED: Sun Apr 28 20:36:44.232 2024 IMAGE_PERMISSIONS: -rwxr-xr-x IMAGE_OWNER: root IMAGE_GROUP: root CONNECTION_COUNT: 0 LISTEN_PORTS: FILE_1: /usr/bin/clamd EXISTS_1: yes TYPE_1: ELF SIZE_1: 202784 MD5_1: 22015cf434970e1a01049f7042f96ab4 SHA1_1: 848a49c96a4e9665bca2ef6cbb950df163d7afd1 SHA256_1: 8b880a7fdbbb88caad19bc8b4f48b392a9fd62205eea021b8fa136713a868364 FIRSTBYTES_1: 7f454c4602010100000000000000000003003e00 / ELF> OWNER_1: root GROUP_1: root FILE_2: /usr/lib/systemd/systemd EXISTS_2: yes TYPE_2: ELF SIZE_2: 100560 MD5_2: 80865b96a49686b2b25c901bf2e71feb SHA1_2: c1354e27304011b60b8ec02b2305088119e01027 SHA256_2: 95a6795b21f6211638eea1a0e815dd87708bb75b553ed759f941689c6790ed69 FIRSTBYTES_2: 7f454c4602010100000000000000000003003e00 / ELF> OWNER_2: root GROUP_2: root REASON_1: YARA rule HKTL_Meterpreter_inMemory / Detects Meterpreter in-memory SUBSCORE_1: 85 REF_1: https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/ SIGTYPE_1: internal SIGCLASS_1: YARA Rule MATCHED_1

WS2_32.dll at 0x7eeb8c64bd25
ReflectiveLoader at 0x7eeb6786d69f

RULEDATE_1: 2020-06-29 TAGS_1: HKTL, METASPLOIT RULENAME_1: HKTL_Meterpreter_inMemory AUTHOR_1: netbiosX, Florian Roth REASON_2: YARA rule sql_php_php / Semi-Auto-generated - file sql.php.php.txt SUBSCORE_2: 75 REF_2:

SIGTYPE_2: internal SIGCLASS_2: YARA Rule MATCHED_2

http://rst.void.ru at 0x7eeb2ebb440d

RULEDATE_2: 1970-01-01 TAGS_2: T1505_003, WEBSHELL RULENAME_2: sql_php_php AUTHOR_2: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls REASON_3: YARA rule lamashell_php / Semi-Auto-generated - file lamashell.php.txt SUBSCORE_3: 75 REF_3:

SIGTYPE_3: internal SIGCLASS_3: YARA Rule MATCHED_3

lama's'hell at 0x7eeb2ebb4769

RULEDATE_3: 1970-01-01 TAGS_3: T1505_003, WEBSHELL RULENAME_3: lamashell_php AUTHOR_3: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls REASON_4: YARA rule ironshell_php / Semi-Auto-generated - file ironshell.php.txt SUBSCORE_4: 75 REF_4:

SIGTYPE_4: internal SIGCLASS_4: YARA Rule MATCHED_4

$cookiename = "wieeeee"; at 0x7eeb2ebb201a

RULEDATE_4: 1970-01-01 TAGS_4: T1505_003, WEBSHELL RULENAME_4: ironshell_php AUTHOR_4: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls REASON_5: YARA rule h4ntu_shell__powered_bytsoi / Semi-Auto-generated - file h4ntu shell [powered by tsoi].txt SUBSCORE_5: 75 REF_5:

SIGTYPE_5: internal SIGCLASS_5: YARA Rule MATCHED_5

h4ntu shell at 0x7eeb4bf91649
system("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp"); at 0x7eeb2ebb3678

RULEDATE_5: 1970-01-01 TAGS_5: SCRIPT, T1505_003, WEBSHELL RULENAME_5: h4ntu_shell__powered_bytsoi AUTHOR_5: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls REASON_6: YARA rule connectback2_pl / Semi-Auto-generated - file connectback2.pl.txt SUBSCORE_6: 75 REF_6:

SIGTYPE_6: internal SIGCLASS_6: YARA Rule MATCHED_6

ConnectBack Backdoor at 0x7eeb2eba95c2

RULEDATE_6: 1970-01-01 TAGS_6: T1505_003, WEBSHELL RULENAME_6: connectback2_pl AUTHOR_6: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls REASON_7: YARA rule SimAttacker_Vrsion_1_00priv8_4_My_friend_php / Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt SUBSCORE_7: 75 REF_7:

SIGTYPE_7: internal SIGCLASS_7: YARA Rule MATCHED_7

SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend at 0x7eeb2ebb68aa

RULEDATE_7: 1970-01-01 TAGS_7: T1505_003, WEBSHELL RULENAME_7: SimAttacker_Vrsion_1_00priv8_4_My_friend_php AUTHOR_7: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls REASON_8: YARA rule Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php / Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt SUBSCORE_8: 75 REF_8:

SIGTYPE_8: internal SIGCLASS_8: YARA Rule MATCHED_8

Safe0ver at 0x7eeb2ea4a4fd

RULEDATE_8: 1970-01-01 TAGS_8: SCRIPT, T1505_003, WEBSHELL RULENAME_8: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php AUTHOR_8: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls REASON_9: YARA rule SUSP_PowerShell_Caret_Obfuscation_2 / Detects powershell keyword obfuscated with carets SUBSCORE_9: 75 REF_9: Internal Research SIGTYPE_9: internal SIGCLASS_9: YARA Rule MATCHED_9

p^o^wer^sh^ell at 0x7eeb6b71fd06

RULEDATE_9: 2019-07-20 TAGS_9: OBFUS, SCRIPT, SUSP, T1059_001 RULENAME_9: SUSP_PowerShell_Caret_Obfuscation_2 AUTHOR_9: Florian Roth (Nextron Systems) REASON_10: YARA rule SUSP_Double_Base64_Encoded_Executable / Detects an executable that has been encoded with base64 twice SUBSCORE_10: 75 REF_10: https://twitter.com/TweeterCyber/status/1189073238803877889 SIGTYPE_10: internal SIGCLASS_10: YARA Rule MATCHED_10

VFZxUUFBT at 0x7eeb5d2eb740

RULEDATE_10: 2019-10-29 TAGS_10: SUSP, T1132_001 RULENAME_10: SUSP_Double_Base64_Encoded_Executable AUTHOR_10: Florian Roth (Nextron Systems) REASON_11: YARA rule PHANTASMA_php / Semi-Auto-generated - file PHANTASMA.php.txt SUBSCORE_11: 75 REF_11:

SIGTYPE_11: internal SIGCLASS_11: YARA Rule MATCHED_11

[*] Spawning Shell at 0x7eeb2eba9d61
Cha0s at 0x7eeb2ea669f9

RULEDATE_11: 1970-01-01 TAGS_11: T1505_003, WEBSHELL RULENAME_11: PHANTASMA_php AUTHOR_11: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls REASON_12: YARA rule Hunting_Rule_ShikataGaNai / - SUBSCORE_12: 75 REF_12: https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html SIGTYPE_12: internal SIGCLASS_12: YARA Rule MATCHED_12

"\xd9t$\xf4\xb8\"\xd2'z)\xc9\xb1K[1C\x1a" at 0x7eeb3971bc3c

RULEDATE_12: 1970-01-01 RULENAME_12: Hunting_Rule_ShikataGaNai AUTHOR_12: Steven Miller REASON_13: YARA rule DTool_Pro_php / Semi-Auto-generated - file DTool Pro.php.txt SUBSCORE_13: 75 REF_13:

SIGTYPE_13: internal SIGCLASS_13: YARA Rule MATCHED_13

r3v3ng4ns\nDigite at 0x7eeb2ebb5505

RULEDATE_13: 1970-01-01 TAGS_13: T1505_003, WEBSHELL RULENAME_13: DTool_Pro_php AUTHOR_13: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls REASON_14: YARA rule Cobaltbaltstrike_Payload_Encoded / Detects CobaltStrike payloads SUBSCORE_14: 75 REF_14: https://github.com/avast/ioc SIGTYPE_14: internal SIGCLASS_14: YARA Rule MATCHED_14

fc4883e4f0e8c8000000415141505251 at 0x7eeb65c2f20e

RULEDATE_14: 1970-01-01 TAGS_14: COBALTSTRIKE, S0154, T1550_002 RULENAME_14: Cobaltbaltstrike_Payload_Encoded AUTHOR_14: Avast Threat Intel Team REASON_15: YARA rule APT_APT28_drovorub_unique_network_comms_strings / Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based SUBSCORE_15: 75 REF_15: https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/ SIGTYPE_15: internal SIGCLASS_15: YARA Rule MATCHED_15

action at 0x5b404d4b7994
auth.commit at 0x7eeb71457ff0
auth.hello at 0x7eeb7144ff62
auth.login at 0x7eeb71455d32
auth.pending at 0x7eeb71455eba
client_id at 0x7eeb5c4ebae0
client_login at 0x7eeb396b8d48
client_pass at 0x7eeb396b8d6a
clientid at 0x7eeb714565da
clientkey_base64 at 0x7eeb714567a2
file_list_request at 0x7eeb714571c4
module_list_request at 0x7eeb71457c18
monitor at 0x7eeb2e1772d4
net_list_request at 0x7eeb71457e22
server finished at 0x7eeb5b68bc46
serverid at 0x7eeb6aca3b8a
tunnel at 0x7eeb2df919a3

RULEDATE_15: 2020-08-13 TAGS_15: APT, G0007, RUSSIA RULENAME_15: APT_APT28_drovorub_unique_network_comms_strings AUTHOR_15: NSA / FBI REASON_16: YARA rule webshell_c99_locus7s_c99_w4cking_xxx / Web Shell SUBSCORE_16: 70 REF_16:

SIGTYPE_16: internal SIGCLASS_16: YARA Rule MATCHED_16

$res = @shell_exec($cfe); at 0x7eeb2eb69bba
$res = @ob_get_contents(); at 0x7eeb2eb69c19
@exec($cfe,$res); at 0x7eeb2eb69a71

RULEDATE_16: 2014-01-28 TAGS_16: SCRIPT, T1505_003, WEBSHELL RULENAME_16: webshell_c99_locus7s_c99_w4cking_xxx AUTHOR_16: Florian Roth (Nextron Systems) REASON_17: YARA rule EditServer / Disclosed hacktool set (old stuff) - file EditServer.exe SUBSCORE_17: 60 REF_17:

SIGTYPE_17: internal SIGCLASS_17: YARA Rule MATCHED_17

WinEggDrop Shell Congirator at 0x7eeb40c28189

RULEDATE_17: 2014-11-23 TAGS_17: HKTL RULENAME_17: EditServer AUTHOR_17: Florian Roth (Nextron Systems) REASON_18: YARA rule HackTool_Samples / Hacktool SUBSCORE_18: 50 REF_18:

SIGTYPE_18: internal SIGCLASS_18: YARA Rule MATCHED_18

WPE-C1467211-7C89-49c5-801A-1D048E4014C4 at 0x7eeb3b9c2ea4
clearlogs [\\computername at 0x7eeb3b68fd90

RULEDATE_18: 1970-01-01 TAGS_18: HKTL RULENAME_18: HackTool_Samples AUTHOR_18: Undefined REASONS_COUNT: 18 FILE_1: /usr/bin/clamd EXISTS_1: yes TYPE_1: ELF SIZE_1: 202784 MD5_1: 22015cf434970e1a01049f7042f96ab4 SHA1_1: 848a49c96a4e9665bca2ef6cbb950df163d7afd1 SHA256_1: 8b880a7fdbbb88caad19bc8b4f48b392a9fd62205eea021b8fa136713a868364 FIRSTBYTES_1: 7f454c4602010100000000000000000003003e00 / ELF> OWNER_1: root GROUP_1: root FILE_2: /usr/lib/systemd/systemd EXISTS_2: yes TYPE_2: ELF SIZE_2: 100560 MD5_2: 80865b96a49686b2b25c901bf2e71feb SHA1_2: c1354e27304011b60b8ec02b2305088119e01027 SHA256_2: 95a6795b21f6211638eea1a0e815dd87708bb75b553ed759f941689c6790ed69 FIRSTBYTES_2: 7f454c4602010100000000000000000003003e00 / ELF> OWNER_2: root GROUP_2: root SCORE: 94`

`Warning 1 Jun 12 12:33:49 x299-clr/10.1.0.17 MODULE: ProcessCheck MESSAGE: Suspicious process found PID: 2786 COMMAND: sudo ssh mrkd@10.5.0.3 PPID: 2240 PARENT: /usr/bin/bash PROCESS_NAME: sudo OWNER: mrkd CREATED: Wed Jun 12 08:25:41 2024 SESSION: IMAGE_FILE: /usr/bin/sudo IMAGE_TYPE: ELF IMAGE_SIZE: 517760 IMAGE_MD5: 73964442358af031c483e63eee4f576d IMAGE_SHA1: 3c12eb14a537847d8522fd84f60fbe8c94772fae IMAGE_SHA256: feb1abdbed064a147dd58271938ea0a2ab145773d35ea45a5c1b53a186ba2b82 IMAGE_FIRSTBYTES: 7f454c4602010100000000000000000003003e00 / ELF> IMAGE_CHANGED: Fri May 31 07:54:44.911 2024 IMAGE_MODIFIED: Tue Jan 16 15:44:54.000 2024 IMAGE_ACCESSED: Wed Jun 12 08:09:56.394 2024 IMAGE_PERMISSIONS: urwxr-xr-x IMAGE_OWNER: root IMAGE_GROUP: 0 CONNECTION_COUNT: 0 LISTEN_PORTS: FILE_1: /usr/bin/bash EXISTS_1: yes TYPE_1: ELF SIZE_1: 1674328 MD5_1: 07ff9f25cf5869f1497f6670a0a0df33 SHA1_1: 843aa1cc7dc9e5f5b4ecd059324b8d6e48a517f5 SHA256_1: cc225ac208c32673df35bdbc43639ad2aee9d890ff5554eaac5f1b0b42b4286c FIRSTBYTES_1: 7f454c4602010100000000000000000003003e00 / ELF> OWNER_1: root GROUP_1: 0 REASON_1: YARA rule APT_APT28_drovorub_unique_network_comms_strings / Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based SUBSCORE_1: 75 REF_1: https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/ SIGTYPE_1: internal SIGCLASS_1: YARA Rule MATCHED_1

action at 0x558f061ea291
auth.commit at 0x558f0d2a3edc
auth.hello at 0x558f0d2a3f02
auth.login at 0x558f0d2a3f27
auth.pending at 0x558f0d2a3f4c
client_id at 0x558f06b16aa8
client_login at 0x558f0d2a3f97
client_pass at 0x558f0d2a3fbe
clientid at 0x558f0d2a3fe4
clientkey_base64 at 0x558f0d2a4008
file_list_request at 0x558f0d2a4034
module_list_request at 0x558f0d2a4061
monitor at 0x558f06bdf161
net_list_request at 0x558f0d2a40b3
server finished at 0x558f067c4495
serverid at 0x558f0d2a410a
tunnel at 0x558f06580b06

RULEDATE_1: 2020-08-13 TAGS_1: APT, G0007, RUSSIA RULENAME_1: APT_APT28_drovorub_unique_network_comms_strings AUTHOR_1: NSA / FBI REASON_2: YARA rule webshell_c99_locus7s_c99_w4cking_xxx / Web Shell SUBSCORE_2: 70 REF_2:

SIGTYPE_2: internal SIGCLASS_2: YARA Rule MATCHED_2

$res = @shell_exec($cfe); at 0x558f0d2a4368
$res = @ob_get_contents(); at 0x558f0d2a439c
@exec($cfe,$res); at 0x558f0d2a43d1

RULEDATE_2: 2014-01-28 TAGS_2: SCRIPT, T1505_003, WEBSHELL RULENAME_2: webshell_c99_locus7s_c99_w4cking_xxx AUTHOR_2: Florian Roth (Nextron Systems) REASON_3: YARA rule EditServer / Disclosed hacktool set (old stuff) - file EditServer.exe SUBSCORE_3: 60 REF_3:

SIGTYPE_3: internal SIGCLASS_3: YARA Rule MATCHED_3

WinEggDrop Shell Congirator at 0x558f0d2a463e

RULEDATE_3: 2014-11-23 TAGS_3: HKTL RULENAME_3: EditServer AUTHOR_3: Florian Roth (Nextron Systems) REASON_4: YARA rule HackTool_Samples / Hacktool SUBSCORE_4: 50 REF_4:

SIGTYPE_4: internal SIGCLASS_4: YARA Rule MATCHED_4

WPE-C1467211-7C89-49c5-801A-1D048E4014C4 at 0x558f0d2a485a

RULEDATE_4: 1970-01-01 TAGS_4: HKTL RULENAME_4: HackTool_Samples AUTHOR_4: Undefined REASONS_COUNT: 4 FILE_1: /usr/bin/bash EXISTS_1: yes TYPE_1: ELF SIZE_1: 1674328 MD5_1: 07ff9f25cf5869f1497f6670a0a0df33 SHA1_1: 843aa1cc7dc9e5f5b4ecd059324b8d6e48a517f5 SHA256_1: cc225ac208c32673df35bdbc43639ad2aee9d890ff5554eaac5f1b0b42b4286c FIRSTBYTES_1: 7f454c4602010100000000000000000003003e00 / ELF> OWNER_1: root GROUP_1: 0 SCORE: 87 Warning 2 Jun 12 12:33:49 x299-clr/10.1.0.17 MODULE: ProcessCheck MESSAGE: Suspicious process found PID: 2789 COMMAND: ssh mrkd@10.5.0.3 PPID: 2788 PARENT: /usr/bin/sudo PROCESS_NAME: ssh OWNER: root CREATED: Wed Jun 12 08:25:41 2024 SESSION: IMAGE_FILE: /usr/bin/ssh IMAGE_TYPE: ELF IMAGE_SIZE: 1475896 IMAGE_MD5: 8b346ccfe2ed832b1c724e5a200845c2 IMAGE_SHA1: ad2e093cd00287043decf80eb77f3d7861bdfe61 IMAGE_SHA256: fd5d41a4f595794f73ee402095896ea10370aca03138e61cc96aa78a1c719808 IMAGE_FIRSTBYTES: 7f454c4602010100000000000000000003003e00 / ELF> IMAGE_CHANGED: Fri May 31 07:54:44.656 2024 IMAGE_MODIFIED: Mon Mar 11 11:22:22.000 2024 IMAGE_ACCESSED: Wed Jun 12 08:27:01.886 2024 IMAGE_PERMISSIONS: -rwxr-xr-x IMAGE_OWNER: root IMAGE_GROUP: 0 CONNECTION_COUNT: 1 LISTEN_PORTS: 49226 FILE_1: /usr/bin/sudo EXISTS_1: yes TYPE_1: ELF SIZE_1: 517760 MD5_1: 73964442358af031c483e63eee4f576d SHA1_1: 3c12eb14a537847d8522fd84f60fbe8c94772fae SHA256_1: feb1abdbed064a147dd58271938ea0a2ab145773d35ea45a5c1b53a186ba2b82 FIRSTBYTES_1: 7f454c4602010100000000000000000003003e00 / ELF> OWNER_1: root GROUP_1: 0 REASON_1: YARA rule APT_APT28_drovorub_unique_network_comms_strings / Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based SUBSCORE_1: 75 REF_1: https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/ SIGTYPE_1: internal SIGCLASS_1: YARA Rule MATCHED_1

action at 0x55d3b4a1c368
auth.commit at 0x55d3bd1535dc
auth.hello at 0x55d3bd153602
auth.login at 0x55d3bd153627
auth.pending at 0x55d3bd15364c
client_id at 0x55d3bd153673
client_login at 0x55d3bd153697
client_pass at 0x55d3bd1536be
clientid at 0x55d3bd1536e4
clientkey_base64 at 0x55d3bd153708
file_list_request at 0x55d3bd153734
module_list_request at 0x55d3bd153761
monitor at 0x55d3b53ff964
net_list_request at 0x55d3bd1537b3
server finished at 0x55d3bd1537df
serverid at 0x55d3bd15380a
tunnel at 0x55d3b5180b06

RULEDATE_1: 2020-08-13 TAGS_1: APT, G0007, RUSSIA RULENAME_1: APT_APT28_drovorub_unique_network_comms_strings AUTHOR_1: NSA / FBI REASON_2: YARA rule webshell_c99_locus7s_c99_w4cking_xxx / Web Shell SUBSCORE_2: 70 REF_2:

SIGTYPE_2: internal SIGCLASS_2: YARA Rule MATCHED_2

$res = @shell_exec($cfe); at 0x55d3bd153a68
$res = @ob_get_contents(); at 0x55d3bd153a9c
@exec($cfe,$res); at 0x55d3bd153ad1

RULEDATE_2: 2014-01-28 TAGS_2: SCRIPT, T1505_003, WEBSHELL RULENAME_2: webshell_c99_locus7s_c99_w4cking_xxx AUTHOR_2: Florian Roth (Nextron Systems) REASON_3: YARA rule EditServer / Disclosed hacktool set (old stuff) - file EditServer.exe SUBSCORE_3: 60 REF_3:

SIGTYPE_3: internal SIGCLASS_3: YARA Rule MATCHED_3

WinEggDrop Shell Congirator at 0x55d3bd153d3e

RULEDATE_3: 2014-11-23 TAGS_3: HKTL RULENAME_3: EditServer AUTHOR_3: Florian Roth (Nextron Systems) REASON_4: YARA rule HackTool_Samples / Hacktool SUBSCORE_4: 50 REF_4:

SIGTYPE_4: internal SIGCLASS_4: YARA Rule MATCHED_4

WPE-C1467211-7C89-49c5-801A-1D048E4014C4 at 0x55d3bd153f5a

RULEDATE_4: 1970-01-01 TAGS_4: HKTL RULENAME_4: HackTool_Samples AUTHOR_4: Undefined REASONS_COUNT: 4 FILE_1: /usr/bin/sudo EXISTS_1: yes TYPE_1: ELF SIZE_1: 517760 MD5_1: 73964442358af031c483e63eee4f576d SHA1_1: 3c12eb14a537847d8522fd84f60fbe8c94772fae SHA256_1: feb1abdbed064a147dd58271938ea0a2ab145773d35ea45a5c1b53a186ba2b82 FIRSTBYTES_1: 7f454c4602010100000000000000000003003e00 / ELF> OWNER_1: root GROUP_1: 0 SCORE: 87`

Just trying to figure out if these are false positives or not, as I can't replicate these on remote machines and it is happening across multiple devices. Affected OSes are Arch Linux, Clear Linux, Windows 11 Pro, and Windows 11 Home. The above snippets are from the Clear Linux instance. I will add the Windows detections to this post shortly.
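The ProcessCheck events above are YARA string matches inside process memory, and the `MATCHED_n` lists give each string with the virtual address it was found at. The first thing a practitioner wants to know before escalating is *where* those addresses sit: in the process's own image on disk, in a loaded shared library, in anonymous non-executable data (something the process read into memory), or in anonymous executable memory, which is the only class that looks like injected or reflectively loaded code. The following script is an added example, not code from the thread or from THOR Lite: it parses the key/value layout THOR Lite uses for these events, extracts every rule's matched strings and addresses, and classifies each address against a `/proc/<pid>/maps` dump. `SAMPLE_EVENT` is an abbreviated copy of the clamd alert from the post (the addresses are the ones reported there); `SAMPLE_MAPS` is an invented maps snapshot, since the post does not include one.

```python
"""Triage helper for THOR Lite ProcessCheck hits.

Added example, not THOR Lite code. It parses the key/value log layout shown in
the post, pulls each YARA rule's matched strings and memory addresses, and
classifies every address against a /proc/<pid>/maps dump: in the process's own
image, in a loaded library, in anonymous data, or in anonymous executable
memory. SAMPLE_EVENT is an abbreviated copy of the clamd alert from the post;
SAMPLE_MAPS is constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str  # "" for anonymous mappings, "[heap]"/"[stack]" for special ones


@dataclass
class Hit:
    string: str
    addr: int


@dataclass
class ThorEvent:
    level: str
    host: str
    pid: int
    image_file: str
    score: int
    rules: Dict[str, List[Hit]] = field(default_factory=dict)


_HEAD = re.compile(r"^(?P<level>\w+) \d+ \w{3} +\d+ \d\d:\d\d:\d\d (?P<host>[^/ ]+)/\S+ MODULE: ProcessCheck")
# REASON_n names the rule, MATCHED_n opens the "string at 0xADDR" list, RULEDATE_n closes it.
_RULE = re.compile(
    r"REASON_(?P<n>\d+): YARA rule (?P<name>\S+) / .*?MATCHED_(?P=n)(?!\d)\s*(?P<body>.*?)\s*RULEDATE_(?P=n):",
    re.S,
)
_ENTRY = re.compile(r"^(?P<s>.*) at (?P<addr>0x[0-9a-fA-F]+)$")
_MAP = re.compile(r"^(?P<s>[0-9a-f]+)-(?P<e>[0-9a-f]+) (?P<perms>\S{4}) \S+ \S+ \S+\s*(?P<path>.*)$")


def parse_thor_event(text: str) -> ThorEvent:
    head = _HEAD.match(text)
    if head is None:
        raise ValueError("not a THOR ProcessCheck event")
    pid = int(re.search(r"\bPID: (\d+)", text).group(1))        # \b keeps PPID out
    image = re.search(r"\bIMAGE_FILE: (\S+)", text).group(1)
    score = int(re.search(r"\bSCORE: (\d+)", text).group(1))    # \b keeps SUBSCORE_n out
    ev = ThorEvent(head["level"], head["host"], pid, image, score)
    for m in _RULE.finditer(text):
        hits = []
        for line in m["body"].splitlines():
            e = _ENTRY.match(line.strip())   # greedy (.*) keeps " at " inside the string itself
            if e:
                hits.append(Hit(e["s"], int(e["addr"], 16)))
        ev.rules[m["name"]] = hits
    return ev


def parse_maps(text: str) -> List[Region]:
    regions = []
    for line in text.splitlines():
        m = _MAP.match(line.strip())
        if m:
            regions.append(Region(int(m["s"], 16), int(m["e"], 16), m["perms"], m["path"].strip()))
    return regions


def find_region(addr: int, regions: List[Region]) -> Optional[Region]:
    for r in regions:
        if r.start <= addr < r.end:
            return r
    return None


def classify(addr: int, regions: List[Region], image_file: str) -> str:
    r = find_region(addr, regions)
    if r is None:
        return "unmapped"   # not in the snapshot: process changed, or maps taken from the wrong pid
    if not r.path or r.path.startswith("["):
        return "anon-exec" if "x" in r.perms else "anon-data"
    if r.path == image_file:
        return "image"      # string lives in the binary on disk: verify that file, not the process
    return "library"


def summarize(ev: ThorEvent, regions: List[Region]) -> Dict[str, Dict[str, int]]:
    """Per rule, how many matched strings fall into each memory class."""
    return {name: dict(Counter(classify(h.addr, regions, ev.image_file) for h in hits))
            for name, hits in ev.rules.items()}


# Abbreviated from the post's first alert; addresses are the ones THOR reported.
SAMPLE_EVENT = """Alert 1 Apr 29 14:24:51 archlinux/10.1.0.22 MODULE: ProcessCheck MESSAGE: Malicious process found PID: 4894 COMMAND: /usr/bin/clamd PPID: 2974 PARENT: /usr/lib/systemd/systemd PROCESS_NAME: clamd OWNER: clamav IMAGE_FILE: /usr/bin/clamd IMAGE_TYPE: ELF REASON_1: YARA rule HKTL_Meterpreter_inMemory / Detects Meterpreter in-memory SUBSCORE_1: 85 SIGTYPE_1: internal SIGCLASS_1: YARA Rule MATCHED_1

WS2_32.dll at 0x7eeb8c64bd25
ReflectiveLoader at 0x7eeb6786d69f

RULEDATE_1: 2020-06-29 TAGS_1: HKTL, METASPLOIT RULENAME_1: HKTL_Meterpreter_inMemory REASON_2: YARA rule APT_APT28_drovorub_unique_network_comms_strings / Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based SUBSCORE_2: 75 SIGTYPE_2: internal SIGCLASS_2: YARA Rule MATCHED_2

action at 0x5b404d4b7994
auth.commit at 0x7eeb71457ff0
tunnel at 0x7eeb2df919a3

RULEDATE_2: 2020-08-13 TAGS_2: APT, G0007, RUSSIA RULENAME_2: APT_APT28_drovorub_unique_network_comms_strings REASONS_COUNT: 2 SCORE: 94"""

# Constructed /proc/4894/maps snapshot (not from the post): image, heap, one big anonymous rw region, one library.
SAMPLE_MAPS = """5b404d4b7000-5b404d4bc000 r--p 00000000 fd:01 262401 /usr/bin/clamd
5b404d4bc000-5b404d4e0000 r-xp 00005000 fd:01 262401 /usr/bin/clamd
5b404e100000-5b404e200000 rw-p 00000000 00:00 0 [heap]
7eeb2d000000-7eeb9c000000 rw-p 00000000 00:00 0
7eeb9c000000-7eeba0000000 r-xp 00000000 fd:01 263002 /usr/lib/libclamav.so.12"""


if __name__ == "__main__":
    ev = parse_thor_event(SAMPLE_EVENT)
    print(f"{ev.host} pid={ev.pid} image={ev.image_file} score={ev.score}")
    for rule, classes in summarize(ev, parse_maps(SAMPLE_MAPS)).items():
        print(f"  {rule}: {classes}")
```

On a live host, replace the two samples with the THOR event text and the contents of `/proc/<PID>/maps` captured while the process is still running (the PID in the event is only meaningful for that process lifetime). Hits classed `image` or `library` point at strings that are in a file on disk, so the next step is to check that file against its package (`pacman -Qkk <package>` on Arch compares installed files with the package database; compare `IMAGE_SHA256` with the package's copy of the binary). Hits classed `anon-data` mean the process read the bytes into non-executable memory, so look at what it has open (`/proc/<PID>/fd`) and whether the loaded data would plausibly contain such strings. `anon-exec` hits, executable memory that is not backed by any file, are the class to escalate and to capture (for example with a memory dump of that region) before the process exits.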