MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ddf688bdf16a1d465aef954ff90b372dacd8162bac2c7797ff7b6b4f20afcbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XorDDoS


Vendor detections: 11



SHA256 hash: 6ddf688bdf16a1d465aef954ff90b372dacd8162bac2c7797ff7b6b4f20afcbc
SHA3-384 hash: b48c648dfd9a2dff8ff66b7a39c1734f44bef29c8961bf1ddbe54e85130e27c7e385c0ee9cd0d6861a95cca287c9f4a2
SHA1 hash: 9db5baba5f06bc3e6d5b78de1505eee915690148
MD5 hash: b51476351c030b45c982011e12be17d7
humanhash: victor-six-delta-delta
File name: p.txt
Signature: XorDDoS
File size: 555'272 bytes
First seen: 2025-08-14 21:06:19 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 12288:VB2bw1CH/FwznbIU9sE8c8lqd49N94wT4JXhLLp6yWrk3:VB2WCH/eMU9Uc8gd49N94BJXhLL4ru
TLSH: T133C45C06F283A2F7D42705B0124BF7BF8620F63594129D9BB7989D5AB9338F12A4D353
telfhash: t129c16ab23eb059d9b3f0880282667220ce19e42765d4397a1df3b194fbf2d522b35d79
TrID: 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12); 49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika: elf
Reporter: abuse_ch
Tags: elf XorDDoS

Intelligence


File Origin
# of uploads: 1
# of downloads: 27
Origin country: DE

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Changes owner for a written file
Collects information on the network activity
Collects information on the RAM
Sends data to a server
Receives data from a server
Connection attempt
DNS request
Creating a file
Launching a process
Runs as daemon
Manages services
Collects information on the CPU
Creating a process from a recently created file
Writes files to system directory
Creates or modifies files in /cron to set up autorun
Deletes a system binary file
Creates or modifies files in /init.d to set up autorun
Creates or modifies symbolic links in /init.d to set up autorun
Deleting of the original file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: gcc lolbin remote xorddos

Result
Threat name: XorDDoS
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops files in suspicious directories
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Suricata IDS alerts for network traffic
Yara detected XorDDoS Bot
Behaviour
Behavior Graph (ID 1757469; sample p.txt.elf; start date 14/08/2025; architecture LINUX; score 100), flattened from the rendered graph:
  Network: ee.vvbb321.com (5.135.208.137, 1520, 48188, OVHFR France); ww.wowapplecar.com; 6 other IPs or domains
  Signatures on the sample: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures
  Processes started: p.txt.elf; sshd (two instances, each spawning a further sshd); 4 other processes
  p.txt.elf child process:
    Dropped files: /usr/lib/libudev.so (ELF); /usr/bin/yvdqmoxtwu (ELF); /usr/bin/yuhdatljnc (ELF); 15 other malicious files
    Signatures: Drops files in suspicious directories; Sample deletes itself; Sample tries to persist itself using cron; Sample tries to persist itself using System V runlevels
    Started: sh; p.txt.elf (two instances); 110 other processes
  sh: dropped /etc/crontab (ASCII); Sample tries to persist itself using cron; started sed (also flagged: Sample tries to persist itself using cron)
  p.txt.elf instances started cfzsxccdgx (several instances), which in turn start further cfzsxccdgx processes (flagged: Sample deletes itself); 107 other processes
  Other processes started yuhdatljnc (three instances) and 103 other processes
Threat name: Linux.Trojan.XorDDoS
Status: Malicious
First seen: 2024-04-12 22:25:19 UTC
File Type: ELF32 Little (Exe)
AV detection: 26 of 36 (72.22%)
Threat level: 5/5

Result
Malware family: xorddos
Score: 10/10
Tags: family:xorddos antivm botnet discovery downloader execution linux persistence privilege_escalation
Behaviour
Reads runtime system information
Checks CPU configuration
Creates/modifies Cron job
Modifies init.d
Write file to user bin folder
Executes dropped EXE
XorDDoS
XorDDoS payload
Xorddos family
Malware Config
C2 Extraction:
http://ww.wowapplecar.com/config.rar
ee.vvbb321.com:1520
ee.jjkk567.com:1520
ee.nnmm234.com:1520
ee.aass654.com:1520
ee.xxcc789.com:1520
Verdict: Malicious
Tags: backdoor trojan xor_ddos Unix.Malware.Xorddos-9856891-0
YARA: libgcc_backdoor Linux_Trojan_Xorddos_2aef46a6 Linux_Trojan_Xorddos_0eb147ca Linux_Trojan_Xorddos_884cab60 Linux_Trojan_Xorddos_ba961ed2 Linux_Trojan_Xorddos_2084099a MALWARE_Linux_XORDDoS
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: enterpriseapps2
Author: Tim Brown @timb_machine
Description: Enterprise apps

Rule name: F01_s1ckrule
Author: s1ckb017

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: Linux_Trojan_Xorddos_0eb147ca
Author: Elastic Security

Rule name: Linux_Trojan_Xorddos_2084099a
Author: Elastic Security

Rule name: Linux_Trojan_Xorddos_2aef46a6
Author: Elastic Security

Rule name: Linux_Trojan_Xorddos_ba961ed2
Author: Elastic Security

Rule name: MALWARE_Linux_XORDDoS
Author: ditekSHen
Description: Detects XORDDoS

Rule name: NET
Author: malware-lu

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

File type: elf
SHA256: 6ddf688bdf16a1d465aef954ff90b372dacd8162bac2c7797ff7b6b4f20afcbc (this sample)
Signature: XorDDoS
Delivery method: Web download (distributed via web download)

Comments