MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b26780bcc66dc4f9be647233a80c900fa76f0a706bb9bea437431b5b5c1dd574. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XorDDoS

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	b26780bcc66dc4f9be647233a80c900fa76f0a706bb9bea437431b5b5c1dd574
SHA3-384 hash:	88855bb4601dbaa3102a5530ae557eeaf28fb42cfc4188cd35b68b8e40f75a908db4e3fb5d5625f3ff82cff5f23c870d
SHA1 hash:	2ed36c9986c0fc5c2436e36f5aa9491b94d2878f
MD5 hash:	f6b6079e3660d0ba76a64f06f5e2148f
humanhash:	magazine-nuts-lion-steak
File name:	p.sh
Download:	download sample
Signature	XorDDoS Create hunting rule
File size:	1'255 bytes
First seen:	2025-11-25 19:47:17 UTC
Last seen:	2025-11-26 16:48:59 UTC
File type:	sh
MIME type:	text/plain
ssdeep	24:fN7PvyA3RqAAZ5UAFTe4typU4o39LOYvkRexV5O:V7Jh2ZBFTLtyfs9L7vkReVM
TLSH	T19321A29950FA689031CD893F94AE5E9C8BCB79928428560D63DFEFE8D06816875C8734
Magika	shell
Reporter	abuse_ch
Tags:	sh XorDDoS

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://195.20.19.216/p.txt	8f5ebb5b1c09744b4bb0087dca66360530533a1913151eaa04f17b691aae5a6b	XorDDoS	elf geofenced ua-wget USA x86 Xorddos
http://195.20.19.216/r.txt	n/a	n/a	n/a

Intelligence

File Origin

# of uploads :

2

# of downloads :

45

Origin country :

DE

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Linux.DownLoader.37.17275.16584.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

xorddos

Link:

https://www.filescan.io/uploads/692607fa5788d63eca90cad2/reports/7f50859a-2a58-4ee4-a7f3-107f0ebd736a/overview

Verdict:

Unknown

File Type:

ps1

First seen:

2025-11-25T17:07:00Z UTC

Last seen:

2025-11-25T17:50:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/b26780bcc66dc4f9be647233a80c900fa76f0a706bb9bea437431b5b5c1dd574/results?tab=lookup

Status:

terminated

Link:

https://sandbox.kunai.rocks/analysis/15dc5d9f-a635-4d72-a9ce-2920e7042c2c

Behavior Graph:

Score:

47%

Verdict:

Susipicious

File Type:

SCRIPT

Link:

https://malprob.io/report/b26780bcc66dc4f9be647233a80c900fa76f0a706bb9bea437431b5b5c1dd574

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b26780bcc66dc4f9be647233a80c900fa76f0a706bb9bea437431b5b5c1dd574/

Threat name:

Linux.Trojan.XorDDoS

Status:

Malicious

First seen:

2025-11-25 19:48:15 UTC

File Type:

Text (Shell)

AV detection:

9 of 38 (23.68%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wjtybpggnxcptpteoiz2qdeqb6tw6ctqno435jbximnvwxa52v2a._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/251125-yh6v8axpfv/

Behaviour

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates physical storage devices

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/b26780bcc66dc4f9be647233a80c900fa76f0a706bb9bea437431b5b5c1dd574

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

sh b26780bcc66dc4f9be647233a80c900fa76f0a706bb9bea437431b5b5c1dd574

(this sample)

elf 8f5ebb5b1c09744b4bb0087dca66360530533a1913151eaa04f17b691aae5a6b

URLhaus

https://urlhaus.abuse.ch/url/3716717/

Delivery method

Distributed via web download

Dropping

MD5 720c75bfcecad5ac0f57893b74676583

Dropping

SHA256 8f5ebb5b1c09744b4bb0087dca66360530533a1913151eaa04f17b691aae5a6b

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample