MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6c3eefd08f5543b0c79d2a5233d597c875f67b7a24b5ee29012e0e1b91e5111. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DDoS.TF


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c6c3eefd08f5543b0c79d2a5233d597c875f67b7a24b5ee29012e0e1b91e5111
SHA3-384 hash: ff5cd4fb2d8409050fb49bcefa97fb21145aaea53fb1684d80fe3e0171d4f6c5da518d6e333a71e593fc6e9cb109425f
SHA1 hash: 0eb7ac145db88ec79eade60b91d9a98fbe09008a
MD5 hash: eb331f75ad1639ff7ffa03befef52ac2
humanhash: mars-echo-high-indigo
File name:eb331f75ad1639ff7ffa03befef52ac2
Download: download sample
Signature DDoS.TF
Create hunting rule
File size:1'058'408 bytes
First seen:2022-02-13 18:12:35 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 24576:RsqZhvnhHXuhshNjm3Bp6gDgR16lwzBWa4wwS49TrHg29XE/PJroyUkNR9:PhvnhHXuhshNjK8AlGWaooroyUk
TLSH T168359F9AE746D9E2E1A30576029FC7F60231D1360103D6F7EB48FAB87862B157F07266
telfhash t1dd21d0d8885ab05899828810e83f0981595bd257423cedc3bf34d8d20c7e5cdf887d7b
Reporter zbetcheckin
Tags:32 DDoS.TF elf intel

Intelligence

File Origin
# of uploads :
1
# of downloads :
313
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Unix.Dropper.Mirai-7135968-0
Create hunting rule

Unix.Trojan.Ddostf-6443160-0
Create hunting rule

Gathering data
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
true
Architecture:
x86
Packer:
not packed
Botnet:
unknown
Number of open files:
11
Number of processes launched:
18
Processes remaning?
false
Remote TCP ports scanned:
not identified
Full report:
https://elfdigest.com/brief/c6c3eefd08f5543b0c79d2a5233d597c875f67b7a24b5ee29012e0e1b91e5111
Behaviour
Anti-VM
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Result
Verdict:
MALICIOUS
Malware family:
DDOS.TF
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0b42c8d3-0e86-4bbc-adbd-7e2d2ad0726f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/938993
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sets full permissions to files and/or directories
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 571471 Sample: 6sSEMcBZpw Startdate: 13/02/2022 Architecture: LINUX Score: 72 49 205.185.120.229, 50072, 50074, 50076 PONYNETUS United States 2->49 51 109.202.202.202, 80 INIT7CH Switzerland 2->51 53 4 other IPs or domains 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Machine Learning detection for sample 2->61 10 6sSEMcBZpw 2->10         started        12 dash cat 2->12         started        14 dash tr 2->14         started        16 7 other processes 2->16 signatures3 process4 process5 18 6sSEMcBZpw sh 10->18         started        20 6sSEMcBZpw 10->20         started        22 6sSEMcBZpw sh 10->22         started        24 7 other processes 10->24 process6 26 sh chmod 18->26         started        29 6sSEMcBZpw 20->29         started        31 6sSEMcBZpw 20->31         started        33 sh chmod 22->33         started        35 sh mv 24->35         started        37 sh sed 24->37         started        39 sh sed 24->39         started        41 4 other processes 24->41 signatures7 63 Sets full permissions to files and/or directories 26->63 43 6sSEMcBZpw 29->43         started        45 6sSEMcBZpw 31->45         started        process8 process9 47 6sSEMcBZpw 43->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c6c3eefd08f5543b0c79d2a5233d597c875f67b7a24b5ee29012e0e1b91e5111/
Threat name:
Linux.Trojan.Ddostf
Create hunting rule
Status:
Malicious
First seen:
2022-02-13 18:13:11 UTC
File Type:
ELF32 Little (Exe)
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
botnet linux persistence
Link:
https://tria.ge/reports/220213-wtrvbsddfp/
Behaviour
Reads runtime system information
Modifies init.d
Modifies rc script
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:unixredflags3
Create hunting rule
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DDoS.TF

elf c6c3eefd08f5543b0c79d2a5233d597c875f67b7a24b5ee29012e0e1b91e5111

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2042549/

Comments


Avatar
zbet commented on 2022-02-13 18:12:36 UTC

url : hxxp://107.189.13.118/sys