MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XorDDoS
Vendor detections: 7

SHA256 hash: f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876
SHA3-384 hash: 3aa5a40e6c982f6d50d658c59796bb8a8ab78fa22525bb529990a40cd78fcfcef7a56dc06d0771005d1ba1043688e4db
SHA1 hash: 681406d197c6de50bc611bb466c012f0cd9b4aa6
MD5 hash: d20e3e491d242d649c3fcf4879f2cbf2
humanhash: jig-massachusetts-minnesota-cola
File name: test
Signature: XorDDoS
File size: 662'840 bytes
First seen: 2022-01-18 06:45:14 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep: 12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
TLSH: T149E47D06E343EAF7C4570670129BF77B4230E2358412CF8AB6989D1EB9379F56A4E352
telfhash: t18f3142e1187c0d860ce0ac104c7d3b828a9b81626aa4d61def5acec9604f011f57bc0a
Reporter: r3dbU7z
Tags: elf XorDDoS

Intelligence

File Origin
# of uploads: 1
# of downloads: 242
Origin country: n/a

Vendor Threat Intelligence

Result
Malware family: n/a
Score: 5/10
Tags: n/a

Behaviour (MalwareBazaar)
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: csi.exe print.exe remote.exe

Result
Verdict: MALICIOUS

Result
Threat name: XorDDoS
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops files in suspicious directories
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample tries to persist itself using cron
Sample tries to persist itself using System V runlevels
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Writes identical ELF files to multiple locations
Yara detected XorDDoS Bot
Behaviour:
Behavior Graph (ID 554658; sample: test; start date: 18/01/2022; architecture: LINUX; score: 100)
Network contacts: aa369369.f3322.org / 96.43.105.68 (ports 2897, 45048; BCPL-SGBGPNETGlobalASNSG, United States); 109.202.202.202 port 80 (INIT7CH, Switzerland); 2 other IPs or domains
Process tree: test -> test -> test lqzpnnvgqq -> lqzpnnvgqq, which in turn starts sh (sh sed), cmltpcveev, ydvgqptufg, qmdgzglfzw, fqimirdumn, mpetjlbbrw, ikjjfxjdrw, hrdgxiqezw, laeuklbisl and further child processes; systemd snapd-env-generator is also started
Dropped files: /usr/lib/udev/udev (ELF), /boot/lqzpnnvgqq (ELF), /etc/init.d/lqzpnnvgqq (POSIX), /etc/cron.hourly/cron.sh (POSIX), /boot/ydvgqptufg (ELF), /etc/crontab (ASCII), plus 12 other malicious files
Signatures shown in the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Writes identical ELF files to multiple locations; Sample deletes itself; Drops files in suspicious directories; Sample tries to persist itself using cron; and other signatures
Threat name: Linux.Trojan.XorDDoS
Status: Malicious
First seen: 2022-01-05 19:08:43 UTC
File Type: ELF32 Little (Exe)
AV detection: 22 of 28 (78.57%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: enterpriseapps2
Author: Tim Brown @timb_machine
Description: Enterprise apps

Rule name: linux_generic_ipv6_catcher
Author: @_lubiedo
Description: ELF samples using IPv6 addresses

Rule name: unixredflags3
Author: Tim Brown @timb_machine
Description: Hunts for UNIX red flags

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Sample: elf f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876 (this sample), signature XorDDoS
