Resubmissions

20-04-2023 08:22

230420-j9jsfaae7s 10

27-03-2023 09:38

230327-lmbvescg32 10

General

  • Target

    Malz.zip

  • Size

    41.8MB

  • Sample

    230420-j9jsfaae7s

  • MD5

    72d76d00f0cfa5bcf976ad2f91c31219

  • SHA1

    631f788057a9c0c9afa5adb3634cccf49134c707

  • SHA256

    664fd170b1d07e372b3daa91aab78a8151d3f0b0361a2b3157b405314dd219a2

  • SHA512

    d6c6afacd7bf9680545cbc306361b16f8f4d41326d3e67db8fdb7d0c771362e5833d2ec09b06f09401956c30c1921e31788c9a7029591e8950f9c25b21ed8326

  • SSDEEP

    786432:yw31BOqBbfjzQ3HoRScthZa2BLXYXWl/efKwqKVVuiaohsBtSvVLUDMC2ygvWt+:ywDxT/Q3HnMZa2ZXYX0/efbl+E5UDM1z

Malware Config

Extracted

Family

xorddos

C2

http://info1.3000uc.com/b/u.php

gh.dsaj2a1.org:2807

192.161.60.184:2807

www.yjgost.com:2807

http://aa.hostasa.org/game.rar

ns3.hostasa.org:3306

ns4.hostasa.org:3306

ns1.hostasa.org:3306

ns2.hostasa.org:3306

ns3.hostasa.org:3307

ns4.hostasa.org:3307

ns1.hostasa.org:3307

ns2.hostasa.org:3307

ns3.hostasa.org:3308

ns4.hostasa.org:3308

ns1.hostasa.org:3308

ns2.hostasa.org:3308

ns3.hostasa.org:3309

ns4.hostasa.org:3309

ns1.hostasa.org:3309

Attributes
  • crc_polynomial

    EDB88320

xor.plain

Targets

    • Target

      .sshdd

    • Size

      647KB

    • MD5

      33229183c1a701376ef15a0af4f9dc5b

    • SHA1

      b6a981f7d1e3141bc99e448ca5ea88e4f973463c

    • SHA256

      4e6eb417b5598ed171d383e6d6e3f1dc861438a52cfd869bbfaebabb8905f622

    • SHA512

      af69aabf1cb1463cf425d23fdab57d43eca545c86211c4dd7d2a14d27803f461aebebbf2108df8033b16f208e26026f5c3ae3cc578d7d893ba5487e992fbe419

    • SSDEEP

      12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonnp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mn6wvnDWXMN

    Score
    7/10
    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Write file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      261664

    • Size

      186KB

    • MD5

      b754622e816fb2281402b86f75fa9ccf

    • SHA1

      be1c9842f441500bd14b8ad9ac3a6cdac77ea47d

    • SHA256

      d8c511b7a07df74df69fd91a435a7228f7ecad477c7b6b4d23bf6fb5b04cf77d

    • SHA512

      d8057fe16bc35bc62b1998c67385ac79513ccfbf77cef68b5c73875910725b0ad886faf49b739576cbc3e795f8cf3416d729497e8e5cd7b47e8c78796405d925

    • SSDEEP

      3072:ilEwSaKOao1hsD4lLsCH4aNSJReEK5BQ6SnJ43aCQiqse:iOwPi4Jp4RnCk6A5

    Score
    8/10
    • Modifies hosts file

      Adds to hosts file used for mapping hosts to IP addresses.

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Target

      32

    • Size

      10KB

    • MD5

      a6345ddc1e04904f4c96933e1a59730f

    • SHA1

      5451cf4a8bf5dfae0ca21781c2dce0a9db1d4194

    • SHA256

      33671229bcfc0cdd0c789495575b5e20a39e077bf4f80a26783a7f0598a1d1d8

    • SHA512

      facc8b2e3692f40cddd56846717af65831bbc239dc1c1496519446cd0cc107fa9e2cd756419d6033f36118f03448d009f728e373cccd2a83733ca2c64623485d

    • SSDEEP

      192:MdU7fsvvarONq9HX6yHRN61oNAM62+CxBQ0a6NQCxQdJV:My7AKUqxKO61oN3+CxBQ0XFxy

    Score
    1/10
    • Target

      36000.exe

    • Size

      416KB

    • MD5

      51f00e56b4ef21e6b7d6685ca3fbad1a

    • SHA1

      c145e5e23cd95de4c0b521f0eb7ded59ba0a381e

    • SHA256

      4209035f042bcd79fe91997c8466cfdd890e740d8cb85b3076d7a5e79891f441

    • SHA512

      69be029f0183cf3b425703467beee190bba49a3fe78cebd06e6c54c5ff550a6b9e18c704677a4587bef9ef83ffa5a38d6879717991fc3362d3686ab9f5cfb876

    • SSDEEP

      6144:cXVDAhO3GzujrS6DfgSf2WPpx7MZyCwc9DMypdi8UAfndbeA0u9Adqhhs56EDL0C:YauGgSqntxwpTMf8TdIqAD4

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      64

    • Size

      10KB

    • MD5

      3ede781c8a49e64f8fe62c07e6bfda4b

    • SHA1

      3c89dc70861685c609a8671ed1ceb452f9379779

    • SHA256

      ade2e8a84482ff9ef0a15b471514f1c4370af1e8130b28c0bcd25382898c0b67

    • SHA512

      e9aa8008683dea3c64a398fa38e8b85e2a86ae349e6571f81e8cf281731ac3d222b35b2bd47d4ff87fd702b221180f5b8b14495c7ffb8d96dd7a2840e93b918b

    • SSDEEP

      192:V91LqTakK4wMaw1pWDnD5ZtpjkA6Ywt/anV6jeSXnrkLecAVgzBUi0vbuL8ZcAr0:YzwPeWP5Znj2IIdXnQLec/zKiOpcX

    Score
    8/10
    • Modifies hosts file

      Adds to hosts file used for mapping hosts to IP addresses.

    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Target

      GetPass.exe

    • Size

      178KB

    • MD5

      2e17ac792a4ae32ff5c9d751ab3a77e3

    • SHA1

      d18d952b24110b83abd17e042f9deee679de6a1a

    • SHA256

      e9cffb4773da2d46282aeafc6680e7aed8ff8537040a2a27d3c1ee3e3229d88e

    • SHA512

      30144f1ad0b0967f29dc4628ef50485fff201234041fa4aba8fc55521ca10aa3b16f391c5c7332267438235985d9e703b6155c59b1c34f06dbb56ae0072899d9

    • SSDEEP

      3072:EnPhSvw5JB9goXOO8Ua7o+NbUmW8NUCABqJ+iS5xqlIJPZrn1c2x45Y/32kls5xi:EnPhtfBLOn7vNbUmnWqJt4xqlIld1XxJ

    Score
    7/10
    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      NetSyst81.dll

    • Size

      240KB

    • MD5

      0b156ec492ea45d282cf823415ecaf12

    • SHA1

      54ad711765e27f91a4d554e336e8a2bb04547f1d

    • SHA256

      ac3b2cebb3f7a50fa237be97b07afa6f68be712e932f57074444e0c02e4d8342

    • SHA512

      d29c4459ab65b42e5f31e0ecb2f077598cea177de1789fbc735e03089996f0891d9917b3c79573c2405302966f1d816a86b4698fca6891445866310871be2b60

    • SSDEEP

      6144:SSGAi+a1Bsf81KVv19XAzKd4hDfYlY1wtNesuNrGq:SRAiP1Bsf84tJdK2Yi7GEq

    Score
    1/10
    • Target

      POP

    • Size

      1.3MB

    • MD5

      050f2541b0ff97734b066f33be89f53d

    • SHA1

      a0ce2fa27c8ec790e62bf926560fe8c10956b737

    • SHA256

      cb338967d877dff6129806568b7e201bba2b45da24943f1d5686d6b200670786

    • SHA512

      8b78e89dcedb1fa9e505e94084295c8d9872ef02008fc074e9f266272e9243b0936150579d3b652ee1a87e3ecc18b6b34243115bafd1dfc2b9b46073f6f329e3

    • SSDEEP

      24576:fAg0g+3YAqKbwt6Mleiv8x7HBruOmjqD0rV8T5KWs2/wgLg6Yvz1VVbBHpusVmMS:og01IAqHtZleikDuOGqYrVy5Kd2/hJYw

    Score
    1/10
    • Target

      SAY123

    • Size

      551KB

    • MD5

      a62bd401421253c27fc38aa8803f1451

    • SHA1

      955d7153ae275b3b1cbef1f6d9fedf463de06e08

    • SHA256

      977750a1f015f1ffa51edfeeae498a82e979b1644f70bec9170db96247c6e371

    • SHA512

      9137448dde857b2f2b74fbd4488c6d00cc275da57d542d88a3b785d97257c232231fa13e792a124fef7cc5fcc36a18f7c82504944f3c3b324d3f3186ac09fe3b

    • SSDEEP

      12288:/ocX0ds1H10GyzD9GCsQoD5umHxqKhHEwPTXdGFwMI:Qck61eGk9lzotuO1hHEwLHj

    Score
    5/10
    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      SAY456

    • Size

      639KB

    • MD5

      467771cc496a8764e143c772d3585072

    • SHA1

      3233613081abf60ebd8bb04a97c9d9eeded025df

    • SHA256

      c453e0d47de8106884381fcc0db2bf7927f714fc480fe31356809fff629c8a33

    • SHA512

      c5cfad7c857a377850398df29190522bac911271bed4b2f6d17f91522173834f17daa38c53bdeb7c82796384aa21ea149abe18639425920003076095d69b7e0f

    • SSDEEP

      12288:8Y62/fARweXwB5QXgn19w1k1a7s+95qXtPMZCLZZgyOQPAe5UyojTucN44XML:VdAywwBMgV1ux9cPM6LZJIu8N44o

    Score
    8/10
    • Writes DNS configuration

      Writes data to DNS resolver config file.

    • Reads CPU attributes

    • Reads system network configuration

      Uses contents of /proc filesystem to enumerate network settings.

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      TomDog_Result.html

    • Size

      704B

    • MD5

      ad877860d464ab42abdd05de03866bd1

    • SHA1

      bd2487ccb213802ff8f40e9632342ecd45324ff8

    • SHA256

      c3d3c1612ed44202eaa7c64b69b07774e522e0d9125faa2dde0ada217440735f

    • SHA512

      df90395c677840859d12b68b6b97fa646e8fceba8acf1ede661460167c342c09660e09add14eb091fe442edc44cd2e4b81e1ac03cf49ab78659678264b4eb08b

    Score
    1/10
    • Target

      a06

    • Size

      611KB

    • MD5

      3c49b5160b981f06bd5242662f8d0a54

    • SHA1

      c50933e1f8a194e608049839707d8d698dd5caa5

    • SHA256

      c394440c56fdcda9739fbb966e9ac2eab9e11e2eeff0720eb4c850a05b33eefc

    • SHA512

      d947f1ecfb10002bc05bb6d1786758dfecb9000b94140128ccc9a68bd3a032ccb7360f27a3f7f522df856b372691bde46792975f6ac82c6fa0218d38b0d8488e

    • SSDEEP

      12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6Tikx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhkfNiGQl/91h

    Score
    9/10
    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Write file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      a07

    • Size

      611KB

    • MD5

      bcb6b83a4e6e20ffe0ce3c750360ddf5

    • SHA1

      d88755b78834e87418aa3cb3bfee5de5c378bd2f

    • SHA256

      61b0107a7a06ecbb8cc1d323967291d15450df7e8bab5d96c822a98c9399a521

    • SHA512

      f3be44f45eb0c453192b0ddeb7d37f3335499b41b46cc3190e918ac2909f048b3857d2496ebd33fa79ddce4024a1b47a5e44867ff576c18eb998c7e4f87914ca

    • SSDEEP

      12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6TiZx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhZfNiGQl/91h

    Score
    9/10
    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Write file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      a08

    • Size

      611KB

    • MD5

      a99c10cb9713770b9e7dda376cddee3a

    • SHA1

      1f1dd4d74eba8949fb1d2316c13f77b3ffa96f98

    • SHA256

      92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86

    • SHA512

      1d410a7259469a16a1599fb28cb7cd82813270a112055e4fbe28327735a2968affbfdcba0a2001d504919e5ef3b271f40c45da6291be9c5f97c278418b241b79

    • SSDEEP

      12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6TiOx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhOfNiGQl/91h

    Score
    9/10
    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Write file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      a09

    • Size

      611KB

    • MD5

      d1b5b4b4b5a118e384c7ff487e14ac3f

    • SHA1

      038b7e9406fe5cb0a0be8f95ac935923c6d83c28

    • SHA256

      0a312a4154dcec2bc6ce1d3b51c037b122ace5848ec99c2b861ab6124addae9b

    • SHA512

      20885f782beeca1712924d6dec7fa474fb2fa7f926d7cbdbdd5f7fa18f6a3ac2bcd5dbd771a80c13c3403cbad05f2cda86ffefdc8170d6cc0f0b4b01a5baec74

    • SSDEEP

      12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6TiLx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhLfNiGQl/91h

    Score
    9/10
    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Write file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      a10

    • Size

      611KB

    • MD5

      83eea5625ca2affd3e841d3b374e88eb

    • SHA1

      dca946f677a1be95fb3ef6adc950730b4736a405

    • SHA256

      fd6060b963d1b5ca7a07b5a283ad99105298a6708e44d286440a506738a17e34

    • SHA512

      a856a78004812a5aa75f52ecaa3690d5edfc98179b4c34f23434cd9d60e0a0ea7dc6e3ab30e311f7da088267de026552155c9a46cc3c3dda99544e67969e3a1c

    • SSDEEP

      12288:UB1tATMVAqnf+ExxBHYpmA38X8LYkCW6Tipx6yB1/iGK4UlUuTh1AG:UB1BVpmExDYp38X8LYTWhpfNiGQl/91h

    Score
    9/10
    • Writes file to system bin folder

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

    • Modifies init.d

      Adds/modifies system service, likely for persistence.

    • Modifies rc script

      Adding/modifying system rc scripts is a common persistence mechanism.

    • Write file to user bin folder

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      banner313.pl

    • Size

      26KB

    • MD5

      c9553c06f2118d8c7cf8d641e306b17f

    • SHA1

      b262a8f0fd3a8317087b25d069f47bae39c8a8a9

    • SHA256

      d5f918b0d11d5674727ef7b11ece8bb93e8845a23ce471f6e8c700a608c85e26

    • SHA512

      c9133726c2f7e7a13d9fe6af1cdb49d5fd6804949c4c6f486b46c3e2b48c017b554957ed4a7c6669f5f5d1fd39dcf77b7616c01496e021642e7418756cbfb1b2

    • SSDEEP

      384:8z9Yikph+AaZKmalkVQmjthmft1wVSE4ol6/c50Ilmu6ovAwfJ:s9nkph+0RkV/qPwVSvzIlOx+

    Score
    1/10
    • Target

      f.sh

    • Size

      518B

    • MD5

      cac62e5664152a357145747ba5dbe0a2

    • SHA1

      8402c68d0b57b04eb19f52c18fc57edbe716f0da

    • SHA256

      919bce738726efdfd08aa43552e095851c52c7452ef4c6c03d2b4c08cbceda76

    • SHA512

      6e19b9dbf0e3cff0397c6cdf1774bdd08070b509be2520c32a3148daa0211cf74a728f2e163199e789d5bbead4f9cd246853483e65526ddef1b14a62bdb6d52f

    Score
    5/10
    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    • Target

      g3m.pl

    • Size

      9KB

    • MD5

      2e455776b59e5005f5a0d8bf894d5577

    • SHA1

      55dc947790e180564247d8573211dc413996a142

    • SHA256

      f2585f17a1dc14c15de5ef5d7964c3d64a29825450ae76b8124448258f99b397

    • SHA512

      3d4818d9e7444aadef5d634ff131ac658a087d6f52f045b15037ec49e03189325035fd815f31024436ea786ac64344386bf33319152b264bc99046d9fff89be2

    • SSDEEP

      96:3N+3KCnHmzxq1eqRUSdC10Wpv84uip83Ik37xzni/YS2s/bCbeCbovm:s3Czxq1eFPGZ4oYMQYSNzCbeCbovm

    Score
    1/10

MITRE ATT&CK Enterprise v6

Tasks

static1

upxxorddosmrblackgh0stratblackmoon
Score
10/10

behavioral1

persistence
Score
7/10

behavioral2

persistence
Score
8/10

behavioral3

Score
1/10

behavioral4

upx
Score
7/10

behavioral5

upx
Score
7/10

behavioral6

Score
8/10

behavioral7

upx
Score
7/10

behavioral8

upx
Score
7/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
5/10

behavioral13

Score
8/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

persistence
Score
9/10

behavioral17

persistence
Score
9/10

behavioral18

persistence
Score
9/10

behavioral19

persistence
Score
9/10

behavioral20

persistence
Score
9/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
5/10

behavioral26

Score
5/10

behavioral27

Score
5/10

behavioral28

Score
5/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10