Resubmissions

  • 20-04-2023 08:22    230420-j9jsfaae7s    10
  • 27-03-2023 09:38    230327-lmbvescg32    10

General

  • Target: Malz.zip
  • Size: 41.8MB
  • MD5: 72d76d00f0cfa5bcf976ad2f91c31219
  • SHA1: 631f788057a9c0c9afa5adb3634cccf49134c707
  • SHA256: 664fd170b1d07e372b3daa91aab78a8151d3f0b0361a2b3157b405314dd219a2
  • SHA512: d6c6afacd7bf9680545cbc306361b16f8f4d41326d3e67db8fdb7d0c771362e5833d2ec09b06f09401956c30c1921e31788c9a7029591e8950f9c25b21ed8326
  • SSDEEP: 786432:yw31BOqBbfjzQ3HoRScthZa2BLXYXWl/efKwqKVVuiaohsBtSvVLUDMC2ygvWt+:ywDxT/Q3HnMZa2ZXYX0/efbl+E5UDM1z

Malware Config

Extracted

Family: xorddos

C2:
  • http://info1.3000uc.com/b/u.php
  • gh.dsaj2a1.org:2807
  • 192.161.60.184:2807
  • www.yjgost.com:2807
  • http://aa.hostasa.org/game.rar
  • ns3.hostasa.org:3306
  • ns4.hostasa.org:3306
  • ns1.hostasa.org:3306
  • ns2.hostasa.org:3306
  • ns3.hostasa.org:3307
  • ns4.hostasa.org:3307
  • ns1.hostasa.org:3307
  • ns2.hostasa.org:3307
  • ns3.hostasa.org:3308
  • ns4.hostasa.org:3308
  • ns1.hostasa.org:3308
  • ns2.hostasa.org:3308
  • ns3.hostasa.org:3309
  • ns4.hostasa.org:3309
  • ns1.hostasa.org:3309
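The C2 list above mixes full URLs with bare host:port pairs, and the hostasa.org hosts fan out over a range of ports. The following is an added example (not part of the sandbox report and not the malware's code) that parses such a list into structured indicators and derives the blocklists a SOC would actually deploy: unique IPs, unique hostnames, parent domains and the per-host port set. The entries fed in are the ones listed on this page; the two-label "registrable domain" heuristic is an assumption that happens to be right for the .com/.org hosts here.

```python
"""Normalise sandbox-extracted C2 entries into structured indicators.
Added example; input is the C2 list from the report, logic is generic."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# C2 entries as listed in the report (copied from the page, used as test input).
C2_ENTRIES = [
    "http://info1.3000uc.com/b/u.php",
    "gh.dsaj2a1.org:2807",
    "192.161.60.184:2807",
    "www.yjgost.com:2807",
    "http://aa.hostasa.org/game.rar",
    "ns3.hostasa.org:3306", "ns4.hostasa.org:3306",
    "ns1.hostasa.org:3306", "ns2.hostasa.org:3306",
    "ns3.hostasa.org:3307", "ns4.hostasa.org:3307",
    "ns1.hostasa.org:3307", "ns2.hostasa.org:3307",
    "ns3.hostasa.org:3308", "ns4.hostasa.org:3308",
    "ns1.hostasa.org:3308", "ns2.hostasa.org:3308",
    "ns3.hostasa.org:3309", "ns4.hostasa.org:3309",
    "ns1.hostasa.org:3309",
]

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Indicator:
    raw: str
    scheme: Optional[str]   # "http"/"https" for URLs, None for bare host:port
    host: str
    port: int
    path: Optional[str]     # URL path, None for bare host:port
    kind: str               # "ip" or "domain"


def parse_c2(entry: str) -> Indicator:
    """Parse either scheme://host[:port]/path or a bare host:port entry."""
    entry = entry.strip()
    if "://" in entry:
        parts = urlsplit(entry)
        scheme = parts.scheme.lower()
        host = parts.hostname
        if host is None or scheme not in DEFAULT_PORTS:
            raise ValueError(f"unsupported URL: {entry!r}")
        port = parts.port or DEFAULT_PORTS[scheme]
        path: Optional[str] = parts.path or "/"
    else:
        host, sep, port_s = entry.rpartition(":")
        if not sep or not port_s.isdigit():
            raise ValueError(f"expected host:port, got {entry!r}")
        scheme, port, path = None, int(port_s), None
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return Indicator(entry, scheme, host, port, path, kind)


def registrable_domain(host: str) -> str:
    """Assumed heuristic: last two labels. Fine for the .com/.org hosts in this
    report; a production pipeline should consult the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def build_blocklists(entries: List[str]) -> Dict[str, object]:
    """Derive deduplicated IP, hostname, parent-domain and per-host port lists."""
    inds = [parse_c2(e) for e in entries]
    ports_by_host: Dict[str, set] = {}
    for i in inds:
        ports_by_host.setdefault(i.host, set()).add(i.port)
    return {
        "ips": sorted({i.host for i in inds if i.kind == "ip"}),
        "domains": sorted({i.host for i in inds if i.kind == "domain"}),
        "parent_domains": sorted({registrable_domain(i.host)
                                  for i in inds if i.kind == "domain"}),
        "ports_by_host": {h: sorted(p) for h, p in ports_by_host.items()},
    }


if __name__ == "__main__":
    for name, value in build_blocklists(C2_ENTRIES).items():
        print(name, value)
```

The per-host port map is the useful output here: it shows that ns1 to ns4 under hostasa.org are contacted on 3306 through 3309, which is what a firewall rule or a Zeek/Suricata signature should match rather than a single port.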

Attributes
  • crc_polynomial: EDB88320 (the reflected form of the standard CRC-32 polynomial)
  • xor.plain
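The two attributes above name the primitives a config extractor for this family relies on: a CRC-32 over the 0xEDB88320 polynomial and a plain XOR key. The page does not give the key value, so the block below is an added illustration (not the sandbox's extractor and not the sample's own code) of the two operations in isolation: a table-driven CRC-32 checked against the standard test vector, repeating-key XOR, known-plaintext recovery of the XOR key, and a CRC-validated decode of a constructed config blob whose layout (NUL-separated strings plus a trailing CRC) is hypothetical. The key and the blob are constructed for the example.

```python
"""CRC-32 (poly 0xEDB88320) and repeating-key XOR, as used when pulling a
config out of an XOR-obfuscated sample. Added example; key, blob layout and
sample strings are constructed, not taken from the analysed binary."""
from typing import List

CRC_POLY = 0xEDB88320  # reflected CRC-32 polynomial named in the report


def make_crc_table(poly: int = CRC_POLY) -> List[int]:
    """Byte-wise lookup table for the reflected (LSB-first) CRC algorithm."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = make_crc_table()


def crc32(data: bytes) -> int:
    """Standard CRC-32: init 0xFFFFFFFF, table-driven, final XOR 0xFFFFFFFF."""
    c = 0xFFFFFFFF
    for b in data:
        c = _TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on repeating-key XOR: key[i] = ct[i] ^ pt[i].
    Useful when a C2 string already seen in traffic is known to sit at the
    start of the encrypted config."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and plaintext")
    return bytes(ciphertext[i] ^ known_plaintext[i] for i in range(key_len))


def build_blob(strings: List[str], key: bytes) -> bytes:
    """Hypothetical layout: XOR(NUL-joined strings) || CRC-32(plaintext) LE."""
    plain = b"\x00".join(s.encode() for s in strings) + b"\x00"
    return xor_crypt(plain, key) + crc32(plain).to_bytes(4, "little")


def extract_config(blob: bytes, key: bytes) -> List[str]:
    """Decrypt the blob and use the trailing CRC to reject a wrong key."""
    body, stored = blob[:-4], int.from_bytes(blob[-4:], "little")
    plain = xor_crypt(body, key)
    if crc32(plain) != stored:
        raise ValueError("CRC mismatch: wrong key or corrupted blob")
    return [s.decode() for s in plain.split(b"\x00") if s]


DEMO_KEY = b"exampleKey012345"                               # constructed, 16 bytes
DEMO_STRINGS = ["gh.dsaj2a1.org:2807", "192.161.60.184:2807"]  # from the C2 list


if __name__ == "__main__":
    blob = build_blob(DEMO_STRINGS, DEMO_KEY)
    print(hex(crc32(b"123456789")))                    # 0xcbf43926, the check value
    print(recover_xor_key(blob[:-4], b"gh.dsaj2a1.org:2807", 16) == DEMO_KEY)
    print(extract_config(blob, DEMO_KEY))
```

The CRC check is what makes a brute-force or known-plaintext key guess self-verifying: a wrong key yields plaintext whose CRC will not match, so the extractor can reject it without pattern-matching the output.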

Signatures

  • Blackmoon family
  • Detect Blackmoon payload (1 IoC)
  • Gh0st RAT payload (2 IoCs)
  • Gh0strat family
  • MrBlack trojan (3 IoCs)
  • Mrblack family
  • XorDDoS payload (7 IoCs)
  • Xorddos family
  • ACProtect 1.3x - 1.4x DLL software (2 IoCs): detects files using ACProtect software.
  • UPX packed file (13 IoCs): detects executables packed with UPX/modified UPX open source packer.

Files

  • Malz.zip
    .zip, Password: infected
  • .sshdd
    .elf linux x86
  • 1.txt
  • 10221.rar
    .rar, Password: infected
  • TSmm
    .elf linux x86
  • bin.exe
    .exe windows x86, Password: infected, MD5 160ca90966867f92a1e8064697edb02d
  • 261664
    .elf linux x64
  • 32
    .elf linux x86
  • 3306.zip_
    .zip, Password: infected
  • 3306/3306/ʹ˵.txt
  • 3306/3306/޸3306 - 500̰߳/Result.txt
  • 3306/3306/޸3306 - 500̰߳/Syn.exe
    .exe windows x86, Password: infected
  • 3306/3306/޸3306 - 500̰߳/ip.txt
  • 3306/3306/޸3306 - 500̰߳/libmySQL.dll
    .dll windows x86, Password: infected
  • out.upx
    .dll windows x86
  • 3306/3306/޸3306 - 500̰߳/pass.txt
  • 3306/3306/޸3306 - 500̰߳/s.exe
    .exe windows x86, Password: infected
  • 3306/3306/޸3306 - 500̰߳/up.dll
    .dll windows x86, Password: infected
  • 3306/3306/޸3306 - 500̰߳/updata.ini
  • 3306/3306/޸3306 - 500̰߳/user.txt
  • 3306/3306/޸3306 - 500̰߳/˵.txt
  • 3306/3306/޸3306 - 500̰߳/.bat
  • 3306/3306/޸3306 - 500̰߳/޸3306 - 500̰߳.exe
    .exe windows x86, Password: infected, MD5 423f01e9d2b066cd1b31541d1211d4ba
  • 36000.exe
    .exe windows x86
  • 64
    .elf linux x64
  • 64.zip
    .zip
  • GetPass.exe
    .exe windows x86
  • Linux3264生成器M.1.0_se.rar
    .rar
  • NetSyst81.dll
  • POP
    .elf linux x86
  • SAY123
    .elf linux x86
  • SAY456
    .elf linux x64
  • Server.rar
    .rar
  • TomDog_Result.html
  • a.rar
    .rar
  • a06
    .elf linux x86
  • a07
    .elf linux x86
  • a08
    .elf linux x86
  • a09
    .elf linux x86
  • a10
    .elf linux x86
  • aaaa.rar
    .rar
  • b.rar
    .rar
  • banner313.pl
    .pl .sh linux
  • c.rar
    .rar
  • desktop.ini
  • f.sh
    .sh linux
  • g3m.pl
    .pl .sh linux
  • getbinaries.sh
    .sh linux
  • hosst
    .elf linux x86
  • host.exe
    .exe windows x86, MD5 c37071790129a533e4046947023f9794
  • index.html
    .js
  • ktx-armer
    .elf linux arm
  • ktx-i686er
    .elf linux x86
  • ktx-mipsel
    .elf linux mipsel
  • lyjq
    .elf linux mipsbe
  • mips
    .elf linux mipsbe
  • mips-ktx
    .elf linux mipsbe
  • mm.rar
    .rar
  • multi.py
    .py .sh linux
  • payw
  • pma.pl
    .sh .ps1 linux
  • putty.exe
    .exe windows x86, MD5 6331cdb5d878c7264ad0657f66b30caf
  • rc.local
    .sh linux
  • s-3.rar
    .rar
  • ss32
    .elf linux x86
  • ss64
    .elf linux x64
  • ssh12
    .elf linux x86
  • ssh32
    .elf linux x86
  • ssh64
    .elf linux x64
  • ssh66
    .elf linux x86
  • ssh88
    .elf linux x86
  • svchost (2).exe
    .exe windows x86, MD5 f83bf57899b2ddd413fb4d334eac7a54
  • svchost.exe
    .exe windows x86
  • svchost.exe.1
    .exe windows x86, MD5 9b76dac8a18f363adaed8a7f786ed2c0
  • svchost.exe.1_
    .exe windows x86, MD5 9b76dac8a18f363adaed8a7f786ed2c0
  • tfddos.exe
    .exe windows x86, MD5 3ad350f14c2e450686dbd3fbcbe807a6
  • wso2.5.1.php
    .js
  • x64-ktx
    .elf linux x64
  • xiaoma
    .elf linux x86
  • xmit32
    .elf linux x86
  • xudp
    .elf linux x86
  • yk.exe
    .exe windows x86, Code Sign
  • yk1.exe
    .exe windows x86, Code Sign
  • z2
    .elf linux x86
  • 集群.exe
    .exe windows x86, MD5 d1d5f966b653a61664e0a50f1c3f92af