xzutil | 13d2a7961d5b7142cc4666f1997b0738d3bc4df904814febfed5c68c29e485d4

Resubmissions

05-04-2024 09:57

240405-ly3ghsha5v 10

Analysis

max time kernel
0s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
05-04-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload
Size

7.0MB
MD5

e1584b5eb8b0a1a6cb3d6da74e4d2074
SHA1

0d4f48bf2345299872b7dae1fc1b88bb15a03880
SHA256

13d2a7961d5b7142cc4666f1997b0738d3bc4df904814febfed5c68c29e485d4
SHA512

7ded777e85b308d5ab6b7a4ec75d21a683699117940803671bcaff44920f7cf3a4eafaa2088bbe88838a81af7bd1c5d8155aa5b4fb7f6e6cf0e466c74f5febbd
SSDEEP

196608:zrHvQtMPrw4oh6Uoc5TuWnS1pYqq1T62rFJ8aCXx:HHItYfYVEWnS1pnoTPrFJ8aCX

Score

10^/10

xzutil backdoor

Malware Config

Signatures

XZUtil is a linux backdoor releated to the CVE-2024-3094. 1 IoCs

backdoor

Processes:

resource	yara_rule
/tmp/_MEIOi7Ipv/liblzma.so.5	family_xzutil

XZutil
XZutil is a linux backdoor written in C++.
backdoor xzutil

Writes file to tmp directory 22 IoCs

Malware often drops required files in the /tmp directory.

Processes:

payload

description	ioc	process
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_lzma.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/resource.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/libbz2.so.1.0	payload
File opened for modification	/tmp/_MEIOi7Ipv/libexpat.so.1	payload
File opened for modification	/tmp/_MEIOi7Ipv/libz.so.1	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_codecs_cn.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_codecs_hk.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_hashlib.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_codecs_tw.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_contextvars.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_ctypes.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_decimal.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_multibytecodec.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_bz2.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_codecs_iso2022.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_codecs_jp.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/libpython3.11.so.1.0	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_typing.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/libcrypto.so.3	payload
File opened for modification	/tmp/_MEIOi7Ipv/libffi.so.8	payload
File opened for modification	/tmp/_MEIOi7Ipv/lib-dynload/_codecs_kr.cpython-311-x86_64-linux-gnu.so	payload
File opened for modification	/tmp/_MEIOi7Ipv/liblzma.so.5	payload

/tmp/payload
/tmp/payload
1⤵
- Writes file to tmp directory
PID:1576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/_MEIOi7Ipv/lib-dynload/_bz2.cpython-311-x86_64-linux-gnu.so

Filesize
27KB

MD5
18c0ba6afc70c570c2b24a94d1a5ca4b

SHA1
b7884f92dd0eef49794bea08130c92a7c7a9890c

SHA256
45cc2981a780005649a1e4e01fbff9f9ae13902044f05c7ca3fa29e53295ba6a

SHA512
d0fbddf2e13de96d2519a6ebf223ebae3cc82cf70e1ec27685bfcbac5b3108880047ff3a0255b3d773363773e498fa78b5dfefd243fb0197a3a4346f6e7ab6c7

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_codecs_cn.cpython-311-x86_64-linux-gnu.so

Filesize
150KB

MD5
0aae0ce8e510a6942adcb34e7c53bede

SHA1
0e5eb67ae238c0fcaa9de641903661a8b0b8f3dc

SHA256
c3fcef08685fb434a2afa9b2c0a4d16bf8b99af4bab5fa6cbc88975a81d5c960

SHA512
f518997ae55da3097d64db6250d857d3e1bda5028cb5ade0fb02d9556df2c2d80f662aa5739bf4aaa70d9ceaf18b2de8bbe66e18caf66289ab70bfcac4a49276

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_codecs_hk.cpython-311-x86_64-linux-gnu.so

Filesize
154KB

MD5
a29a85cd7e2f43020c83a9415b1aab0b

SHA1
390843900b2282c9cf2c027bf97e05848ec70b15

SHA256
d84e71d541b8d874fd33545d1a30ae6d4005f8bc8152ef1e0faf860106541f69

SHA512
ceb9298d9571504249a6fd851528869ed19b2713e8de886f3bad3e718c22b88e031c3a403af6e3415f93853698fab41d0230003ddcfae68a0450ba0d9535c459

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_codecs_iso2022.cpython-311-x86_64-linux-gnu.so

Filesize
30KB

MD5
6a5323c92329d583fcc30ed5b08275db

SHA1
2c3df586364d8da0823df17b764ee284cae82108

SHA256
f6f963b676ca0c52f2d7d3a5ba683dc200cab1f9cd8559bc8e26c8e452201217

SHA512
69652f73642841d9a4b944e3a2e180277c34be3c8a06d6721d38fb2f23bfa31e60871f3733f29cc446eff8ac6e64c990036942df9990c5138998a3df9013d9ff

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_codecs_jp.cpython-311-x86_64-linux-gnu.so

Filesize
266KB

MD5
94487fcf37cbc5555fdba9aad1b092b9

SHA1
55e622c18d8f6949e758e931e8e9adfafdbf3417

SHA256
89e34da5295f3592f2e84018ae671b64d9bcb0139719a8116b5bc648a352a30b

SHA512
8c69ec3a0cffcd61cbc0a3379e9dd15407f3f406b74e80f663b6742a6e244cf09242999d3cb22e977f78416313c534634ea7537d34b0ccef569ee7f3f21139ad

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_codecs_kr.cpython-311-x86_64-linux-gnu.so

Filesize
138KB

MD5
d53e80b3c6bf0f4398e37384331ed70f

SHA1
9e57dad59a32ecb4b1eb32a301ca071ec23eb82d

SHA256
c7c708ce8eff59e3cfacdd71055f096bba72c9579be59921f8b55396d3cfdf5f

SHA512
61d5977a6c20e385c262f3b78111a5bd858652f0d525ea5eeb3185154aab7b3617a62129027dbb1a358de1da2be0ab603695f29d0726b5ec983885871a764fad

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_codecs_tw.cpython-311-x86_64-linux-gnu.so

Filesize
110KB

MD5
1027ae6fa912c21e8456b30cc1b24392

SHA1
b9cd5fcd5d450576431b468da095ea5a7f8e2996

SHA256
707b0103bc647249ec287fc1ef0b497f170cf5be2a1d5f2441618e309adfd6fc

SHA512
ffeacf5f6a134cf80c73b61ff09c6fd7fb40bb1074be72156174ec799e300f209da81318949d6a694f44a2c4731fe6d7eec1ed5d216777da496b13229d8101d4

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_contextvars.cpython-311-x86_64-linux-gnu.so

Filesize
14KB

MD5
4a2e5e87447b53a1b1233a46f2b8cf78

SHA1
3b7a00bd2a9fb25799f00e691a892c46621edded

SHA256
91acaede2223f824a791a23634ac200906d854376665f015fa3017d53c27de26

SHA512
f5951ebb5432c3584be64fe4ea7a0f248319b97b48df499043ba355f53db16c6d4062da4ca0377b078bc3002c56d2e00709e5901a43b68b881b64fed28e8bc13

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_ctypes.cpython-311-x86_64-linux-gnu.so

Filesize
132KB

MD5
ed520b11adddc69fe955db593ee5857a

SHA1
4111103956b5f3f848419f565b74e83fe9a6d84a

SHA256
38caaa34806125e43ae5d8eabf20a4953288241152859b3d40d1145de0ca5a52

SHA512
8972f3ffafd65a3599fa10229d45d1ed7a9c4097ba1e9a78c1f4bf06d32e7c7b7e451bef4af809105b210f4637d86a1f1b47524fddfb3c43eda2ad990e98df1d

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_decimal.cpython-311-x86_64-linux-gnu.so

Filesize
303KB

MD5
3bf96419d11d2a183c54f7a877811c7a

SHA1
880b0c260ca47c3d5bf9e5a453aad894cb1c22d4

SHA256
53f5f45182319d17d724d24964ec113b7401f2158f666e626cb2844eb15068f5

SHA512
0630066d487c9fd849d11dd21555db9d4754c90db77f56422f90266ddaff7bbb3b13d61e9cd50b64ccdec33b938681174c7866dbf9ab623f2d2af65b9f8750f7

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_hashlib.cpython-311-x86_64-linux-gnu.so

Filesize
62KB

MD5
5d590ec99b299ab6a9707a6c78cfe333

SHA1
1294ae32a622bb529885a3ee8d564ae7026c193c

SHA256
0e9f6f21c764cbedee8aa9b8e5a96d9b5fa72ff8d5921f8dffc08ad626d7ab29

SHA512
8a5ae8374207726ac98f6002c5cc73dc54c6fe925bc599546b643f085f9f329a5e636967646a1f04393fc8f6f0d2ce277a8cab2622bcdcdd3061485a25c7b554

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_lzma.cpython-311-x86_64-linux-gnu.so

Filesize
43KB

MD5
902df1b64b9cc27037642b08e99370b5

SHA1
bd0d1579a97e92f7a1a011b9bbcff150cc21f873

SHA256
219608dcc499a27728ada4773829098e16a9437a8cc778d496614f163b38e023

SHA512
9612692a12c9bf77171cb4f57095a44cdbb38bb40f5ec2c4f932c66f284dc0c183339e037ca35058a4562c42fc2b9c23d941eb50995afe93b65560570ffe7578

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_multibytecodec.cpython-311-x86_64-linux-gnu.so

Filesize
53KB

MD5
5dbeb0aa941cfaa0c7587e32e1c6a934

SHA1
53c3dc30ee2ad48dd389f0eb24b3d174ee4c5d83

SHA256
195760adb09ae8ebf5f30693614f2d0ba72e4032cf63021ce2a37d8823efcfdf

SHA512
695cc82275d71f0f9b314ab10d505a905ad4fbcd0697132fba82777f4933ce0c10376c18f71a0221f3d25ef861a2af5ef2526908362ed054e7536edeab5383db

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/_typing.cpython-311-x86_64-linux-gnu.so

Filesize
13KB

MD5
1ae782f47b5b5328af1481e42f6ede4b

SHA1
32171f1f1f1db42be147bd5c3cf8bc3da2bc340c

SHA256
4fd0ef7a112b0c651b7bb17d8fda80de717b52b5ec4dc88f5710229d020dd9aa

SHA512
6b83cf791e96c86a2456155715c3580df835fc1b3ec2875a06bd13429a862aee0bc510ba9e92e782335a222af8c661708f703105153e041ff66ff937015e7868

Download Submit
/tmp/_MEIOi7Ipv/lib-dynload/resource.cpython-311-x86_64-linux-gnu.so

Filesize
18KB

MD5
188ea5b4b1e562482004381455886a2d

SHA1
2a9c582051fe979025281613cdbdf6907703fc21

SHA256
68308d57e1f27b3a1f02e8a30b9296f065ad413f4c5e3431b9f2d541903fe56b

SHA512
26576c1775b65a2362324c8bec1c0bb17065e6f5faf35b0efd2b199f4b0d1abe399fd57b9245fd506f429b7fcdda5d395e95d9de6597870f4148cad66c8b769a

Download Submit
/tmp/_MEIOi7Ipv/libbz2.so.1.0

Filesize
72KB

MD5
0abf433489232cdc8683f88d3ceb0f1b

SHA1
4e858c2b909842e4dffc32da38d81f65f0b6d7c0

SHA256
beab0081229187c19bd128b29e0b7df49fb8a9eb5048a81e01aff750e8390187

SHA512
8d3536d6b704214aaabb096f5f14617f930f56c86fe1181c3b820673f47d92ff82f192dfabfaa0691d06594393fe39f70b4f4ff4e3c74a60d1b6bed8a26a8b58

Download Submit
/tmp/_MEIOi7Ipv/libcrypto.so.3

Filesize
5.2MB

MD5
df49342d80aa1f9476d20ca1fff4d13d

SHA1
1385acc9d4d182eb41ee19f2d66210eb59d63c45

SHA256
3c1a03c495f1abaa390f8f7ed670a80f08ddc4fc48915ebf0633fa0f1e6d1c44

SHA512
633798e792befd69c671496afd910faf693e2655de6db5272a371dba380c5f419c90f5c7f85a8a3a9f4b5c307a132556723522cacc40cf5b995dfdb72759d036

Download Submit
/tmp/_MEIOi7Ipv/libexpat.so.1

Filesize
170KB

MD5
02a031d6560dd81b73bc3f0a6a622d9f

SHA1
ab00bd66a49e357da2ab941ccaa60ecc5d083e85

SHA256
80b6ff17c18761318c5b3f2d65bbe0309dd2511f37d79233461c89ef59ec6f06

SHA512
c82715c5b70e8304c1114c7671c16a55017ab733b23f4323ce11614bbffb10ae974580d0a47cbea6e60cdec865d725fd22b019757937c0415f6b4c4e2beff2c2

Download Submit
/tmp/_MEIOi7Ipv/libffi.so.8

Filesize
46KB

MD5
ff15c283a58bb77ce0e0970f3953a8f7

SHA1
50e602d29e25422a585394f92fb38534ca318231

SHA256
350a9ff172e18b4046a2ab05254ffcb3f6c2658c952da2dfb66f7ac8d3173894

SHA512
ae6dbdd8a78527954ebfa23c1bd93a0298acf785197f2e3bc9323cfec3cf9bffce8b6927dcad4fb343716b8c6149d2ed6a340c4485f6d7fccee030cde847c10a

Download Submit
/tmp/_MEIOi7Ipv/liblzma.so.5

Filesize
241KB

MD5
4f0cf1d2a2d44b75079b3ea5ed28fe54

SHA1
72e8163734d586b6360b24167a3aff2a3c961efb

SHA256
319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae

SHA512
1c28546b13a82b2522609ce00852386cbcd51ccd161a03c73daae186c7869c7deecd07bf7681b06e8046843860bcb45c4bd24a926e93c6a2ff8fc807a303612b

Download Submit
/tmp/_MEIOi7Ipv/libpython3.11.so.1.0

Filesize
7.4MB

MD5
a965e9adb8b9ecdae6ae163d6e258c80

SHA1
27d92faf1cacacf51ba07520d0274ee3161c732d

SHA256
36e817506cf8b176e3913501c4c7c51c217d5a5322ffab8bfa09d00b6e33b2c4

SHA512
9f19bdc1f574ff7f023ecbef226c805a4c07b4f732852143873b03ea9f6f9aaf6b6cd8f4d2fbe895f46db3a9f270bd21fe00840452d3582abe4a70efee5ca04d

Download Submit
/tmp/_MEIOi7Ipv/libz.so.1

Filesize
118KB

MD5
a693c9779441f2a5932b9d5bc6e82802

SHA1
b03f761c39fae4747d3e0c23fd0381a28112d474

SHA256
cea99d9c9cc83663b8b3f47f644fc322d1c48afb81e7609bc04f5bc03fb4abc9

SHA512
2a94ebb229289c8a044a727e4f1ff8f247cd61364e58a9c6866f92d829d10710bdf5ddb55e70e09962f52f1cc9460faea3de2f5a5f2fcb19ca2aeb1e4a93d56a

Download Submit