Resubmissions

22/05/2025, 03:10    250522-dn9h3sfn3z    6
22/05/2025, 02:51    250522-dcdx2afk3z    6
21/05/2025, 02:52    250521-dc448adp7x    10
21/05/2025, 02:41    250521-c6f4tadn8z    6
21/05/2025, 02:34    250521-c2k7zavn16    6
21/05/2025, 02:05    250521-ch6dsseq7s    7
21/05/2025, 01:50    250521-b9hw5sxly5    6
21/05/2025, 01:41    250521-b39raaxls5    6
17/05/2025, 09:35    250517-lkf2csck5t    6
17/05/2025, 09:19    250517-laaftscj51    6

General

  • Target

    visual.exe

  • Size

    12.2MB

  • Sample

    250521-dc448adp7x

  • MD5

    a6de62fc30088488d483b7f88893e62c

  • SHA1

    26e5752bdf7406cd554403afb4d969ceb1cc380e

  • SHA256

    ef12d7c8167d4fe2d79a8faf27c2c681801e1d72f7ee2c8836ee665a78390a50

  • SHA512

    9439d997290dd91a7c736db32ad1d4cc50437e96b3999ae62b7afd957736c828a3d20080a453384d2ca4ee474bc37ab41af75ddda45eea9fb9ee883de5f93d10

  • SSDEEP

    98304:8xJmTXY7HrDPO7cbCYX3hwWAe0hb9fTTrADkS8KZR+Mk4PcE9ORt50:8xJJPCcbCC3hZqhxTrADkS8m/kIQtK

Malware Config

Targets

    • Target

      visual.exe

    • Size

      12.2MB

    • MD5

      a6de62fc30088488d483b7f88893e62c

    • SHA1

      26e5752bdf7406cd554403afb4d969ceb1cc380e

    • SHA256

      ef12d7c8167d4fe2d79a8faf27c2c681801e1d72f7ee2c8836ee665a78390a50

    • SHA512

      9439d997290dd91a7c736db32ad1d4cc50437e96b3999ae62b7afd957736c828a3d20080a453384d2ca4ee474bc37ab41af75ddda45eea9fb9ee883de5f93d10

    • SSDEEP

      98304:8xJmTXY7HrDPO7cbCYX3hwWAe0hb9fTTrADkS8KZR+Mk4PcE9ORt50:8xJJPCcbCC3hZqhxTrADkS8m/kIQtK

    • XorDDoS

      Botnet and downloader malware targeting Linux-based operating systems and IoT devices.

    • XorDDoS payload

    • Xorddos family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Downloads MZ/PE file

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Network Share Discovery

      Attempt to gather information on host network.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
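The hashes in the General section and the behavioural signatures listed above are easiest to act on as code. The following Python script is an added example (it is not part of the Triage report and not code from the sample) that does two things: it checks a file's digests against the report's MD5/SHA1/SHA256/SHA512 values, and it runs a small rule set over registry, process and API events to flag the anti-analysis behaviours the signatures name. The event line format, the sample events, and the registry paths each rule keys on (HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion and VideoBiosVersion, HKLM\HARDWARE\ACPI\{DSDT,FADT,RSDT}\VBOX__, the CurrentVersion\Uninstall key, Policies\System\EnableLUA) are my assumptions about what such signatures observe, not Triage's own rule logic, which the page does not show. SSDEEP matching is left out because it needs the non-standard ssdeep module.

```python
"""Added triage helper for the visual.exe report: IOC hash matching plus a
rule set that flags the anti-analysis behaviours the report's signatures
describe. The event lines below are constructed for the demo; the registry
paths each rule keys on are assumptions about what such signatures check."""
import hashlib
import re

# Digests copied verbatim from the report's General section.
REPORT_HASHES = {
    "md5": "a6de62fc30088488d483b7f88893e62c",
    "sha1": "26e5752bdf7406cd554403afb4d969ceb1cc380e",
    "sha256": "ef12d7c8167d4fe2d79a8faf27c2c681801e1d72f7ee2c8836ee665a78390a50",
    "sha512": "9439d997290dd91a7c736db32ad1d4cc50437e96b3999ae62b7afd957736c828"
              "a3d20080a453384d2ca4ee474bc37ab41af75ddda45eea9fb9ee883de5f93d10",
}


def iocs_well_formed() -> bool:
    """Guard against copy/paste damage: every IOC must be hex of the right length."""
    return all(
        len(h) == hashlib.new(algo).digest_size * 2 and re.fullmatch(r"[0-9a-f]+", h)
        for algo, h in REPORT_HASHES.items()
    )


def file_digests(data: bytes) -> dict:
    """Digest `data` with every algorithm the report lists."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORT_HASHES}


def match_digests(digests: dict) -> list:
    """Algorithms whose digest equals the report's IOC, sorted by name."""
    return sorted(a for a, h in digests.items() if REPORT_HASHES.get(a) == h.lower())


def match_report_iocs(data: bytes) -> list:
    """Exact-hash check of raw bytes. An empty result says nothing about a
    repacked or patched copy; that is what the SSDEEP value is for."""
    return match_digests(file_digests(data))


# (signature name as the report lists it, event-type regex, detail regex).
# Assumed mapping of signature to observable; Triage's own rules are not on the page.
RULES = [
    ("Checks BIOS information in registry", r"^Reg",
     r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$"),
    ("Identifies VirtualBox via ACPI registry values", r"^Reg",
     r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("Checks installed software on the system", r"^Reg",
     r"\\CurrentVersion\\Uninstall(\\|$)"),
    ("Checks whether UAC is enabled", r"^Reg",
     r"\\Policies\\System\\EnableLUA$"),
    ("Command and Scripting Interpreter: PowerShell (hidden window)", r"^ProcessCreate$",
     r"(?i)powershell.*\s-w(indowstyle)?\s+h(idden)?\b"),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", r"^ApiCall$",
     r"NtSetInformationThread\(.*(ThreadHideFromDebugger|0x11)"),
    ("Network Share Discovery", r"^ProcessCreate$",
     r"(?i)\bnet1?\.exe\s+(view|share)\b"),
]

# Constructed events in the form <event_type>|<process>|<detail>; not sandbox output.
SAMPLE_EVENTS = r"""
RegQueryValue|visual.exe|HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
RegOpenKey|visual.exe|HKLM\HARDWARE\ACPI\DSDT\VBOX__
RegEnumKey|visual.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
RegQueryValue|visual.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
ProcessCreate|visual.exe|powershell.exe -NoProfile -WindowStyle Hidden -Command Start-Sleep 1
ApiCall|visual.exe|NtSetInformationThread(ThreadInformationClass=0x11)
ProcessCreate|visual.exe|net.exe view \\fileserver
ProcessCreate|svchost.exe|powershell.exe -NoProfile -Command Get-Date
RegQueryValue|explorer.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"""


def triage_events(lines, process=None) -> list:
    """Return sorted (process, signature) pairs that fired; `process` narrows
    the scan to one image name so child-process noise can be separated out."""
    hits = set()
    for raw in lines:
        raw = raw.strip()
        if raw.count("|") < 2:
            continue
        event_type, proc, detail = raw.split("|", 2)
        if process and proc != process:
            continue
        for name, type_re, detail_re in RULES:
            if re.search(type_re, event_type) and re.search(detail_re, detail):
                hits.add((proc, name))
    return sorted(hits)


if __name__ == "__main__":
    for proc, sig in triage_events(SAMPLE_EVENTS.splitlines()):
        print(f"{proc:14} {sig}")
    print("IOC match on empty buffer:", match_report_iocs(b""))
```

On the constructed events, every visual.exe line fires exactly one of the report's signatures and the svchost.exe and explorer.exe lines fire none; the PowerShell rule accepts the abbreviated `-w h` form as well as `-WindowStyle Hidden`, since the abbreviation is what evasive launchers typically use.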

MITRE ATT&CK Enterprise v16

Tasks