BCKDR_XZUtil_Binary_CVE_2024_3094_Mar24_1

Rule Info

Name: BCKDR_XZUtil_Binary_CVE_2024_3094_Mar24_1
Author: Florian Roth
Description: Detects injected code used by the backdoored XZ library (xzutil) CVE-2024-3094.
Score: 75
Date: 2024-03-30
Minimum Yara: 1.7
Rule Hash: 7180ceb878d428704ad1635bd4f2ba1b
Tags: ['DEMO', 'CVE_2024_3094', 'FILE']
Required Modules: []

Antivirus Verdicts

Rating: Number of Samples
Malicious (>= 10 engines): 26
Suspicious (< 10 engines): 5
Clean (0 engines): 0

Rule Matches


Rule Matches per Month (last 24 months)