BCKDR_XZUtil_Script_CVE_2024_3094_Mar24_1

Rule Info

Name
BCKDR_XZUtil_Script_CVE_2024_3094_Mar24_1
Author
Florian Roth
Description
Detects make file and script contents used by the backdoored XZ library (xzutil) CVE-2024-3094.
Score
80
Reference
https://www.openwall.com/lists/oss-security/2024/03/29/4
Date
2024-03-30
Minimum Yara
1.7
Rule Hash
b3d2a87ac4be5f4801526d6ce520b843
Tags
['SCRIPT', 'DEMO', 'CVE_2024_3094']
Required Modules
[]
Virustotal Matches
https://www.virustotal.com/gui/search/bckdr_xzutil_script_cve_2024_3094_mar24_1/comments
Community Rule
https://github.com/Neo23x0/signature-base/search?q=BCKDR_XZUtil_Script_CVE_2024_3094_Mar24_1

Antivirus Verdicts

Rating
Number of Samples
Malicious (>= 10 engines)
18
Suspicious (< 10 engines)
2
Clean (0 engines)
2

Rule Matches

Timestamp
Positives
Total
Hash
VT
2025-03-14 06:57:27
15
63
430acb142db319466010b3029f853f0dab401bca7b6404ecfeb7663a14b31a57
2025-03-13 05:07:09
16
64
2dd0cbf1eff245e2aac8ddf6f9c050faef3c72c5e2b69c7738bc55a1d44b8dd4
2025-03-10 20:38:47
11
62
f08873b3be49bbd816c927e729d4bf692b51714e82dba3471cc1bdff45fee855
2025-03-05 08:04:06
15
62
09259c22461ddba55ed256013930beccbbf6061875500538962a8da6d0d05b22
2025-02-25 20:11:47
15
63
d5b2b0313a6f1ec33b81fca6dacfe45bf4ae997741eac6dcd1148abc02ee5026
2025-02-24 09:50:40
13
66
4743b85e790eff48d1a6582509345c21f2bf7eb250570261b7edf706c7cf2336
2025-02-10 23:03:02
11
49
beed61dc63e3b01b93e6c50c6885b89988b59a3f6abdfa24e922e1402a0235e9
2025-02-07 08:16:25
12
60
8913d291c3350b5634e0d3c87a5289d6bfd0e361e3cad01e0d0b85ce17b5a397
2024-11-12 12:47:34
10
62
fb91830e9767e9df1f2e58b95e000539ae9adffec48f80547260c1e6b3cd0799
2024-10-23 16:40:33
11
46
3642079fc987b1ecbdda35eb54495d65be304022dbce5eafd294adf06a98bd47
2024-10-05 04:28:52
11
36
4e58686f61c63f293b551a95bebb5934f8ab45dfa18423c8c8702df12f1bbd91
2024-08-23 17:54:31
10
65
9eb8d4d86a528c0c40fee60bd37ca326059a95b55a33b1105db68d60611a92b1
2024-07-21 08:19:00
35
63
70ff81f48c82556f2f970cac4d335f08906d995a54721feba9fbe6261ba535f7
2024-06-13 04:25:09
13
59
3ef7f4c0ca12b49136e1ac18f2624aaf0b4133588d09d722e01632a0e2fa1c3e
2024-04-17 10:15:12
11
59
de8ad188acbce0003d198c7fba958bcd42fff718d4122b68b8d31cf1a5112b41
2024-04-11 07:06:21
12
59
654c673c177a2a06c2b240ee07f81dc9096b1626f82855dc67722a5e10bbf6a1
2024-04-06 20:07:43
4
59
89abf6bf0cd3cd0d50205bfdf1cbc4e3c20d6ee485fa102811db0789a082010d
2024-04-06 01:05:40
0
60
80f0150cec433b31eb555ed34651451edf2b38b86ea6ac5d76c8fe29366b7d89
2024-04-04 09:00:56
23
59
d44d0425769fa2e0b6875e5ca25d45b251bbe98870c6b9bef34f7cea9f84c9c3
2024-04-03 09:02:17
12
60
ece869c6e359a650da3a82c8d26239bde4293a591c0d634815595129654665ae
2024-04-02 18:01:54
0
60
d2d99c2dcb17923e9ce1d91e16491527edcdd945aa68e54d83bc6fc927274b05
2024-04-02 17:03:06
3
60
b83ee6d62e5e159fa0a16fcad953862a1d567abc5c60aa35dc02aac7efc87870

Rule Matches per Month (last 24 months)

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022